
Alexa shows private Wyze Cam feed to stranger [video] - pravda
https://www.youtube.com/watch?v=HQGX4iMGlUI
======
wmeredith
Wyze was all over this from the get-go. It has already been patched (took
about 48 hours):
https://reddit.com/r/wyzecam/comments/bvis0f/psa_asking_alexa_to_show_your_wyze_camera_might/

~~~
Reelin
> What happened — The incorrect camera being shown was once owned by the same
> customer. After the customer deleted this camera, there was a bug where we
> did not completely clean up the user-device association for Alexa viewing.
> This resulted in the customer being able to view the camera from their Alexa
> device even though he does not own this camera anymore. Because the bug is
> related to device deletion from Alexa’s system, this bug ONLY impacts
> cameras that were Alexa enabled and then transferred to another account.

~~~
davidhyde
What a PR disaster. It only takes one incident like this to tank a product.
Testing is so important for IOT stuff but it usually gets shipped out way
before it’s ready.

~~~
mcbutterbunz
I would bet that reselling a camera was treated as a corner case and the
ticket was probably sitting on the backlog somewhere.

~~~
reaperducer
Or just dismissed outright. It's very common to see FAANG employees on HN
labeling user concerns "edge cases" and blowing them off.

~~~
justinjlynn
This angers me... edge cases are where people get cut... and badly! If
anything, they should have more attention paid to them than less. Incentive
structures inside these orgs are poorly designed to account for this, however.
Trouble is, I don't know a good way to modify them to do so without
introducing even worse perverse incentives.

~~~
chairmanwow
This is definitely a corner case and the amount of such corner cases balloon
into numbers difficult to boggle quickly.

I agree this is an egregious miss, but absolutely understandable from an
engineer's perspective.

I’m sure no one is happy with this outcome.

~~~
justinjlynn
Upper/executive management certainly were happy... of course, until it bit the
company in the ass. Engineering time not spent handling what would happen when
a customer becomes not a customer is development/engineering time spent making
features for sales to tout instead of making sure the product was safe for
people they no longer thought they had a reason to care about. Reputational
risk is really poorly handled because it's such a nebulous problem - and now,
hopefully they'll see a massive drop in new customer acquisition and existing
customer usage or they'll have absolutely no reason to care at all.

------
tarr11
Watching this video turned on my Alexa when he started talking to Alexa.

Feels like a kind of SQL Injection ("voice injection attack"?) .

~~~
ekimekim
It's more like having an unauthenticated API open to the network, where in
this case the network is sound waves in your local space. The idea that anyone
is using voice for privileged operations ("buy X", change my calendar, etc) is
horrifying to me.

~~~
pavel_lishin
I'm always startled to find out that people with very young kids have these in
their house. Presumably there's some way of preventing a 3 year old from
running up a $50k bill?

~~~
javagram
Alexa purchasing can be configured with a voice PIN.

I believe purchasing by voice does have to be enabled initially through the
app as well.
https://www.amazon.com/gp/help/customer/display.html?nodeId=201952610

Edit: I looked in my Alexa app and there is also a voice recognition option,
so you can use it to only allow purchasing via recognized voice patterns and
require a PIN for anything else.

------
jaboutboul
As someone who has worked with Chinese made IoT devices, I have seen this
problem many times. The issue is a bad architectural design of the system
where a camera is “bound” to a user account and even if the user returns that
camera it’s still bound to their account, and adding it to another account
afterwards doesn’t disassociate it from the other user. It’s just stupid
things like this that are not well thought out that pop up in the multitude of
cheaply made Chinese IoT problems that have flooded the market.

Believe it or not, this is the smallest security flaw in some of these
systems/devices...

~~~
ablanco
Which ones do you recommend using?

~~~
chime
Not sure what I would recommend for non-technical people but if you are a bit
tech savvy, rolling your own is very robust nowadays. Buy cameras that don't
need to be set up using an app (I prefer DHCP/Ethernet with web console), block
them from going out at the firewall level, stop all services like mDNS/UPnP on
the cams, install Blue Iris or BlueCherry DVR on a $500 laptop with 8TB USB
drive, install the iOS/Android apps on your phone, open the right firewall
ports, and now you can remotely monitor and watch your house from anywhere,
safely.

I have 30 days of footage for 16 cameras recording to a 4TB HDD. The entire
setup cost me around $3k over 7 years (cameras were more expensive in 2013).

There is absolutely no way I will ever trust a camera that needs me to enter my
home wifi password using an app, which then sends the plaintext password to a
.cn domain to generate a QR code that the camera scans to configure itself
(looking at you MECO Wifi IP cams). Way too many people around the world are
falling for these cheap cams.

~~~
shostack
Since most people lack your technical know-how or patience or budget to
implement such a setup, do you have recommendations for alternative consumer
solutions on the market that do it right?

------
tlrobinson
Are there any camera systems that are internet-enabled (for remote viewing +
storage) but use end-to-end encryption for video feeds?

It doesn't seem like too much trouble to have to pair the cameras to your
mobile devices on the local network.

If I were an IoT camera company I wouldn't _want_ to have the responsibility
of securing video footage of inside people's homes.

~~~
alias_neo
Unfortunately these cameras and other such devices are far too underpowered to
do even the tasks they're given a lot of the time, let alone encrypt media.

They should be connected to a hub machine with more power to do the encryption
and uploading there.

------
dmje
Why you'd want to fill your house with [internet connected] webcams is beyond
me, let alone cams in your kids' rooms. People are weird.

~~~
Krasnol
This is the first question that comes into my mind.

However I had to scroll down pretty far to find it here. It doesn't look
better over at reddit.

No wonder nobody cares about the public space surveillance overload anymore.
How could you, if your house is being monitored audio and visually by some
company?

This is really frightening.

~~~
TeMPOraL
> _However I had to scroll down pretty far to find it here. It doesn't look
> better over at reddit._

Almost everyone who notices how ridiculously idiotic current IoT is has
already spoken about it dozens of times here, on Reddit, or elsewhere. At some
point people simply get tired of making the same point over and over and over
again.

------
kaijia
Why is there no end-to-end encryption for such IoT devices? Does it mean the
central service managing all devices has access to all the video streams?

~~~
tedd4u
Apparently -- it's the Panopticon :(

------
social_quotient
I understand it being an edge case in testing but I think there is a design
issue here with “forever authorization”. Once the device is paired with Alexa
I don’t see why Alexa would not still need to get authorization each time it
accesses the device? It would seem like once the device went to another
account Alexa would attempt authorization and then fail.

Authorization is the problem with a lot of security problems today. I don’t
think it should be a corner case, it should be in the initial design of most
things (internet of). Calls to banks, use of CC, and now IoT.

I read the resolution from Wyze and while I’m happy they patched device
associations I was looking for the term “authorization” and didn’t find it. I
wish this term had more weight and meaning in the practical use cases we see
as consumers. And I wish it was in the initial meetings for us tech devs.
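
The two failure points discussed in this thread (a user-device association that survives camera deletion, and a pairing-time grant that is never rechecked), shown as an added example that is not part of the thread and is not Wyze or Alexa code. The class, method, account and camera names are hypothetical.

```python
# Constructed toy model; every name here is hypothetical, not Wyze or Alexa code.
class NotAuthorized(Exception):
    pass

class CameraCloud:
    def __init__(self):
        self.owner = {}            # camera_id -> account that currently owns it
        self.voice_links = set()   # (account, camera_id) grants held by the voice skill

    def add_camera(self, account, camera_id):
        self.owner[camera_id] = account

    def enable_voice(self, account, camera_id):
        if self.owner.get(camera_id) != account:
            raise NotAuthorized("only the current owner can link a camera")
        self.voice_links.add((account, camera_id))

    def delete_camera(self, account, camera_id, clean_links):
        if self.owner.get(camera_id) != account:
            raise NotAuthorized("only the current owner can delete a camera")
        del self.owner[camera_id]
        if clean_links:  # the fix; the bug pattern in the thread skips this step
            self.voice_links = {link for link in self.voice_links if link[1] != camera_id}

    def stream(self, account, camera_id, recheck_owner):
        if (account, camera_id) not in self.voice_links:
            raise NotAuthorized("no voice link")
        # Without the recheck, the grant made at pairing time is trusted forever.
        if recheck_owner and self.owner.get(camera_id) != account:
            self.voice_links.discard((account, camera_id))  # drop the stale grant
            raise NotAuthorized("link is stale: caller no longer owns the camera")
        return f"stream:{camera_id}"

def resale_scenario(clean_links, recheck_owner):
    """Seller links cam-1, deletes it, buyer registers it; seller then asks for the feed."""
    cloud = CameraCloud()
    cloud.add_camera("seller", "cam-1")
    cloud.enable_voice("seller", "cam-1")
    cloud.delete_camera("seller", "cam-1", clean_links)
    cloud.add_camera("buyer", "cam-1")
    cloud.enable_voice("buyer", "cam-1")
    try:
        cloud.stream("seller", "cam-1", recheck_owner)
        seller = "seller sees buyer's camera"
    except NotAuthorized:
        seller = "seller denied"
    return seller, cloud.stream("buyer", "cam-1", recheck_owner)

if __name__ == "__main__":
    for clean in (False, True):
        for recheck in (False, True):
            print(clean, recheck, resale_scenario(clean, recheck))
```

Either control alone closes the hole in this model; the per-request ownership check is the one that still holds when some other code path forgets the cleanup.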

------
devoply
I wonder how trivial now it would be for some secret gov org to get a live
feed of so many areas if they were so inclined.

~~~
heyoni
They weren’t hacked so much as badly transferred ownership. Basically someone
(Alexa or Wyze) didn’t invalidate security tokens after the device was sold
and changed hands.

~~~
kingo55
Surely was not the first time a camera was sold second hand.

------
rodmena
Horrifying.

------
CrowFly
WARNING: If you watch the video your Alexa devices will respond!

