Tech companies don't always disclose security flaws in a timely fashion, but Wyze apparently didn't disclose one at all. As Bleeping Computer and The Verge explain, Bitdefender has revealed that it informed Wyze of a major security vulnerability in the Wyze Cam v1 in March 2019, but that the device maker didn't inform customers, recall the product or fully patch the problem in the three years since. In fact, Wyze couldn't completely fix the issue — while it did mitigate the problem with patches, it's now clear the company discontinued the camera in January as "hardware limitations" prevented a proper update.
The vulnerability let attackers remotely control the camera without knowing the value normally needed to authenticate. While they couldn't watch live video as it was encrypted, they could steer the camera, switch it off and access videos saved on the SD card. Wyze patched the bug for its v2 and v3 cameras in late January.
Wyze was slow to respond and didn't fully share the nature of the security hole. Bitdefender noted that Wyze only acknowledged reception of the warning in November 2020, a year and a half after it was delivered. And while it did tell customers that it discontinued the Wyze Cam v1 due to incompatibility with a security update, it didn't tell users this was a known three-year-old flaw. It Wyze spokesperson Kyle Christensen told The Verge that the company had been transparent and "fully corrected" the problem, but in practice the firm only told owners that using the v1 camera after February 1st carried "increased risk."
It's not clear if any hackers took advantage of the flaw, but the potential consequences were serious. An intruder could have looked at past activity in the home or disabled the camera ahead of a burglary.
There are also questions surrounding Bitdefender's very late disclosure. The company's PR director Steve Fiore told The Verge that it delays publishing reports when it's not clear a vendor can properly address an issue. It didn't want to expose "potentially millions" of Wyze Cam users by sharing details of the exploit to with the public. However, security researchers typically disclose flaws within weeks, not years — even Google's more cautious Project Zero shares technical details within 90 days. While it's not always easy for tech firms to address vulnerabilities quickly, disclosures can help pressure companies into fixing security issues that might otherwise go unresolved.