Security incident: 13,000 Wyze camera users see images of other users

Sicherheit (Pexels, allgemeine Nutzung)[German]Security camera vendor, Wyze, recently experienced technical problems. Users reported that they were suddenly shown other people's camera images. The provider has now confirmed the security incident. Around 13,000 users were affected and were shown the camera data of other Wyze camera owners in their streams. It's funny when your own cameras stream to the cloud, where the manufacturer then has to sort out that everything is running correctly.


Advertising

Wyze, mentioned several times here

Wyze has already mentioned within my blogs in connection with security incidents (see links at the end of the article). In the German article RCE-Exploit für Wyze Cam v3 veröffentlicht (Nov. 2023) I had taken up such an incident. At the time, I had looked on the Internet and noticed that the Wyze Cam v3, for example, was also being offered on the Amazon pages for around 100 euros (as an Amazon tip). The Wyze Cam v3 is an affordable security camera for indoor and outdoor use with support for night vision in color, SD card storage, cloud connectivity for smartphone control, IP65 weather protection and more. The cameras seem to be selling very well.

New incident affects 13,000 users

It had already been in the press for days: Users of Wyze cameras complained that they were suddenly shown images of other people or other people's homes when they wanted to view their own camera images in the cloud. There is this post on reddit.com where a lady felt she was being watched. The operators had announced in the Wyze forum at the time that they were launching an investigation.

Specifically, there was an outage on February 16, 2024, which interrupted the camera transmission for hours. According to Wyze, the outage was caused by a problem with AWS. When AWS goes down, Wyze is also down. Later, the data from one user's system was displayed in another user's app.

Wyze has now acknowledged the incident on February 16, 2024 in the forum, and states in an update on February 19, 2024 that it has informed those affected. Specifically, it states that event thumbnails were made accessible to others as a result of the incident and were accessed on Wyze Friends when users accessed their Wyze account.

Affected were 13,000 users of these Wyze cameras and could theoretically see the thumbnails of other cameras. However, only 1,504 of those affected are said to have selected these thumbnails. In most cases, the image was enlarged, they say. The people at Wyze also found some cases where the thumbnail was attached to an event video and the video was displayed. This occurred with Cam Plus Lite and sound detection events, for example. Videos from live streams were not affected.


Advertising

Overall, slightly less than 0.25% of Wyze users were affected by this event (including users who received thumbnails and users who sent their thumbnails to another account). Sounds trivializing now, and individuals who have had this happen to them should ask themselves if this whole cloud dependency is the last word in wisdom. However, if the Wyze cameras were used in a corporate environment – i.e. not for private use – the incident must be considered a data breach. Anyone who has been notified by Wyze must then submit a GDPR report to the data protection authority in european countries.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Cloud, devices, Security and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *