Wyze is having issues today. First, they had a prolonged outage overnight causing folks to not be able to connect to their cameras or view their cameras security feeds. Wyze claims that this outage was caused by an issue with their AWS partner. Per Wyze’s service-advisory page, this started at around 6:30 am PST.
Downdetector was reporting some outages in AWS over the last 2 hours, specifically in the 6 am to 10 am range. So this could have potentially been impacting the Wyze service. AWS itself was not reporting any outages, but it wouldn’t be the first time that a service had an unreported outage.
Well, it seems that’s not the end to the Wyze problems today. Around 10 am PST, users on Reddit were saying that they can see images from other people’s cameras including living rooms and more. Wyze confirmed this, and says that they have found the security issue that caused the images to be shown to the incorrect people. At roughly 11:30 am PST Wyze took the Events tab down in the Wyze app to prevent any more images from showing inappropriately. Wyze also reports that they were force logging out all users to remediate the issue, however users on Reddit are commenting that they were never logged out.
Wyze is downplaying this, saying that at most 10 users were affected ( this sounds just like the 10 users they said were affected 5 months ago when this happened ). With more reports coming in, and those being the vocal minority who *know* about the Reddit forum for Wyze, the actual count of impacted users could be in the thousands if not higher. Wyze is also reporting that at most thumbnails from other’s cameras were shown, however multiple people on Reddit are chiming in saying that they were able to see full event clips and live feeds from stranger’s cameras.
This isn’t the first time that Wyze cameras have shown someone images from someone else’s camera. About 5 months ago a similar thing happened where people were able to view images from cameras that did not belong to them. Wyze wasn’t the most forthcoming about this incident, choosing to not explore the full scope of the exposure of user data and to also only contact people through the Wyze community forums.
Wyze has also had other security incidents in the past, specifically with taking nearly three years to fix vulnerabilities in their Wyze Cams.
As someone who works in tech full time, this is totally unacceptable behavior. This is also why we push so hard for folks to invest in fully local smart home solutions. When your security cameras feed to your local server and not some shared AWS environment, there is much less risk of your living room being featured in some stranger’s comment on Reddit.
Update 2/17 @ 9:43 AM: Some users are starting to report authentication issues with their Wyze accounts, and are getting reports from third party monitoring tools that their passwords were potentially breached. Other users are reporting devices not recovering from yesterday’s outage even after turning them on / off and trying to reconnect them.