After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides.

On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident.

We believe Wyze is acting irresponsibly to its customers. As such, we’ve made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.

The concern is not that Wyze had a security incident—just about every company or organization in the world will probably have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-A. The greater issue is how this company responds to a crisis. With this incident, and others in the past, it’s clear Wyze has failed to develop the sorts of robust procedures that adequately protect its customers the way they deserve.

We spoke about this incident to peers, colleagues, and experts in the field, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Wirecutter senior staff writer Max Eddy. All of them agree the central issue is that Wyze has not proactively reached out to all its customers, nor has it been adequately accountable for its failures. “When these sort of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’”

If this were the first such incident, we might be less concerned. However, it comes on the heels of a March 2022 Bitdefender study (PDF), which showed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams. The company did eventually alert customers of the issue, and it notably guided them to stop using the first-generation Wyze Cam because “continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk”—but that was long after the serious vulnerability was first discovered and reported to Wyze, on multiple occasions, without getting a response.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze’s inability to meet these basic standards puts its customers and its devices at risk, and also casts doubt on the smart-home industry as a whole.

In order for us to consider recommending Wyze’s cameras again, the company needs to devise and implement more rigorous policies, as most of its competitors already have. They need to be proactive, accountable, and transparent. Here’s what we expect from Wyze in the event of a security incident:

  • Reach out to customers as soon as possible: Send an email to all customers, send push notifications in the app, put out a press release, broadcast in the Wyze Communities online forum.
  • Describe the issue in detail and state precisely who was affected (and who wasn’t).
  • Explain specifically what steps are being taken to aid affected customers and what if any actions the customer needs to take on their own.
  • Follow up with customers to let them know the issue has been resolved.

For anyone who has Wyze cameras and intends to continue using them, we recommend restricting their use to noncritical spaces or activities, such as outdoor locations. If you are looking for an alternative, better camera options are available—even for smart-home users on a budget.

This isn’t the first time Wirecutter has pulled a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. We eventually returned to reviewing Ring gear, and in some cases recommended them to our readers, after the company made a series of significant improvements to its programs and policies.

We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room. Should Wyze change course and adopt more substantial policies like those above, we will be happy to resume testing and considering them for recommendation.

  • @[email protected]
    Score 214 · 1 year ago

    We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room.

    Call me paranoid, but I don’t want a company I don’t trust plugged into my network at all.

      • @[email protected]
        Score 14 · 1 year ago

        Sadly there are a lot of people who only care about immediate gratification that would call that paranoid.

    • @[email protected]
      Score 34 · 1 year ago

      No, you’re not paranoid. I’d call it diligent.

      The premise of the statement you quoted is faulty to the core. A device internal to your home network knows a lot about the design of your home network and it knows a lot about the other devices on your network, and it can be used to facilitate/relay malicious access to your other devices if it becomes compromised.

      Wyze has always struggled with security problems…and I’ll admit that I do have several wyze cameras…but long ago decided their security was not trustworthy and created an entirely new virtual lan to run just my IOT stuff from. That, at least, reduces the exposure for some of their security issues. I certainly would never have interior cameras built by wyze - that’s too risky even with robust network security on my side of it.

    • @[email protected]
      Score 14 · 1 year ago · edited

      They’ll be able to flash Morse code at you

      -... . / ... ..- .-. . / - --- / -.. .-. .. -. -.- / -.-- --- ..- .-. / --- ...- .- .-.. - .. -. .

    • @[email protected]
      Score 8 · 1 year ago

      Me neither. But building an entirely off-site video monitoring server is a bit over my head. So I just use cameras like this when I’m not home.

      • @[email protected]
        Score 16 · 1 year ago

        Any security system hosted in the cloud is inherently unsecure or at the very least a privacy nightmare. Invest in being friendly with neighbours.

      • @[email protected]
        Score 4 · 1 year ago

        Switch to Unifi. It’s enterprise-grade hardware and high quality software at consumer prices. If you know networking, you can set them up without connecting them to the internet while still being able to access them outside your network. If not, you can just use their free web portal to access your cameras. It’s probably easier than Wyze, and it’s certainly more secure.

        I don’t normally like to shill brands on the internet, but for these people I make an exception.

        • @[email protected]
          Score 1 · 1 year ago

          I also use Unifi but it’s worth mentioning that Unifi Protect (current offering) requires an online Unifi account and a Unifi DVR, whereas the older Unifi Video required a local account and could be run on your own hardware. I like that my videos are not stored in the cloud, but I don’t know enough about how Unifi handles security to confirm that they couldn’t allow another user to stream video off your hardware directly. I’m not too concerned about the risk because I just use these for my front yard and it’s pretty convenient.

          • @[email protected]
            Score 2 · 1 year ago

            Are you sure? I currently have an online account (because it was easier to give other people access and I too only have these watching my yard), but I remember when I first set it up in my home I was using a local account created in the DVR’s portal (a Cloudkey Gen 2). The web portal is hosted on the cloudkey, you can access it via any web browser, and the cameras will record to it without an internet connection.

            I could’ve sworn you could host the camera server without a Unifi DVR, but apparently not. The network stuff can be though. I guess that’s important to keep in mind, although I’d be surprised if they removed the ability to use the DVR without an online account.

            • @[email protected]
              Score 2 · 1 year ago

              I know there was an issue a while ago that you couldn’t connect directly to your cameras using iOS via the LAN. It had to go online. I remember now a hastily rolled out patch in response to a data breach. So to answer your question, I’m not 100% sure. I use my cameras like you do but this is an important topic for someone who doesn’t want their system online in any capacity.

    • sadreality
      Score 6 · 1 year ago · edited

      Imagine a world where an adult person who has self respect feels the need to couch his reasonable position like this…

      People are too willing to place shoddy spyware in their houses. I don’t understand how we got here, I guess cell phones?

  • @[email protected]
    Score 88 · 1 year ago · edited

    Finally. I tossed mine after the incident last year.

    EDIT: Wait, they replaced it with a Eufy camera? After the same thing happened with them last year?

      • @[email protected]
        Score 14 · 1 year ago

        I personally use Amcrest + Home Assistant behind a firewall, but that’s far from perfect. I’ve been interested in the new Amazon Blink cameras too, since they support self hosting (at least in some capacity). Still a bit iffy about them though, for obvious reasons.

          • @[email protected]
            Score 5 · 1 year ago · edited

            This is the sad truth. Nearly every piece of hardware I buy that connects to my home network tries to make requests to the internet.

            I’m honestly getting so frustrated that I’m starting to treat 90s hardware with a bit of admiration. So what if a VHS camera looks like blurry shit. At least the data isn’t being sent across the globe.

          • @[email protected]
            Score 2 · 1 year ago

            I’d add smart TVs to this category too. I had a device get compromised on my network (QNAP NAS, not recommended), so I locked my network down pretty hard (UPNP partly the culprit). My Samsung TV began having problems. After a few rounds with customer support I realized I was running into a problem with a feature, not a bug. Then I disconnected my screens from the internet and switched to Apple TV. I figure at least then there is a little pushback to the data scraping. And FYI I saw the same thing with Amazon Fire that you did.

      • @[email protected]
        Score 5 · 1 year ago

        You can flash the older Wyze cameras with custom firmware that has more self hosting capabilities but I haven’t tried it myself.

        • @[email protected]
          Score 2 · 1 year ago

          When in doubt, assume that it probably does. Use Wireshark to find all outbound traffic from your Lorex devices, and see what they’re talking to. There’s a good chance that they’re, at a minimum, fetching the time from an NTP server.

      • @[email protected]
        Score 1 · 1 year ago

        AFAIK they have some problems but not quite this bad. Maybe I don’t know all the incidents?

        I thought they sent the preview video without HTTPS. Same with a face preview, and most concerning an ID string of unknown intent with the face preview.

        I have a few outside and I’m pretty happy with them. The motion detection isn’t perfect, and you’d have to be lucky to read a license plate… but they are also pretty inexpensive.

        Unfortunately they are susceptible to a standard deauth attack.

    • Ataraxia
      Score 3 · 1 year ago

      Mine is recording cats on our porch. We are always home and it doesn’t catch any audio that matters as we are rarely in the room where that window is. I would never have cameras pointed inside the house where I need privacy. Not even if I had it all hooked up to my own server the last thing I’d want is my private moments recorded lol. Freaking weird.

      • @[email protected]
        Score 1 · 1 year ago

        Our cameras point outside but the microphones are so retry sensitive and my office window is near two of them. I’m sure someone could hear my side of a phone call.

  • @[email protected]
    Score 81 · 1 year ago

    The article actually names the people they talked to. So rare to see actual journalism rather than the usual lazy “we talked to experts”, which is equivalent to “we just made shit up”.

    • @[email protected]
      Score 29 · 1 year ago

      I happily subscribe to the New York Times. I feel it’s important to support a major source of actual quality journalism and content.

  • @[email protected]
    Score 46 · 1 year ago

    Blows my mind how ready people are to hook up a camera that streams to some fucking company, who the fuck knows what they do with it all. I guess some HR fuck said nobody looks at your data so it must be safe!!

  • @[email protected]
    Score 20 · 1 year ago

    Eh. I feel like being written up in wirecutter is reason enough to avoid those products altogether.

    • Ertebolle
      Score 7 · 1 year ago

      Yeah, Bribercutter has really gone downhill since the NYT acquisition

    • @coach
      Score 4 · 1 year ago

      100%. I’ve lost a lot of money to their “recommendations.”

    • @[email protected]
      Score 27 · 1 year ago

      If you want to self-host you NVR then anything RTSP or ONVIF. I have a combination of Ubiquiti, Reolink, Dahua, and Amcrest cameras. They sit on their own network with no Internet access and can only talk to the NVR. That’s not exactly an easy setup though unless you are fairly technical but it is a private one.

        • @[email protected]
          Score 17 · 1 year ago

          If someone uses acronyms without explaining them, they’re “flexing” and can be ignored.

          But this person made it extra confusing by typo-ing “your NVR” as “you NVR,” which makes “NVR” seem like a verb.

          NVR = Network Video Recorder. A thing that records videos locally from your cameras.

          • @[email protected]
            Score -2 · 1 year ago · edited

            Nah, that’s just a cope statement. I knew what all those acronyms meant already, as would anyone who deals with security cameras with any regularity. Also, using acronyms properly is a concise method of communicating useful information.

            If you were actually interested in the topic instead of just trying to imagine that people are “flexing” their knowledge to cope with lack of your own, you could simply use a search engine to learn what those acronyms meant in a few seconds of time.

        • @[email protected]
          Score 2 · 1 year ago

          RTSP is the streaming cam protocol. It shows up as a url with rtsp:// instead of https://. You can type that url into streaming video apps like VLC (video lan client) and watch your videos with no configuration. There is no security on the feed so you have to secure your network instead.

        • @[email protected]
          Score 1 · 7 months ago

          To translate, a decent set-up involves a self-hosted controller and recorder unit, to which cameras speaking an open protocol connect. RTSP- or ONVIF-style cameras are often chosen for compatibility with a standard central unit (Network Video Recorder, or NVR).

          Brands like ReoLink, Dahua, Amcrest, and (to a lesser extent) Ubiquiti, will easily connect to that self-hosted NVR; although, if some of those camera brands are sketchy then you may need to confirm they’re isolated from the world and test that assumption regularly.
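
Added example, not part of the thread or of any commenter's setup: one way to test the isolation assumption raised in the comments above is to capture on the camera VLAN (for instance with `tcpdump -nn -tt`, or Wireshark as suggested earlier) and flag every packet a camera sends to anything other than the NVR. The subnet 192.168.50.0/24, the NVR address 192.168.50.2 and the sample capture are assumptions constructed for illustration.

```python
"""Flag camera traffic that breaks a "cameras may only talk to the NVR" policy.

Input: text output of `tcpdump -nn -tt` captured on the camera VLAN.
All addresses below are assumptions for this example, not values from the thread.
"""
import ipaddress
import re
from collections import Counter

CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed camera VLAN
NVR = ipaddress.ip_address("192.168.50.2")             # assumed self-hosted NVR
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
SERVICES = {53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS", 554: "RTSP"}

# IPv4 packet line: "<epoch> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
)

# Constructed sample capture (documentation-range addresses stand in for the internet).
SAMPLE_CAPTURE = """\
1700000000.100000 IP 192.168.50.11.51234 > 192.168.50.2.554: Flags [S], seq 1, win 64240, length 0
1700000001.200000 IP 192.168.50.12.40000 > 203.0.113.53.53: 4660+ A? cloud.example. (31)
1700000002.300000 IP 192.168.50.12.123 > 198.51.100.7.123: NTPv4, Client, length 48
1700000003.400000 IP 192.168.50.11.44321 > 192.168.1.20.445: Flags [S], seq 9, win 64240, length 0
1700000004.500000 IP 192.168.50.2.554 > 192.168.50.11.51234: Flags [S.], seq 5, ack 2, win 65160, length 0
1700000005.600000 IP 192.168.50.12.50505 > 192.168.50.11.80: Flags [S], seq 3, win 64240, length 0
1700000006.700000 ARP, Request who-has 192.168.50.1 tell 192.168.50.12, length 28
1700000007.800000 IP 192.168.50.12.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
"""


def classify(dst):
    """Return None if the destination is allowed, else the kind of violation."""
    if dst == NVR:
        return None
    if dst.is_multicast or dst in (LIMITED_BROADCAST, CAMERA_NET.broadcast_address):
        return None           # DHCP/mDNS/SSDP: normally stays on the local segment
    if dst in CAMERA_NET:
        return "lateral"      # camera to another device on the camera VLAN
    if any(dst in net for net in RFC1918):
        return "other-lan"    # routed into another internal network
    return "internet"         # left the home network entirely


def find_violations(capture_text):
    """Return one record per packet sent by a camera to a disallowed destination."""
    violations = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # ARP, IPv6 and anything else this parser does not cover
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in CAMERA_NET or src == NVR:
            continue          # only judge packets that a camera sent
        kind = classify(dst)
        if kind is None:
            continue
        dport = int(m["dport"])
        violations.append({
            "ts": float(m["ts"]),
            "src": str(src),
            "dst": str(dst),
            "kind": kind,
            # The port label is only meaningful for packets the camera initiated.
            "service": SERVICES.get(dport, f"port {dport}"),
        })
    return violations


def summarize(violations):
    """Count violations per (camera, kind) so the noisiest device stands out."""
    return Counter((v["src"], v["kind"]) for v in violations)


if __name__ == "__main__":
    found = find_violations(SAMPLE_CAPTURE)
    for v in found:
        print(f'{v["ts"]:.1f} {v["src"]} -> {v["dst"]} [{v["kind"]}] {v["service"]}')
    for (src, kind), count in sorted(summarize(found).items()):
        print(f"{src}: {count} x {kind}")
```

An empty result only means nothing escaped during the capture window, so the capture has to cover a reboot and an idle period to be a meaningful test.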

      • @[email protected]
        Score 3 · 1 year ago

        Any specific reason for the mixed brands? I went 100% Unifi in my home (cameras and networking equipment) and it’s amazing. Everything just works, and the apps are great. While I haven’t bothered to go through the effort of setting up a VPN so that the NVR is disconnected from the internet, I know it’s doable.

        • @[email protected]
          Score 2 · 1 year ago

          Not really. I have a third-party NVR that can take any standards-based camera. I like the Dahua camera over the garage since it handles direct headlights VERY well. The Ubiquiti ones were a holdover from when I ran all their stuff I just haven’t replaced them. The Reolink was a cheap option to watch the corner of the basement where the water and sewer lines are. And the Amcrest is a cheap PTZ to watch other parts of the basement as needed.

          The benefit of a third-party NVR is you can mix and match cameras at will for whatever is best in that specific circumstance without vendor lock-in. Yeah it’s more complicated for sure but I like the flexibility.

          I use Wireguard on my phone for remote access when needed and it works great.

    • @[email protected]
      Score 14 · 1 year ago

      Ubiquiti is who I chose. Everything is self hosted, no service fees, good quality equipment and no extra fees for remote maintenance. The motion and AI detections work very well and of course all the products integrate seamlessly into their UniFi network equipment…BUT it’s more a whole network approach than just cameras.

      • AtHeartEngineer
        Score 2 · 1 year ago

        They are pricey compared to wyzecam though, but probably worth it at this rate

        • @[email protected]
          Score 3 · 1 year ago

          Not cheap, but not overly expensive. You are getting what you pay for without the privacy nightmare.

      • @[email protected]
        Score 2 · 7 months ago

        My posh friend has an ubi setup. And then she bought a camera to see under the ice in her Koi pond.

        Ubi refused to connect it.

        I stayed back, as she’s technically proficient and I want to mess with cameras like I want to mess with printers - make my own work, but that’s it - but it really seemed like Ubi doesn’t work with anything else, and that’s by choice a la apple.

    • @[email protected]
      Score 8 · 1 year ago

      I have had good luck with reolink cameras, which, so far, have RTSP as a feature by default. They offer a program, which amazingly doesn’t require an account be made.

      I put custom RTSP firmware on all of my old Wyze cameras and then blocked them from WAN access.

    • @[email protected]
      Score 2 · 1 year ago

      You can use Ecobee’s cameras with HomeKit secure video. Just block the cameras from being able to talk to the internet via firewall first.

    • @[email protected]
      Score 2 · 1 year ago

      Foscam is relatively cheap and I like the few PTZ cameras I have. I use RTSP and block their access to the internet. For the timestamp to stay synced I redirect the Foscam DNS requests to an NTP docker container.

      • Buelldozer
        Score 1 · 1 year ago

        Do foscams work well with Frigate? The next step in my Smart Home evolution is Cameras and I’d like to use Frigate because it integrates well with Home Assistant (and I already have the Google Coral Module).

        • @[email protected]
          Score 1 · 1 year ago · edited

          I messed around with Frigate once but never spent any time with it since TPUs are impossible to find these days and I didn’t have a use otherwise. I know I at least got to the point where I was viewing the stream in Frigate, but I can’t vouch for anything past that point.

          edit: I ended up looking and it looks like they are available again, I hadn’t checked in a while. Maybe I’ll give it a whirl again.

  • @[email protected]
    Score 13 · 1 year ago

    I actually had this glitch or something similar. Was staying with a friend when I got an activity alert…but it was from their camera. IIRC all it gave me was a still frame of them standing in front of it. I never bothered reporting it to Wyze. I figured it was some rare glitch because I had given my friend that camera (it was now on their account and not linked to mine).

  • SeaJ
    Score 13 · 1 year ago

    They recommended them in the first place? They have always had absolutely garbage security.

    • @[email protected]
      Score 12 · 1 year ago · edited

      They were also the easiest to use offline. I needed internet to set them up, but once they were up, as long as I didn’t want to ever use the app, they didn’t actually need a connection to operate.

    • drphungky
      Score 3 · 1 year ago

      They used to be good. They were cheap, you could flash them with custom firmware, they were very nerd friendly. They just gradually got worse and worse though, starting with them wanting to keep you in their app. It’s always garbage profit seeking. No one is happy being good to consumers if they can make more money not doing so.

  • YⓄ乙
    Score 12 · 1 year ago

    The best solution is Reolink DIY on-prem one.

    • @[email protected]
      Score 33 · 1 year ago

      Yeah- your own wired cameras wired to your own ON PREMISES NVR. Any type of wifi cameras handled by a web portal are completely un-securable and it’s not a question of if the company shuts them down, but when.

      • archomrade [he/him]
        Score 7 · 1 year ago · edited

        Edit* - someone mentioned Amcrest as an alternative. Not as cheap as Wyze but they have a couple $70 cameras that aren’t unreasonable, definitely giving them a try.

        It drives me absolutely crazy that there are no cheap NVR cameras in the wyze price-range. If only I could afford a Unifi camera, i’d do it in a heartbeat, but I don’t have several hundred to shell out for the camera and several hundred more for a dream machine.

        If there were $30 cameras somewhere that can only be accessed through LAN or PoE connections, I’d absolutely cream my pants over it.

        • @[email protected]
          Score 1 · 1 year ago

          There kind of are: they’re the Wyze cameras, just with custom firmware. They stand up a little web server, and you never log them in to Wyze.

      • @Drewelite
        Score 6 · 1 year ago

        Amcrest has web apps but you can skip that and set them up over local protocols and use PoE.

        • @[email protected]
          Score 4 · 1 year ago · edited

          I’ve used Surevision a number of times and like their gear too, all remotely accessible from mobile/etc but at least they’re systems THAT YOU OWN and THAT YOU OPERATE. Since it’s impossible to use/test everything I can’t say they’re any better or worse than others. I always recommend against “cloud” cameras and the people who ignore my recommendation always come back saying they regret it, usually 1-2 years later, but sometimes much sooner.

          "Why is my internet speed trash after installing 15 wifi cloud cams?" GEE I WONDER

          Spend the money once or spend it every two years hrmmmmm

      • @[email protected]
        Score 3 · 1 year ago

        Great, but what kind? Is there a bundle I can buy easily? People go the cloud route because of simplicity

      • @[email protected]
        Score 2 · 1 year ago

        Not accurate. I have a number of wifi cameras with web administration portals on each device, not on the Internet, and they are secured by my firewall. The firewall does not permit them to access or be accessed by the Internet.

        • @[email protected]
          Score -3 · 1 year ago

          Why wouldn’t someone have the capability? Time? Money? Other?

          A synology nas device seems a minimal cost of time and money.

            • @[email protected]
              Score 1 · 1 year ago

              You can get wireless IP cameras and put them on a separate wireless network that does not connect to the internet.

            • @[email protected]
              Score 1 · 1 year ago

              I’m a short term renter. I take my nas, router, and even starlink (for if needed) with me as I move house to house. Takes 10 mins to setup the network and my cameras.

          • @[email protected]
            Score 3 · 1 year ago

            For me the whole point of security cameras is real time notifications and cloud infrastructure. Having videos of someone robbing my house after the fact is a distant second motivation. Also, if officer Barbrady kicks down my door and violates my rights, he’s much more likely to get my NAS than some random docker on a random AWS colo.

            • @[email protected]
              Score 2 · 1 year ago

              Well sure, you have the nas backing up to the cloud if you want. Or just set up the video stream to go to an aws instance running nvr software.

              Notifications work any way you set it up so that’s no difference.

              Either way, still not using third party “cloud” magic.

        • @[email protected]
          Score 7 · 1 year ago

          Purely anecdotal but in my experience Unifi is overpriced garbage. Had a dream machine die at 13 months and could only get an “it’s out of warranty, buy a new one” response. Looking at the internals it was pretty clear they were never designed with any service in mind.

          They also force you into plenty of cloud bullshit. They lost my password hash for my local device because they fucked up some cloud transfer. If I didn’t have an SSH key I would have been screwed.

          It takes a bunch of time and tech know-how but foss has been a much better solution. Have an openwrt pi4 router, truenas server and switched my Wyze cams to openmiko firmware. Far better than anything offered by these prosumer companies.

          • @[email protected]
            Score 5 · 1 year ago

            I have ubiquiti access points and a router, and a Tp-link Omada router. The Unifi interface is more slick, but the Omada interface is good too. And the Omada stuff costs a lot less.

            • @[email protected]
              Score 1 · 1 year ago

              Plus you can flash wrt to a lot of the TP-Link stuff including the access points. I haven’t looked in ages but I remember that most or all Ubiquiti stuff was locked down.

  • @[email protected]
    Score 11 · 1 year ago

    We have a wyze camera set up in our living room, it’s usually turned towards the wall but we flip it around when not home to keep an eye on our doggy.

    I was home on sick leave with COVID and noticed the light turn red a couple times. I assumed it was my fiance checking on with me but I asked her and she said it wasn’t her. Same thing the next day, I checked my account and it’s just me and her that have access. I unplugged that shit.

    • @[email protected]
      Score 25 · 1 year ago

      Turning red is the generic “activity” notice. Could be being viewed, could be that it is motion detecting, or person detecting, or whatever.

    • Rouxibeau
      Score 8 · 1 year ago

      Don’t use your ignorance as an excuse to fearmonger

  • @[email protected]
    Score 8 · 1 year ago

    Thanks to this thread I found out reolink is having a sale and now have a bunch of shit on the way, so thanks lol