Why We’re Pausing Our Recommendation of Wyze Smart Home Devices

We recognize that some existing Wyze customers may feel perfectly comfortable continuing to use their Wyze devices. We believe that it’s our responsibility to err on the side of caution when recommending any product that has the potential to expose an owner to privacy or security risks.

Our decision comes after thousands of Wyze-device owners opened their apps on February 16, 2024, and found that they were seeing images from other customers’ security cameras, including, in some cases, access video. This incident had been preceded by another Wyze privacy breach five months before, when a small group of Wyze customers were able to access video from other device owners’ cameras through the Wyze web portal. And before that, in March 2022, a Bitdefender study (PDF) revealed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three Wyze Cam models existing at the time. (Wyze did patch two of those models; the company then discontinued its first-generation camera and guided customers to stop using it.)

In response to the September 2023 camera problems—in particular, Wyze’s inadequate response and customer support—we decided to pause our recommendation of all Wyze security cameras and outlined steps that the company would need to take for us to resume considering its products for recommendation. At the time a Wyze representative stated to The Verge: “We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again.”

This most recent incident occurred just a few months later and is far more serious in scope: The company states that some 13,000 Wyze customers incorrectly received thumbnail images from other customers’ cameras, and 1,504 of them actually viewed those images and—in some cases were able to view video as well. This episode is also far more troubling in principle. Unlike previous instances, in which Wyze devices were found to have a vulnerability with a potential for misuse, in this circumstance Wyze effectively hacked itself by sending one group of customers’ private data to thousands of other customers. The inevitable implication is that Wyze doesn’t have a problem with its security cameras—it has a systemic problem in the way it handles user privacy and security.

And while Wyze did send out a mass email to customers, that message arrived almost 48 hours after customers began flagging problems on the Wyze support forum—aside from posts to social media and its support forum, the company didn’t reach out to customers until well after the issue was considered resolved.

Our main concern is not the specifics of this security issue—just about every company or organization in the world eventually has to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-A. We’ve concluded that the frequency of incidents, the increase in severity, and Wyze’s slow customer-support response paint a picture of a company that lacks the sorts of rigorous policies and procedures required to adequately protect its customers the way they deserve.

In an email, Dave Crosby, co-founder of Wyze, acknowledged that the company needs to do better and, to that end, plans to add engineering staff. “We were already undergoing several penetration testing and multiple process improvements to improve security and protect our customers,” Crosby said. “It’s clear we need to invest even more. This will be our top priority.”

Crosby also defended Wyze’s delay in responding. “We wanted to be very thorough, checking well before and after the reports to make sure we had captured every affected customer so that we could properly notify them,” he wrote. “That way, when we send a customer communication, we can tell them clearly if they are affected and why it happened." We strongly believe doing the opposite would be better. In any situation where security and privacy are concerned, it’s a company’s responsibility to alert their customers as quickly as possible, provide advice, and then later send follow-up with full details.

A look at the posts from disconcerted customers in Wyze’s own customer forums supports that view. And it’s also shared by peers and experts we consulted, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Max Eddy, Wirecutter’s senior staff writer for security, privacy, and software platforms. When we first reached out to them in September 2023, all of them agreed the central issue was that Wyze had not proactively reached out to all of its customers, nor had it been adequately accountable for its failures. “When these sorts of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’” It has been just a few months since then, Wyze has had another incident, and the company still hasn’t improved how it responds.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that the makers and sellers of these products, especially security devices, are worthy of their trust. Wyze now has a track record for putting its customers at risk, which also casts a shadow on the smart-home industry as a whole.

In order for us to resume testing and reviewing Wyze smart-home products, the company needs to demonstrate that it has made specific improvements to its security processes and responses. The company needs to be proactive, accountable, and transparent to its customers, in several ways:

1. Wyze should reach out to customers as soon as possible. When it becomes apparent that an issue is arising, the company should send an email to all customers, as well as push notifications in the app. The company should instruct customers to find information in the Wyze Communities online forum.
2. The company should update customers early and often, and it should give advice, if needed, on ways customers can protect themselves in the interim, such as turning off cameras or unplugging devices.
3. Once the company has investigated and resolved the matter, it should describe the issue in detail and, as soon as possible, state precisely who was affected and who wasn’t.
4. The company should explain specifically what steps it is taking to aid affected customers and what if any actions customers need to take on their own.
5. The company should follow up with customers to let them know that the issue has been resolved.

This isn’t the first time Wirecutter has pulled a recommendation for a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of that company’s cameras. After the company made a series of significant improvements to its programs and policies, we resumed reviewing Ring products, and since then we have recommended many of them as picks.

Should Wyze change course and adopt more substantial practices like those outlined above, we will be happy to resume testing its products and considering them for recommendation.

This article was edited by Grant Clauser.

Sources

1. Jen Caltrider, program director, Mozilla’s Privacy Not Included, email interview, September 12, 2023
2. Ari Lightman, professor of digital media and marketing, Carnegie Mellon University, phone interview, September 12, 2023