How Wyze Just Torpedoed Its Own Security Reputation

Security vulnerabilities are an unavoidable part of technological development — especially when it comes to devices with network access — but smart home company Wyze may have dropped the ball too severely to recover this time around.

The company was scrutinized back in 2019 over a data leak caused by an unprotected database. In a more recent turn of events, Bitdefender released a report on March 29 detailing several security risks with Wyze Cam versions 1, 2, and 3 that could allow hackers to remotely access camera feeds, access the camera's SD card storage, and even take remote control of the cameras.

Patches have since been issued for both Wyze Cam version 2 and version 3 models, but version 1 was discontinued in January 2022 and has not been patched. It's all somewhat typical for these kinds of tech-related security issues, where a problem is discovered, it's addressed, and users are hopefully able to re-secure their devices with an update before anything untoward happens. But the reason this particular problem with the Wyze Cam is so much more concerning for users like The Verge's Sean Hollister is that it took Wyze an exceptionally long time to address (or even acknowledge) any of it.

Three years later

As Hollister points out, Bitdefender's disclosure timeline details the series of events that eventually resulted in Wyze taking action, revealing that the security firm first contacted the IoT company in March 2019, a full three years ago. Despite that, Wyze neither disclosed the risks to its customers nor fixed the security problem in these version 1 cameras, leaving its customers to learn about the matter only from Bitdefender's very delayed report.

Typically, security researchers give companies a grace period from the time they're first notified about a security problem to the date they respond and, potentially, take action to correct it. Hollister cites experts who say this grace period is generally around 30-45 days, though some companies may be given a relatively short extension, after which point the details are published regardless.

It's a fairly sensible approach, because once the information is publicly available, the risk increases as potential attackers become aware of the exploits. By delaying an announcement, companies have time to develop and release a fix before the security vulnerabilities are detailed for anyone to read.

However, that sort of grace period would have ended back in April 2019 for Wyze, at least based on Bitdefender's report. In the days, weeks, months, and years that followed, many Wyze customers continued to use at-risk hardware without so much as a warning from the company itself. It's not the vulnerabilities that have (possibly irreparably) damaged Wyze's reputation in the eyes of customers like Hollister, but rather the fact that it did nothing about the problem.