On February 16, thousands of Wyze security camera owners opened their apps and discovered they were seeing images from other customers’ devices and, in some cases, could access video. This incident had been preceded by another Wyze privacy breach five months before, when a small group of the service’s customers were able to access video from other device owners’ cameras through the Wyze web portal.
Before that, in March 2022, a Bitdefender study revealed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three Wyze camera models existing at the time. (Wyze repaired two of those models, and the company discontinued its first-generation camera and instructed users to stop using it.)
Smart-home device security is a growing concern because of the potential for privacy violations and data leakage when these devices don’t work as intended. And our dependence on connected devices – also known as Internet of Things (IoT) technologies – is making them so prevalent in our homes and cars that it can be easy to forget the risks involved.
Wyze responds
Last month, Wyze said that, in the February incident, some 13,000 customers incorrectly received thumbnail images from other customers’ cameras, and 1,504 of them actually viewed those images. Some were able to view video as well. The announcement came in an email sent to customers entitled “An Important Security Message from Wyze”, in which the company copped to the breach and apologized, while also partly (or mostly) blaming its web hosting provider.
The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing other people’s images and video footage until Wyze disabled access and launched its own investigation.
In an email sent to CNN, Wyze CEO Dave Crosby said the company knows “these events are unacceptable”. He said Wyze plans to hire for up to a dozen new engineering positions to help “reduce reliance on any third parties”. He added: “It will take time to repair trust with users and tech publications, but it has our total focus.”
Easily hacked doorbells
These problems are not confined to one service. Less than two weeks after the Wyze incident, a Consumer Reports investigation found a series of cheaply made smart doorbells sold on Amazon, Walmart, Sears, Shein and other popular retailers had security flaws, allowing bad actors to easily hack into the systems to gain access to photos and footage stored on the app.
A majority of those products, from popular brands such as Eken and Tuck, were manufactured by the Eken Group, based in Shenzhen, China, and sold at half the price of more well-known US brands. Consumer Reports says those doorbells do not have a required ID issued by the Federal Communications Commission, making them illegal for sale in the US.
The Consumer Reports researchers said some of these devices exposed a user’s home IP addresses and WiFi network names to the internet without encryption, potentially opening a user’s home network to malicious activity.
And users of devices made by American companies such as Amazon and Google have experienced security breaches with their Ring and Nest smart-home technology.
Wirecutter cuts ties
Wyze is scrambling to fix things and issue apologies, but it might not be enough to forestall litigation. The New York Times’ newsletter entitled Wirecutter said it was expanding its existing suspension of Wyze-camera recommendations to include all of Wyze’s smart-home and security products, including the newsletter’s picks for smart bulbs, strip lights, and locks.
Noting that it was the third such privacy and security incident at Wyze since 2022, and citing its slow customer-support response, Wirecutter said: “We believe that it’s our responsibility to err on the side of caution when recommending any product that has the potential to expose an owner to privacy or security risks.”
IoT devices and data breaches
IoT and mobile devices are two of the biggest sources of data breaches during an external attack. According to a survey by Forrester, almost a third (31%) of enterprise security decision-makers who experienced a breach said IoT devices were targeted, followed by employee-owned mobile devices (29%) and company-owned mobile devices (27%).
Because some connected devices have limited processing power, they may lack a strong defense against an external attack. Some of the security weaknesses can also be attributed to the complexity of integrating a variety of connected devices that use different communications methods and protocols.
As companies enable their employees to have greater mobile connectivity to each other, plus to customers and suppliers, these businesses are becoming more reliant on systems they don’t directly control.
A Verizon Communications survey found that of the professionals who are responsible for the procurement, management or security of mobile devices, 82% said that their company will rely on networks it doesn’t own – such as home broadband and cellular – more than ones it does own and control.
And then there’s the added risk that comes from employees using personal devices for work, including in their homes and cars. Each of these locations has connected device technology that can capture confidential data. And each is increasingly used for work conversations.
What we can do
The first two steps to preventing problems that could compromise business data are awareness and mindfulness. We’ve all grown so accustomed to having these pieces of technology around that it is easy to forget about what we should be discussing, where and how.
Our policies on using personal devices and other connected devices at home (or just away from work) must continue to be refined for our mobile, work-from-home and work-from-anywhere lives.
Companies can use technology to separate business and personal data, and they can better educate and warn employees to be aware of potential threats.