Another day, another smart home camera system security hack, this one affecting the Seattle-based company Wyze. First reported by the Texas-based cybersecurity firm Twelve Security and confirmed by Wyze, the hack is estimated to have affected 2.4 million customers who had their email addresses, the emails of anyone they ever shared camera access with, a list of their cameras, the last time they were on, and much more information exposed. Some customers even had their health data leaked.
“Personally, in my 10 years of [system administration] and cloud engineering, I never encountered a breach of this magnitude,” wrote Dan Ehrlich, founder Twelve Security, in a post about the Wyze hack.
Wyze is a home camera system similar to Amazon’s Ring that’s more economical: Whereas the cheapest Ring indoor camera will set you back around $60 (and their flagship doorbell products start at $100), Wyze’s products top out at $30. Both companies have now experienced at least one kind of major breach — either a hack or a leak — that should raise the eyebrows of anyone considering purchasing this type of home security.
Dr. Richard Forno, assistant director of the Center for Cybersecurity at the University of Maryland, Baltimore County, told Digital Trends that these security systems leave a lot to be desired in terms of securing themselves, much less their customers. “You have to ask, are product companies doing basic Cyber 101-type security measures to make sure their costumer and priority data is protected? You have to at least do the basics,” Forno told DT. “The fact that we see so many data breaches these days shows that companies are not doing the basics, let alone their best, to minimize the breaches from happening.”
Ehrlich told Digital Trends that the lack of security on smart home camera systems, to him, amounts to gross negligence. “I know what bad security looks like,” Ehrlich said. “When I see bad security, usually you can understand why, for example, they took down a firewall, but I’ve never seen it as bad as this. Equifax should be held up as a gold standard compared to these guys,” he said, referring to the 2017 security breach of the Equifax credit reporting company that exposed the data of 147 million people.
Ehrlich said he was confident that eventually the industry will sort itself out, but right now, there just isn’t enough manpower to fix what would need to be fixed to secure smart home systems. “There’s just not the people to fix it. There isn’t the talent pipeline to fix it,” he said. “There’s not the people to secure all the stuff and look at everything that needs looking at.”
“The winning move right now is not to play,” Forno told Digital Trends, speaking about what consumers should do to better protect themselves from an almost inevitable camera hack. “Just don’t buy one.”
If a consumer is dead set on buying one of these systems, Ehrlich says “be aware that it is technically possible right now for all video taken to be exfiltrated to anyone in the world, anywhere. This is true of Wyze and a lot of other brands.”
Forno warned that these cameras are not much different than a computer, tablet, or phone, and that it’s just a fact that some companies are taking privacy more seriously than others. “The privacy on these devices is really lacking and there’s not much to do short of unplugging,” he said.
If you do purchase one, Forno said to make sure everyone in the home is aware of where it is and when it’s turned on. Also, make sure to fully unplug it when it’s not needed. “Nothing beats actually physically powering it off and unplugging it,” he said. “A modicum of common sense by the user will go a long way.”
Wyze did not immediately respond to a request for comment. This story will be updated when we hear back.
- Wyze customers hit by online data leak, company confirms
- Ring’s defense of recent hacks is as shoddy as its security, lawyer claims
- Ring and Amazon slammed with a federal lawsuit over failed camera security
- Data leak exposes personal info of more than 3,000 Ring users
- Ring admits employees have improperly accessed customers’ doorbell videos