Your smart doorbell may have some major security flaws
(CNN) — When 24-year-old Heather Hines from Southern California was changing into her work clothes last month, she noticed the seven security cameras she owned from Wyze went offline for a short period of time, including the one in her bedroom.
About 48 hours later, she received an email from the company stating that thousands of its customers opened their apps and saw photos and video footage from inside other people’s homes. The issue stemmed from a caching problem from a third-party partner that occurred when the camera systems came back online.
Hines was one of the 13,000 accounts that were compromised in the hack. About 1,500 users viewed images and videos from other Wyze cameras.
“It made me feel violated,” said Hines, who used the cameras to monitor her sick cat when she’s not at home. “I’m scared I’m going to wake up one day and have my friends texting me saying my camera video got leaked.”
Issues with surveillance systems like cameras and doorbells continue to make headlines, stoking security and privacy concerns, reminding people who own smart home gadgets that some devices intended to make homes safer or more convenient continue to pose some serious security risks. Still, little repercussions exist for the companies responsible for keeping customers safe.
Hines told CNN she was “disappointed” in the Wyze’s limited response after inquiring what photos or footage were captured and seen by other users. In an email to Hines viewed by CNN, the company wrote: “We truly understand your concern, and we regret that we are unable to offer detailed information on a per-camera basis or specifics about how users might have been affected.”
Hines has since removed all of the Wyze cameras from her home. “Now I don’t have the cameras to watch over my sick cat. … I’m completely done with smart devices like that.”
For some Wyze customers, like 51-year-old Eddie Henderson from Nova Scotia, Canada, the incident came as less of a shock. This was the second security breach he’s been part of with Wyze in recent months, where he was once again able to see thumbnail images taken from other people’s cameras.
After accessing the app, he was able to peek into the front yards of two different residential homes, one of which he said was visible to a business across the street, making the location identifiable.
“I definitely felt violated … but I learned not to put them indoors in main areas of living space,” he said. Now he worries about one of his outdoor cameras placed near his medicinal marijuana field.
“The medical grow is valuable so if someone could figure out my location they may be interested in trying to steal it,” he said.
Henderson, who owns 10 Wyze cameras, said he is starting to replace them with other brands.
In an email sent to CNN, Wyze CEO Dave Cosby said the company knows “these events are unacceptable.” He said Wyze plans to hire up to a dozen new engineering positions to help “reduce reliance on any third parties.”
He added: “It will take time to repair trust with users and tech publications, but it has our total focus.”
The latest incident highlights a growing problem not only with security cameras but other internet-connected devices, putting the onus often on consumers to take extra steps to keep their homes safe from potential breaches and bad actors. It also raises the question about whether the value of smart devices is worth the risks.
Problematic devices
The problem is much bigger than one company. Less than two weeks after the Wyze incident, a Consumer Reports investigation found a series of cheaply made smart doorbells sold on Amazon, Walmart, Sears, Shein and other popular retailers had security flaws, allowing bad actors to easily hack into the systems to gain access to photos and footage stored on the app.
A majority of those products, from popular brands such as Eken and Tuck, were manufactured in China and sold at half the price of more well-known US brands. Consumer Reports said the doorbells did not have a required ID issued by the Federal Communications Commission, effectively making them illegal for sale in the US.
Walmart told CNN it is no longer selling these items. Amazon, which still lists them for sale on its site, did not respond to a request for comment.
Adding to the problem, some companies make and sell devices under different names, according to the Consumer Reports article.
“All computing devices are susceptible to hacks,” said Paddy Harrington, a senior analyst at market research firm Forrester Research. “The exposure of those devices to attack just grows exponentially when you put them on the internet and store the data in a publicly accessible place.”
Cheaply made devices without security controls in place can present significant vulnerabilities for customers. Hackers can access non-secure devices to get onto people’s home networks and other devices, from phones, computers and TVs to speakers, lights, and garage door openers. Attackers can potentially obtain sensitive information about the device’s owners, and they can also take over the smart gadgets, for example, by speaking through the devices, stealing footage and recordings, or flickering the lights.
When a vulnerability is found, bigger companies can turn around a fix quickly. That’s not always the case for smaller brands. Still, security breaches impact companies of all sizes. Amazon and Google have experienced security breaches with Ring and Nest security devices in recent years.
But because consumer goods have low profit margins, some smart home providers want to cut costs elsewhere, from limiting security controls to producing poor-quality products, according to Michela Menting, an analyst with market research firm ABI Research.
“It’s easy to dismiss risk and push it as the responsibility of the cloud provider,” said Michela Menting, an analyst with market research firm ABI Research. “But I’d say it’s really the smart home provider’s fault. They choose to make insecure products, thereby facilitating a future hacker’s job. There is plenty they could do to minimize the risk, but they choose not to.”
Cheaply made devices target buyers who seek less costly solutions compared to known-brand names. Inexpensive options can also disappear; sometimes pulled from the market a few weeks or months later because companies “found a better way to make a buck,” Harrington said.
“And what happens to your data and where it’s stored? [The company] walks away with them,” he added.
Why this happens
Fighting these issues remains a big challenge, akin to a game of Whac-a-Mole. Although the US government can go after American companies, it’s much harder to track down Chinese manufacturers. And even if a device says it was made in another country, its components could still be made in China.
It’s also difficult for shoppers to weed through endless products on sites such as Amazon; a search for smart light bulbs will pull up name brands, along with dozens of other companies you’ve never heard of – and many with good reviews. (Amazon has also struggled with questionable, fake reviews).
The company has come under fire over the years for the quality of some products it sells on its platform, including dietary supplements, carbon monoxide detectors, hair dryers and children’s sleepwear. In 2021, the Consumer Product Safety Commission called on Amazon to remove hundreds of thousands of products on its site deemed hazardous.
Although Amazon has removed some products, it continues to struggle with keeping untrustworthy products off its virtual shelves.
“When it comes to what they sell, Amazon has a lot of work to do to clean out the garbage and until consumers hold them accountable, they’ll keep doing it because it makes them money,” Haddington said.
On the security side, regulations and policies may help with some smart home products down the line, such as the White House Executive Order which requires manufacturers to list ingredients that make up software components and the European Union’s Cyber Resiliency Act, which mandates hardware and software to meet certain cybersecurity requirements.
“They will make manufacturers and providers accountable for security,” Menting said. “But these take time to develop and enact and it will get worse before it gets better.”
What can people do?
Consumer education and awareness can help. It’s smart to shop with a healthy dose of discernment, so people can feel comfortable with smart technologies they select for the home.
“There are many conscientious smart home providers who do their best from a security and privacy perspective, and this is laudable,” Menting said.
But because there are twice as many that do “a poor job” on that front, people must do their research before buying, she added.
This means getting recommendations from verified testers, such as CNN Underscored, Wirecutter, Consumer Reports and other trusted sources.
The FBI also offers guidance on how people can keeping smart homes secure, such as by making sure users only allow the device to operate on a network with a secured Wi-Fi router, and picking strong network passwords.
It also urges shoppers to purchase internet-connected gadgets from manufacturers with” a track record of providing secure devices,” and setting devices to automatically update with security fixes.
People can also reconsider how many smart devices they actually need in the home.
“This isn’t an issue with just one product,” Harrington said. “When it comes to things that involve personal security and privacy, everyone needs to take a little extra time and weigh the risks when buying connected products.”