Wyze Cameras Suffer from Security Flaw that Can Give Hackers Remote Access, Class Action Claims
Hepworth v. Wyze Labs, Inc.
Filed: June 1, 2022 § 2:22-cv-00752
Wyze Labs faces a proposed class action over an alleged defect plaguing the company’s Cam V1, Cam V2 and Cam V3 products.
Washington
The 25-page lawsuit says the flaw can allow an unauthorized individual to gain unauthenticated, remote access to the videos and images stored on the Wyze cameras’ memory cards. Per the suit, the defect can also allow access to all data on the memory cards, including the AES encryption key, which can potentially give a hacker access to a camera’s live feed.
The lawsuit alleges Wyze has concealed its knowledge of the defect by “knowingly omitting” information about the problem from advertising and marketing materials. Wyze’s sale of the apparently vulnerable devices amounts to a deceptive trade practice, the case alleges.
“This is not the first time Wyze has suffered a major security breach to its products and/or systems, and it likely will not be the last,” the complaint says, noting that Wyze suffered a massive data breach impacting 2.4 million users in 2019.
According to the filing, cybersecurity publication Bitdefender in 2019 reported several vulnerabilities in the Wyze camera firmware that could enable outside hackers to access the cameras’ feeds or execute malicious code that would otherwise compromise their security and consumers’ safety. Per the lawsuit, the flaw at issue in the case remained unfixed for almost three years.
Specifically, the bug can be exploited when a user inserts an SD card into a Wyze cam IoT device, the suit states. When a card is inserted, an “internet vulnerability” can allow a remote user to access the contents of the SD card via web browser without requiring authentication, the lawsuit relays. Those contents include all of a device’s log files, which in turn contain the camera’s unique ID number and AES encryption key.
The disclosure of a Wyze camera’s unique ID number and AES encryption key can allow for “unobstructed remote connections” to the product, the case says.
The SD card vulnerability reported in 2019 by Bitdefender was allegedly not fixed until January 29, 2022, when Wyze issued a firmware update that the lawsuit contends may not have fixed the problem for all consumers.
“On top of being woefully late, the security patch only repaired vulnerable devices Products [sic] after users opted to download the new software, meaning that some devices may still be running vulnerable firmware,” the case posits. “This is especially true given the nature of a ‘plug-and-forget’ internet connected camera, which users leave on continuously to monitor their property, without taking the device down for security updates.”
Worse still, the suit says, security updates have been made available only for the Cam V2 and V3, meaning the V1 device “will remain vulnerable to the security flaw forever.”
The lawsuit looks to cover all consumers who bought a Wyze Cam V1, V2 or V3 in the United States after March 2019.