Wyze patches serious flaws on its security cameras, but not its oldest one — what you need to know
First-gen Wyze Cam needs to be put out to pasture
If you have a Wyze Cam version 1, we've got bad news. The cheap, easy-to-use home security camera has some serious security flaws that aren't going to be fixed.
You're best just getting rid of the unit and spending $35 to trade up to the Wyze Cam version 2 or Wyze Cam v3, on both of which these flaws have been fixed. Or you could check out our list of the best home security cameras for even more options.
"While versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes," warned security firm Bitdefender in a blog post today (March 29). "Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited."
What's the difference between Wyze Cam v1 and v2?
The only problem is that the Wyze Cam v1, which debuted in 2017, and the Wyze Cam v2, which was released a year later, may look exactly the same. (There's also a black model of v2.)
We reached out to Wyze's customer-support chat line and were informed that you can find the device info on the bottom of each camera — v2 units will say "v2" while v1 units won't.
The main differences are in the innards. Wyze Cam v2 has a frame rate of 15 fps versus v1's 10 fps; v2 works with Google Assistant and Amazon Alexa, while v1 only has Alexa; and v2 has a motion-tagging feature whereas v1 doesn't.
In any case, Wyze ended support for v1 back on Feb 1. That's ironic, because a Bitdefender white paper details how it first informed Wyze of these three security flaws back in March 2019, three years ago.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Bitdefender says that Wyze fixed or mitigated some of the flaws over the next year and a half without acknowledging Bitdefender's original messages. Wyze finally replied to Bitdefender in November 2020, according to the security firm's report, and the two then worked together to verify further fixes.
Remote takeover
Flaw no. 1, catalogued as CVE-2019-9564, lets you take control of a Wyze cam over the internet without a password. Using this flaw, you "can fully control the device, including motion control (pan/tilt), disabling recording to [the SD card], turning camera on/off," noted Bitdefender, although you couldn't view the live feed. This has been fixed on Wyze Cams v2 and v3, but not on Wyze Cam v1.
Flaw no. 2, catalogued as CVE-2019-12266, does let you view the live feed. It involves swamping the Wyze's camera's internal memory with too much data, letting a remote attacker take total control of the device. It's not completely clear whether this has been fixed on Wyze Cam v1, but it has been on v2 and v3.
Flaw no. 3 is uncatalogued but lets a remote attacker access the contents of the SD card inserted into the camera without any password. This has been mitigated on Wyze Cam v1, but fully fixed only on Wyze Cams v2 and v3.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.