Why We’re Pausing Our Recommendation of Wyze Smart Home Devices


We recognize that some existing Wyze customers may feel perfectly comfortable continuing to use their Wyze devices. We believe it’s our responsibility to err on the side of caution when recommending any product that has the potential to expose an owner to privacy or security risks.

Our decision comes after thousands of Wyze users opened their apps on Feb 16, 2024 and found they were seeing images from other customers’ security cameras including, in some cases, access to live and stored video. This incident had been preceded by another Wyze privacy breach five months before, when a small group of Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. And before that, in March of 2022, a Bitdefender study revealed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams at the time. (Wyze did patch two and then discontinued its first-gen camera and guided users to stop using it.)

In response to the September 2023 camera problems—in particular Wyze’s inadequate response and support of customers—we made the decision to pause our recommendation of all Wyze security cameras and provided steps the company would need to take for us to resume considering its products for recommendation. At the time a Wyze representative stated to The Verge, “We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again.”

This most recent incident occurred just a few months later, and is far more serious in scope: The company states that some 13,000 Wyze users incorrectly received images from other customers' cameras, and 1,504 of them viewed either still images or, in some cases, video as well. This episode is also far more troubling in principle. Unlike previous instances, in which Wyze devices were found to have a vulnerability with a potential for misuse, in this circumstance Wyze effectively hacked itself by sending one group of customers' private data to thousands of other customers. The inevitable implication is that Wyze doesn't just have a problem with its security cameras; it has a systemic problem in the way it handles user privacy and security.

And while Wyze did send out a mass email to customers, it arrived almost 48 hours after customers began flagging problems on the Wyze support forum. Apart from posts to social media and that forum, the company didn't reach out to customers directly until well after it considered the issue resolved.

Our main concern is not the specifics of this security issue. Just about every company or organization in the world will have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-A. We feel that the frequency of incidents, the increase in severity, and Wyze's slow customer support response paint a picture of a company that lacks the sorts of rigorous policies and procedures required to protect its customers the way they deserve.

In an email, Dave Crosby, co-founder of Wyze, acknowledged that the company needs to do better, and to that end plans to add engineering staff. “We were already undergoing several penetration testing and multiple process improvements to improve security and protect our customers,” Crosby said. “It’s clear we need to invest even more. This will be our top priority.”

Crosby also defended Wyze's delay in responding. "We wanted to be very thorough, checking well before and after the reports to make sure we had captured every affected customer so that we could properly notify them," he wrote. "That way, when we send a customer communication, we can tell them clearly if they are affected and why it happened." We strongly believe doing the opposite would be better. In any situation where security and privacy are concerned, it's a company's responsibility to alert its customers as quickly as possible, provide advice, and then later send a follow-up with full details.

A look at the posts from disconcerted customers in Wyze's own customer forum supports that view. It's also shared by peers and experts we consulted, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla's Privacy Not Included; and Wirecutter's Max Eddy, senior staff writer for security, privacy, and software platforms. When we first reached out to them in September 2023, all of them agreed the central issue was that Wyze had not proactively reached out to all its customers, nor had it been adequately accountable for its failures. "When these sorts of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up," Lightman explained. "Then the company has to say, 'Here's exactly what we're going to be doing to rectify any potential situation in the future.'" It's been just a few months since then; Wyze has had another incident, and it still hasn't improved how it responds.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze now has a track record for putting its customers at risk, which also casts a shadow on the smart-home industry as a whole.

In order for us to resume testing and reviewing Wyze smart home products, the company needs to demonstrate that it has made specific improvements to its security processes and responses. It needs to be proactive, accountable, and transparent with its customers:

  • Reach out to customers as soon as possible: When it becomes apparent that an issue is arising, send an email to all customers and push notifications in the app, and direct customers to the Wyze Communities online forum for ongoing information.
  • Update customers early and often, and give advice where appropriate on ways to protect themselves in the interim, such as turning off cameras or unplugging devices.
  • Once the matter is investigated and resolved, describe the issue in detail and, as soon as possible, state precisely who was affected (and who wasn't).
  • Explain specifically what steps are being taken to aid affected customers and what actions, if any, customers need to take on their own.
  • Follow up with customers to let them know the issue has been resolved.

This isn’t the first time Wirecutter has pulled a recommendation for a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. After the company made a series of significant improvements to its programs and policies we resumed reviewing Ring products and many have since become recommended picks.

Should Wyze change course and adopt substantial practices like those above, we will be happy to resume testing its products and considering them for recommendation.

This article was edited by Grant Clauser.

Sources

1. Jen Caltrider, program director, Mozilla’s Privacy Not Included, email interview, September 12, 2023
2. Ari Lightman, professor of digital media and marketing, Carnegie Mellon University, phone interview, September 12, 2023
