Some TidBITS readers were annoyed to learn that Wyze Labs unceremoniously stopped supporting its original $20 camera (see “Wyze Labs Discontinues First-Generation Security Camera,” 1 February 2022). Now we know what prompted Wyze’s move: the company has admitted that there was a severe security vulnerability that could let attackers read the contents of the camera’s SD card. That’s bad. Wyze patched its second- and third-generation cameras but was unable to patch the original cameras.
Even worse, Bitdefender first reported the vulnerability to Wyze Labs in March 2019, and Wyze Labs sat on the information for 3 years. The standard disclosure window is 90 days. The good news is that an attacker needed access to your local network to take advantage of the vulnerability, but Wyze’s behavior remains unacceptable. We won’t be recommending any more of its products until it becomes clear from the company’s actions over time that it’s taking security seriously.