That security camera and smart doorbell you’re using may have some major security flaws

Mar 9, 2024, 8:52 PM

Security cameras and other smart home products continue to raise privacy concerns. (Smith Collectio...

Security cameras and other smart home products continue to raise privacy concerns. (Smith Collection/Gado, Getty Images)

(Smith Collection/Gado, Getty Images)

(CNN) — When 24-year-old Heather Hines from Southern California was changing into her work clothes last month, she noticed the seven security cameras she owned from Wyze went offline for a short period of time, including the one in her bedroom.

About 48 hours later, she received an email from the company stating that thousands of its customers opened their apps and saw photos and video footage from inside other people’s homes. The issue stemmed from a caching problem from a third-party partner that occurred when the camera systems came back online.

Hines was one of the 13,000 accounts that were compromised in the hack. About 1,500 users viewed images and videos from other Wyze cameras.

“It made me feel violated,” said Hines, who used the cameras to monitor her sick cat when she’s not at home. “I’m scared I’m going to wake up one day and have my friends texting me saying my camera video got leaked.”

Issues with surveillance systems like cameras and doorbells continue to make headlines, stoking security and privacy concerns, reminding people who own smart home gadgets that some devices intended to make homes safer or more convenient continue to pose some serious security risks. Still, little repercussions exist for the companies responsible for keeping customers safe.

Hines told CNN she was “disappointed” in the Wyze’s limited response after inquiring what photos or footage were captured and seen by other users. In an email to Hines viewed by CNN, the company wrote: “We truly understand your concern, and we regret that we are unable to offer detailed information on a per-camera basis or specifics about how users might have been affected.”

Hines has since removed all of the Wyze cameras from her home. “Now I don’t have the cameras to watch over my sick cat. … I’m completely done with smart devices like that.”

For some Wyze customers, like 51-year-old Eddie Henderson from Nova Scotia, Canada, the incident came as less of a shock. This was the second security breach he’s been part of with Wyze in recent months, where he was once again able to see thumbnail images taken from other people’s cameras.

After accessing the app, he was able to peek into the front yards of two different residential homes, one of which he said was visible to a business across the street, making the location identifiable.

“I definitely felt violated … but I learned not to put them indoors in main areas of living space,” he said. Now he worries about one of his outdoor cameras placed near his medicinal marijuana field.

“The medical grow is valuable so if someone could figure out my location they may be interested in trying to steal it,” he said.

Henderson, who owns 10 Wyze cameras, said he is starting to replace them with other brands.

In an email sent to CNN, Wyze CEO Dave Cosby said the company knows “these events are unacceptable.” He said Wyze plans to hire up to a dozen new engineering positions to help “reduce reliance on any third parties.”

He added: “It will take time to repair trust with users and tech publications, but it has our total focus.”

The latest incident highlights a growing problem not only with security cameras but other internet-connected devices, putting the onus often on consumers to take extra steps to keep their homes safe from potential breaches and bad actors. It also raises the question about whether the value of smart devices is worth the risks.

Problematic devices

The problem is much bigger than one company. Less than two weeks after the Wyze incident, a Consumer Reports investigation found a series of cheaply made smart doorbells sold on Amazon, Walmart, Sears, Shein and other popular retailers had security flaws, allowing bad actors to easily hack into the systems to gain access to photos and footage stored on the app.

A majority of those products, from popular brands such as Eken and Tuck, were manufactured in China and sold at half the price of more well-known US brands. Consumer Reports said the doorbells did not have a required ID issued by the Federal Communications Commission, effectively making them illegal for sale in the US.

Walmart told CNN it is no longer selling these items. Amazon, which still lists them for sale on its site, did not respond to a request for comment.

Adding to the problem, some companies make and sell devices under different names, according to the Consumer Reports article.

“All computing devices are susceptible to hacks,” said Paddy Harrington, a senior analyst at market research firm Forrester Research. “The exposure of those devices to attack just grows exponentially when you put them on the internet and store the data in a publicly accessible place.”

Cheaply made devices without security controls in place can present significant vulnerabilities for customers. Hackers can access non-secure devices to get onto people’s home networks and other devices, from phones, computers and TVs to speakers, lights, and garage door openers. Attackers can potentially obtain sensitive information about the device’s owners, and they can also take over the smart gadgets, for exampleby speaking through the devices, stealing footage and recordings, or flickering the lights.

When a vulnerability is found, bigger companies can turn around a fix quickly. That’s not always the case for smaller brands. Still, security breaches impact companies of all sizes. Amazon and Google have experienced security breaches with Ring and Nest security devices in recent years.

But because consumer goods have low profit margins, some smart home providers want to cut costs elsewhere, from limiting security controls to producing poor-quality products, according to Michela Menting, an analyst with market research firm ABI Research.

“It’s easy to dismiss risk and push it as the responsibility of the cloud provider,” said Michela Menting, an analyst with market research firm ABI Research. “But I’d say it’s really the smart home provider’s fault. They choose to make insecure products, thereby facilitating a future hacker’s job. There is plenty they could do to minimize the risk, but they choose not to.”

Cheaply made devices target buyers who seek less costly solutions compared to known-brand names. Inexpensive options can also disappear; sometimes pulled from the market a few weeks or months later because companies “found a better way to make a buck,” Harrington said.

“And what happens to your data and where it’s stored? [The company] walks away with them,” he added.

Why this happens

Fighting these issues remains a big challenge, akin to a game of Whac-a-Mole. Although the US government can go after American companies, it’s much harder to track down Chinese manufacturers. And even if a device says it was made in another country, its components could still be made in China.

It’s also difficult for shoppers to weed through endless products on sites such as Amazon; a search for smart light bulbs will pull up name brands, along with dozens of other companies you’ve never heard of – and many with good reviews. (Amazon has also struggled with questionable, fake reviews).

The company has come under fire over the years for the quality of some products it sells on its platform, including dietary supplements, carbon monoxide detectors, hair dryers and children’s sleepwear. In 2021, the Consumer Product Safety Commission called on Amazon to remove hundreds of thousands of products on its site deemed hazardous.

Although Amazon has removed some products, it continues to struggle with keeping untrustworthy products off its virtual shelves.

“When it comes to what they sell, Amazon has a lot of work to do to clean out the garbage and until consumers hold them accountable, they’ll keep doing it because it makes them money,” Haddington said.

On the security side, regulations and policies may help with some smart home products down the line, such as the White House Executive Order which requires manufacturers to list ingredients that make up software components and the European Union’s Cyber Resiliency Act, which mandates hardware and software to meet certain cybersecurity requirements.

“They will make manufacturers and providers accountable for security,” Menting said. “But these take time to develop and enact and it will get worse before it gets better.”

What can people do?

Consumer education and awareness can help. It’s smart to shop with a healthy dose of discernment, so people can feel comfortable with smart technologies they select for the home.

“There are many conscientious smart home providers who do their best from a security and privacy perspective, and this is laudable,” Menting said.

But because there are twice as many that do “a poor job” on that front, people must do their research before buying, she added.

This means getting recommendations from verified testers, such as CNN Underscored, Wirecutter, Consumer Reports and other trusted sources.

The FBI also offers guidance on how people can keeping smart homes secure, such as by making sure users only allow the device to operate on a network with a secured Wi-Fi router, and picking strong network passwords.

It also urges shoppers to purchase internet-connected gadgets from manufacturers with” a track record of providing secure devices,” and setting devices to automatically update with security fixes.

People can also reconsider how many smart devices they actually need in the home.

“This isn’t an issue with just one product,” Harrington said. “When it comes to things that involve personal security and privacy, everyone needs to take a little extra time and weigh the risks when buying connected products.”

KSL 5 TV Live

National News

President John F. Kennedy slumps against his wife as the bullet from an assassin strikes him in the...

Zachary B. Wolf, CNN

Long list of presidents have been shot or shot at

Multiple presidents and former presidents and candidates for president have been attacked in US history, according to a CNN report from 2011 and a list of instances of political violence that includes attacks on senators, congressmen and governors compiled by CNN’s research library.

4 hours ago

Republican presidential candidate former President Donald Trump is helped off the stage at a campai...

Mark Jones

Utah leaders react to assassination attempt at Trump rally in Pennsylvania

Former President Donald Trump was rushed off a stage at a Pennsylvania rally Saturday by U.S Secret Service agents after apparent gunshots were heard in the crowd.

7 hours ago

Republican presidential candidate former President Donald Trump is surround by U.S. Secret Service ...

Associated Press

‘I was shot’: Trump issues statement after being whisked off stage following an apparent assassination attempt

Donald Trump was whisked off the stage at a rally in Butler, Pennsylvania after apparent gunshots rang through the crowd.

9 hours ago

FILE - In this Aug. 10, 2013 file photo, fitness guru Richard Simmons arrives at the Project Angel ...

Dan Heching, CNN

Richard Simmons, fitness personality and TV host, dead at 76, per reports

Richard Simmons, the perennial 1980s workout personality who was defined by his uplifting spirit, has died, according to multiple reports.

10 hours ago

A vending machine is pictured selling ammunition. (American Rounds, AP)...

Anissa Carby and Navya Shukla, CNN

Company debuts vending machines selling ammunition in 3 Southern states

Vending machines selling ammunition will now be in grocery stores in Alabama, Texas and Oklahoma. According to the American Rounds' website, the distributor of the machines, AI technology scans the customers’ identification and facial recognition software to verify a customer’s identity.

12 hours ago

Ruth Westheimer arrives on Day One of the 2022 US Open at USTA Billie Jean King National Tennis Cen...

AJ Willingham and Artemis Moshtaghian, CNN

Ruth Westheimer, sex therapist known as ‘Dr. Ruth,’ dead at 96

Dr. Ruth Westheimer, the iconic sex therapist whose cheerful and disarming advice helped educate millions of Americans about sexual desires and practices, has died, her publicist Pierre Lehu told CNN on Saturday. She was 96.

15 hours ago

Sponsored Articles

young male technician is repairing a printer at office...

Les Olson

Unraveling the dilemma between leasing and buying office technology

Carefully weigh these pros and cons to make an informed decision that best suits your business growth and day-to-day operation. 

A kitchen in a modern farmhouse....

Lighting Design

A room-by-room lighting guide for your home

Bookmark this room-by-room lighting guide whenever you decide to upgrade your lighting or style a new home.

Photo courtesy of Artists of Ballet West...

Ballet West

The rising demand for ballet tickets: why they’re harder to get

Ballet West’s box office is experiencing demand they’ve never seen before, leaving many interested patrons unable to secure tickets they want.

Electrician repairing ceiling fan with lamps indoors...

Lighting Design

Stay cool this summer with ceiling fans

When used correctly, ceiling fans help circulate cool and warm air. They can also help you save on utilities.

Side view at diverse group of children sitting in row at school classroom and using laptops...

PC Laptops

5 internet safety tips for kids

Read these tips about internet safety for kids so that your children can use this tool for learning and discovery in positive ways.

Women hold card for scanning key card to access Photocopier Security system concept...

Les Olson

Why printer security should be top of mind for your business

Connected printers have vulnerable endpoints that are an easy target for cyber thieves. Protect your business with these tips.

That security camera and smart doorbell you’re using may have some major security flaws