Wyze Camera Vulnerability

Wyze ignored a vulnerability in its home security cameras for three years. Bitdefender, who discovered the vulnerability, let the company get away with it.

In case you’re wondering, no, that is not normal in the security community. While experts tell me that the concept of a “responsible disclosure timeline” is a little outdated and heavily depends on the situation, we’re generally measuring in days, not years. “The majority of researchers have policies where if they make a good faith effort to reach a vendor and don’t get a response, that they publicly disclose in 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me.

Posted on April 4, 2022 at 6:13 AM
34 Comments

Comments

Ted April 4, 2022 7:21 AM

Wyze’s decision to protect its own product instead of customers will have consequences. Customers should have the right to decide if they can tolerate a vulnerability. Degrading trust is a shaky strategy.

Bitdefender? It was a notably inexpensive camera, not a CPU.

Phew. I’m glad this is not normal.

Hedo April 4, 2022 8:12 AM

I think name change is in order. Perhaps, UnWyze, or Dymb, or Stypid, to throw out a few, for starters. I’m sure there are plenty more, much better ones, keep ’em coming please.

Jeremy James April 4, 2022 9:29 AM

I understand that a specific timeline for responsible disclosure can depend on the situation, but how, exactly, is the concept of responsible disclosure timeline dated?

Clive Robinson April 4, 2022 10:43 AM

@ ALL,

Is Wyze any different from some 2-man design team knocking out IoT device designs as fast as possible for some NoName Chinese manufacturer to knock out onto the market?

Well they have nice advertising…

The reality is this is a low end consumer device and the old adage of

“Why should we care at that price?”

Comes into place.

One of the things I tell people about “home electronics” with a WiFi antenna or RJ45 network connector is put in writing a “formal condition of purchase” that the device must “work fully” without being connected to the Internet. That way they will either not sell it to you or you will have a reasonable chance of getting your money back[1] should it not function.

If they ask why, it’s to go in your caravan / boat / log cabin / yurt / etc that has no accessible Internet service.

These days the chances are when you open the box there will be a bit of paper in there telling you how to connect it to your home network.

My advice: do not. If you do not know how to build a virtual network securely –and who does these days– then use an entirely separate physical network.

The thing is those cameras might only have been twenty bucks, but often the reality is such stuff is sold at or below delivery price and the company needs you to plug it into the Internet so they can pull all of your PPI they can get their hands on back to China[2]. Apparently lightbulbs and autonomous vacuum cleaners do this already.

Remember (ID)IoT is not just a lame joke when you buy modern consumer electronics[4].

[1] You very very rarely see cheques for payment in the UK any longer. Which is a shame, because I used to type such conditions on the back of the cheque. That way they could not argue their terms superseded my terms, or that they had not been aware of my terms.

[2] They do this for several primary reasons:

1, To sell the data collected (they hope).
2, To have the device as simple as possible so they can move you onto a subscription service (they hope)[3].
3, To have the device as simple as possible, such that the chance it will need “functional patching” is minimal (as for security… It’s on the Internet what do you expect?).

But in the US for instance you have some interesting legislation. The company is liable for any loss of data, UNLESS they’ve disclosed it to the US Gov already…

No doubt China may have similar “give us the data for free” legislation, one way or another.

But some US companies, Amazon being the prime example, already sell your camera data to local law enforcement, and you do not get a dime out of it. They are also turning many of their products to track their “location tags” so they can compete with Apple’s tags&phones tracking system.

So if the device connects in any way to external infrastructure[4], the chances are it’s spewing your PPI everywhere, whether you want it to or not.

[3] I’m hearing a story I’ve yet to confirm all the details on, that a well known European Manufacturer of high end cars, has put the functioning of the car AirCon on a subscription model…

[4] Whatever you do, do not forget the power wiring in your home is, since the advent of “Smart Meters”, yet another form of “communications network”, and I’m not talking “X10 Home Automation” control. Politicians pushed by utility companies want your data. The excuse is “carbon footprint”; the reality is “profit any which way they can”, so not only can they read your electricity usage 600 times a second to work out what movie you are watching, they can also turn your air-con/heating etc on or off, up or down, as well as the electric cooker and fridge freezer and washing machine. But it gets worse… in the UK home fuel bills are going to go up 100-300% this year depending on how they can squeeze you. With non smart meters you can, if you have spare money in the bank, pay for your future energy now, so buy maybe £2000 now as opposed to paying £4000 or £6000 over the next year or so. Thus getting the equivalent of a tax free savings rate that no bank on earth will give you. If however you have a Smart meter, even if you pay now you will still end up paying £4000 and probably more. Because they will probably “flip the switch” on you in the smart meter from “power factor corrected” to “Peak VI calculated power”, which with modern home electronics can make it look like you are using twice or more times the number of units of electricity you really are, and that’s just the least of the nastiness they can do (as some people with solar energy are finding out).

Ted April 4, 2022 12:49 PM

@Jeremy James

…but how, exactly, is the concept of responsible disclosure timeline dated?

Good question. To give some context, this is from the article:

“Even the US government has a 45-day default disclosure deadline to prevent vendors from burying bug reports and never fixing them,” writes Katie Moussouris, founder and CEO of Luta Security and co-author of the international ISO standards for vulnerability disclosure and vulnerability handling processes.

Norio April 4, 2022 1:06 PM

@hedo, excellent observation! I will suggest a few others, despite the fact I think you got the best one out of the gate “UnWyze”.
Dym, Wytless, Imbecylic, Thyck, Unintellygent, Semyconscious, Cretynous, and Asynine.

Frank Wilhoit April 4, 2022 4:08 PM

@Clive, re your footnote 4, in the US, meter metrology programs (for such they are called) are strictly regulated by the State-level Public Utilities Commissions. I have not seen consumer programs in which time-of-use tiers were allowed to use different metrology. Historically, electric utilities have always had to swallow the incremental cost of inductive or capacitive loads, except where they are written into the individually-negotiated (and unregulated) contract terms for Large Commercial and Industrial customers. The inverters that support reverse metering include power-factor correction — and you cannot install just any inverter, you have to pick from a list of models that have been blessed by the utilities’ engineers; but you can install pretty much any car charger. The utilities are much more worried about the inverters than the chargers, because a bad inverter could refuse to synchronize and cause “property damage” (the universal euphemism for “fire”) on a feeder-wide scale.

Wattson April 4, 2022 6:42 PM

@Clive

Regarding the smart meters. I’ve also started to be quite suspicious about smart meters in the sense I’ve seen my electrical bills going way up after being forced to have one, even when my consumption habits remain the same while also taking into account energy and money inflation costs. I’ve been sensing this for quite some time. So my question is how a consumer can have a second probe to assert such doubts, in the most passive way? I guess the way to go is to measure electricity consumption between the smart-meter and your electrical service panel. A low cost DIY probe would be a great project to work on and “free” people from such abuses. Do you have any directions on how to go to develop such tools without getting fried as a chicken for people with low AC electronic knowledge?

kelly b April 4, 2022 6:44 PM

@Ted,

Wyze’s decision to protect its own product instead of customers will have consequences.

I hope so, but is that a realistic view? What consequences have companies actually faced because of stuff like this? There have been companies that released products with egregious flaws but are still in business.

@Jeremy,

I understand that a specific timeline for responsible disclosure can depend on the situation, but how, exactly, is the concept of responsible disclosure timeline dated?

I don’t know what the quoted person is getting at, but I have several problems with the concept. One is the term itself, which paints the discloser as irresponsible if they don’t give the vendor “enough time”; except, the vendor was already irresponsible by releasing vulnerable software, and they had all the time in the world to do proper security analysis before releasing it. In my view, researchers don’t owe these vendors anything. (And while I have some sympathy for victims of insecure proprietary software, we’ve been warned about those risks for decades and I’m not going to say researchers owe them anything either.)

Another problem is the idea that one is keeping people safe by withholding vulnerability details. It’s unclear to what extent that’s true. “Zero-day exploits” are seen frequently, and who’s to say the “major” attackers are not getting notice in advance of the public? Perhaps by companies sharing data with them (I’d expect it from companies headquartered in authoritarian countries—and given what happened with Lavabit and Joseph Nacchio and the operators of international fiber connections, I have to put the USA in this category), if the attackers are not just intercepting all vendor emails as a matter of course.

Were I an attacker, I’d consider “security@” email addresses as some of my most important targets, and would certainly want to promulgate and support any ideology that would justify delays in disclosure…

SpaceLifeForm April 4, 2022 8:58 PM

@ Wattson

Does the meter have some kind of human observable indicator of its counting?

Ex: spinning platter, led counter?

If so, turn off all circuit breakers, and see if it is still counting. If so, it is a bad meter and the power company should replace it.

That is likely the case.

JonKnowsNothing April 4, 2022 9:52 PM

@ Frank Wilhoit , @Clive

re: California Public Utilities Commission’s new consumer time-of-use tiers

There are new rates in California that are consumer Time of Use hikes. The rate kick starts in the afternoon when people return from work and children are home from school. This rate kick ends in late evening at the time people go to bed.

So the highest consumer usage part of the day is what is getting rate kicked. The difference between the 2 options is a 1 hour offset for the starting period.

  • Peak Pricing 4-9 p.m. Every Day
  • Peak Pricing 5 to 8 p.m. on weekdays during the summer months.

Per PG&E rate plan brochures

  • Plan 4-9 Summer peak 49 cents/kWh
  • Plan 4-9 Winter peak 39 cents/kWh
  • Plan 5-8 Summer peak 47 cents/kWh
  • Plan 5-8 Winter peak 38 cents/kWh

This of course, has nothing to do with the types of smart meters used and their (un) reliability, or accuracy of readings.

These numbers are for Peak Usage, off-peak isn’t free. All those Tesla folks are going to get a bigger PG&E bill but .. if you are driving a Tesla you probably wouldn’t notice a 100%-1,000% increase in recharging fees.

IF the recharging fees do get noticed, there will be another go-round of (mandatory) solar panel installations in California. There’s nothing inherently bad about solar panels, it’s the Co-Generation backwash to PG&E that people bank on and count on when they borrow the funds for the installation.

Not every home owner is able to run their personal power grid. Preppers do, and folks with Bug Out Locations and Off-Gridders along with RVers and Campers (only the type that don’t get their A$$ kicked by the cops) know how.

In the Dust Bowl of California, the average solar panel home owner doesn’t even know to wash the dirt off the panel array. That, plus they will be penalized for using water for a non-essential purpose.

The New Archeologist: Finding Lost Solar Panel Arrays buried under the wind blown sands swept in from former raisin vineyards.

Tony H. April 4, 2022 11:54 PM

The smart meters used in the US and Canada seem to have at least some standardization across manufacturers. There is a forward-facing IR LED that indicates the consumption rate, and which evidently does not have any knowledge of the rate plans or charges, so would need a whole lower level of intentional inaccuracy to be deceptive. There’s a good writeup from 2014 with some comments as recent as 2021 on the Blueline/Black+Decker power monitor that can read either this LED or the rotating disk in older meters. https://scruss.com/blog/2013/12/03/blueline-black-decker-power-monitor-rf-packets (Most of it is about the RF-end of this particular monitor, but there’s passing talk about what the meter is sending to the LED.)

/dev/null April 5, 2022 1:41 AM

All camera vendors seem a little shady to me.

I don’t know why anyone would run the stock firmware anyway. Signing up for an account so the camera can talk back to the mothership over the Internet? No way. Use the open-source firmware and it’s fine.

Clive Robinson April 5, 2022 2:27 AM

@ Wattson,

A low cost DIY probe would be a great project to work on and “free” people from such abuses.

Whilst I do know how to build a probe that would do the job, it won’t “free” people from such abuses.

The reason is any record it made would not be accepted by a court, and the power companies know this, so will force it into court.

The reason a court will not accept it is not just that it lacks “calibration” but most importantly it will lack “calibration to National Standards”. Almost the first thing their legal representative will ask for is calibration certificates from accredited test houses that in turn trace back to a National Standard.

A DIY project is unlikely to do so, so will fail at that point.

When it comes to this sort of game the odds are stacked so high against you that if you could afford to fight, then the price of the energy you use domestically would be of no interest to you.

Life is not fair but it’s the way it is, if you want to change it then you will have a very expensive legal battle on your hands. In fact fighting a real war might be less expensive.

Have a look at the price gouging that went on in Texas and the response of the politicians all bought and paid for by the energy companies.

To win you would first have to get rid of the lot of them, and that would not be easy. Because as sleazy as they are they are not sleazy enough for people to fight a civil war over, and those sleaze-balls know it.

With regards,

Do you have any directions on how to go to develop such tools without getting fried as a chicken for people with low AC electronic knowledge?

Actually the circuit required is very simple, it’s the software that is hard.

For the analog instrument head you need two things,

1, A current transformer.
2, A voltage tap.

If you only wanted to calculate peak VI power then the rest of the circuit would be precision AC to DC conversion into peak hold circuits, followed by a sufficient range A to D conversion and some fairly simple software.

The current transformer can be of the “clamp on” variety which is fairly safe and easy to fit as it requires no direct electrical connection, just a magnetic field pick-up of a “single turn primary” through a ferrite ring. The voltage tap however requires a direct electrical connection and whilst simple to do carries a significant “Kentucky Smoke Pit barbecue” risk for anything organic[1]… Remember the old saying,

“It’s the volts that jolt, but the mills that kill”

As little as 9 volts directly across your heart can both stop it and almost as easily start it[2], as can “tickling it with a bodkin”.

In the EU there is the CE system where goods “placed on the market” have to be “certified” in oh so many ways. For all electrical items they have to pass the LVD requirements and they can be quite exacting, as I’ve mentioned before, having had to go through the process many times.

China’s system is very similar to the CE standards as are many others in the world (the UK is a world leader at exporting standards). The US system is different and not much liked by the rest of the world for fairly good reasons, perhaps the most important being the rigidity of the legislation and regulatory process, which gives up to a twenty year handicap…

But… There is no way you would want to pay peak VI Power pricing… You want to pay power factor corrected RMS pricing.

And that’s where your software problems start, because AC is by definition not “steady state”, so time is a factor. You are also dealing with two nearly independent quantities that can vary in phase…

Thus you have to start by taking a very large number of voltage and current readings (upwards of 4f, so 4 x 60 Hz gives 240/sec minimum, usually around 600). Then do some DSP work to find both amplitude and phase difference, do the phase correction, then RMS conversion to get to what you might consider “real power” readings.

So you might ask what Peak VI is all about… You need to know peak V to ensure you are not damaging insulation, and peak I to ensure your conductors are not turning into fuses. Whilst a one off calculation is usually fine for static conductors like power lines, it’s an altogether different story for generators and motors where not only do conductors move, they have considerable inductance that can change when they move. Inductors and capacitors “store energy”; they don’t –in theory– dissipate energy like resistance does. But the process of storing energy has an opposition to the flow of charge, thus inductors and capacitors appear to have a dynamic ever changing resistance we call “impedance”. The peak VI relates to the voltage across a fully charged capacitor and the current when fully discharged. Unfortunately inductors can appear to be “magic” because not only do they store energy, they also act as bidirectional transducers, so you can put a voltage via a resistor onto an inductor from a battery. The voltage across the inductor is related to the current that flows through it and the resistor. However, open the circuit via a switch and current no longer flows; the collapsing magnetic field causes what is called a “Back Electro Motive Force” (Back EMF). As the effective resistance of such an open circuit is the break down voltage of either the air across the switch contacts or the insulation on the inductor windings, you are going to get an incredibly high voltage and arcs forming low impedance plasma paths, which is not what you want as it’s at several thousand degrees and thus causes burning to occur.

Don’t worry if the above causes a little cognitive dissonance. I’ve found by experience in teaching the subject to both trainee technicians and graduate students, it can take 6-12 weeks of three hours of teaching a week plus a couple of hours of home study for them to get their heads around it sufficiently to be able to pass a quite basic exam…

In part because of the mathematics involved, that needs a student to grasp the concepts of Newton’s infinitesimals, integration, oh and the dread “e to the…” that gives time constants and all sorts of other things… I find it best to start by reviewing “percentages” and “compound interest” that hopefully they have already learnt at school… but have probably forgotten within a couple of days of passing the exam 😉

[1] Your body can withstand 250V DC safely provided the current is kept below 30mA… This is what is used for neurological pathway testing for diseases that cause neuropathy –nerve death– and the like, and having been “tested” that way, I can tell you it is not in the slightest bit pleasant.

[2] However due to the body’s natural resistance to the passage of electricity you actually have to dump a lot of energy in, and that can make you jump, or more correctly spasm enough to both break bones and rip the tendons from them.

Volta April 5, 2022 3:36 AM

@Clive

Don’t worry if the above causes a little cognitive dissonance. I’ve found by experience in teaching the subject to both trainee technicians and graduate students, it can take 6-12 weeks of three hours of teaching a week plus a couple of hours of home study for them to get their heads around it sufficiently to be able to pass a quite basic exam…

As usual you are suggesting that all people except you of course are dummies.

In fact all of this that actually matters to a power meter is just rather basic stuff. Domestic ‘rotating disk’ power meters didn’t care about peak V or I, there is no reason why an ‘intelligent’ one should if a power reading is all you want.

Get both the V and I waveforms, isolated, with a bandwidth of a few kHz, and scaled to a convenient level for A/D conversion [1]. Multiply the V and I sample streams. The average value of that product is power, accumulate to find energy.

There is no need to compute amplitudes and phase difference, although it may be interesting to do so.

[1] When doing this on a PC or RPi, you can use a simple stereo sound card with only line level inputs and no gain controls as the A/D converter. Can be had for $20. The analog stuff required to obtain the V and I signals in a safe way will probably be more expensive.

John April 5, 2022 6:18 AM

@Clive and all,

I have a prototype running of a power monitor to tell:

  1. Display and log Real-time power usage
  2. Format and compare with utility bills

While there are a few technical problems, this is easy to use, proven accurate and easy to test technology. And not unusually dangerous!

Most useful would be the ability to also log the RF stream emitted from the various meter associated sensors. Gas, electricity, even web data ‘usage’.

Along with local temp, humidity, air pressure data.

Along with independently measured gas, electricity and other usage.

Gas usage for example can be logged by monitoring the typically electric gas flow control valve.

I suspect my own gas usage is ‘estimated’ rather than measured!!!

Kinda tempting for a utility to be able to decide how big a bill to send.

John

Clive Robinson April 5, 2022 7:39 AM

@ Volta,

As usual you are suggesting that all people except you of course are dummies.

No, I’m simply suggesting that they will, based on teaching experience, find the subject sufficiently new that they will not already have a frame of reference.

But I go on and I see,

Domestic ‘rotating disk’ power meters didn’t care about peak V or I, there is no reason why an ‘intelligent’ one should if a power reading is all you want.

And I immediately recognise the symptoms…

Which just gets confirmed by,

Multiply the V and I sample streams. The average value of that product is power, accumulate to find energy.

You are not cognizant of the required details. Power Factor is the ratio of True Power (kW) to Apparent Power (kVA).

That is one is bigger than the other when measured, even though the usefull load to you is the same.

Reactive Power (kVAr) is something you don’t want as it ups the peak current, thus has a cost penalty. You can have a high kVAr but next to no actual useful “True” power (kW).

To see why, draw a right angle triangle: True power kW is the adjacent, Reactive power kVAr is the opposite, and Apparent power kVA is the hypotenuse, which is what they want you to pay for. If you have a knowledge of trig you will realise that at some angles True/useful power kW is small and kVAr is many times greater. Thus the kVA they want from you is way greater.

If kW = 1, kVAr = 10 then what you pay is 10.05 not 1…

Which do you wish to pay for?

Most would want to pay the smaller figure that they are actually using to do work. Whilst the power company wants you to pay the larger figure as that puts more money in their shareholders pockets and the executive bonuses.

Modern Smart Meters can measure power in all sorts of ways and you can bet they will switch the meter to what ever brings in the most money for them. The method you describe will net them more as I indicated…

But hey it’s your money, your choice.

Just remember the old sayings about money… Because those energy companies rely on people not knowing they are being stiffed.

Ted April 5, 2022 8:47 AM

@kelly b

What consequences have companies actually faced because of stuff like this?

Well, here a senior news editor is sharing his indignation about the company. The article could live a long time. He also claims he will be tossing out his Wyze camera and earbuds.

Other companies have faced congressional hearings for vulnerabilities-gone-bad.

But of course, the story here is about the really, really long vuln disclosure time – 3 years. Interestingly, the company received a $20 million investment 3 years ago.

Volta April 5, 2022 9:19 AM

@Clive

You are not cognizant of the required details.

Be assured that I am.

Domestic ‘rotating disk’ power meters ignore reactive power, just look up and try to understand how they work. ‘Intelligent’ ones may measure both real and reactive, but a domestic user will normally pay only for the real power used. Where I live this is actually regulated by law.

For industrial users their reactive power or power factor will be monitored, and they will pay extra if it goes beyond reasonable limits.

The average of the product of instantaneous current and voltage, which is what I described, is real power. Any current 90 degrees out of phase with voltage will not contribute to it.

Wattson April 5, 2022 10:14 AM

@SpaceLifeForm

The only indication I have on my smart meter is digital so prone to being tampered/manipulated. I miss those mechanical spinning plates without any kind of remote connection (RF or through the electrical grid)

@Clive, @All

Thanks for sharing the knowledge on the matter.

Clive Robinson April 5, 2022 10:17 AM

@ Volta,

Be assured that I am.

You are not.

But this time all you’ve done is agree with what I’ve previously said…

Go back and read what you’ve said before and think… Then with a little luck you will spot where you are wrong and not make the same mistakes again in real life that could be costly.

As for “Where I live this is actually regulated by law.” that is the case in many places, but it does not change the fact that unless you can show the readings from the Smart Meter are egregiously wrong[1] a court will not give you the time of day without proof.

The definition of proof as I’ve already indicated requires traceability to national standards independently certified, and no DIY project will do that.

Why you are apparently not cognizant of that when it was written by me on this page before you responded to it, maybe you chose to ignore it for some other reason? Either way it is kind of odd to put it politely. As is you have changed your handle from posts you have made to this blog before…

[1] in the UK an egregious supplier Scottish Power has been fined ~$20,000,000 by a very industry friendly regulator for the way it treats customers, but it still continues to do so,

https://www.bbc.co.uk/news/uk-scotland-59690022

Which should tell you something about the illegal profit they are making in comparison to the fines. This gives more info on the scale that they mislead and how cosy the regulator is with them,

http://www.scottishenergynews.com/scottish-power-giant-pays-1m-compensation-after-mis-reading-thousands-of-electricity-meters/

But they have quite a history with fiddling the meters and customers as do most other energy suppliers in the UK despite the law.

https://community.scottishpower.co.uk/t5/My-Energy/Smart-Meter-Reading-Ridiculously-High/td-p/9628

How ridiculously high, how about ~$50,000 in one day?

https://www.bbc.co.uk/news/uk-39169313

And that was by no means the first time such “system errors” have occurred with Scottish Power. There is an official report from Prof Leferink saying that Smart Meters misread in favour of the power companies and we’ve known that without doubt since 2009; in effect he was soundly condemning them as much as the rules allowed him to do. The thing is, as a High Court Judge pointed out to British Gas, those computer / system errors are as a result of the activities of humans, therefore “The computer says” is not a get out of jail free card for the energy suppliers, and then found them guilty…

lurker April 5, 2022 1:11 PM

@Clive, re Scottish meter readings

It appears that it was a software problem giving spurious readings on the LED display and the app. The real consumption measured by the meter was allegedly accurate, but, what went wrong? How did SSE know the “real” numbers? Will we ever know, commercial sensitivity …

MarkH April 5, 2022 3:18 PM

@Volta, Clive:

Volta has the mathematics correct: to find out the amount of energy transferred, it is sufficient at each sample time to measure the voltage and current, compute their product, and sum these products.

An energy meter for consumption from a modern electric utility does not need to determine phase, power factor, peak magnitudes, etc.

Provisos:

• remember that all of the quantities are signed (positive / negative)

• take care to prevent arithmetic overflow

• measure and correct any phase shifts in the voltage and current measuring circuits

• small offset errors can integrate into large energy measurement errors

• when loads are reactive, the energy summation must be performed over a whole number of cycles to avoid truncation error

kelly b April 5, 2022 3:32 PM

@Ted,

Well, here a senior news editor is sharing his indignation about the company. The article could live a long time.

I don’t count talk, including Congressional hearings, as notable consequences. If this talk causes a notable drop in sales, or a new law, that’s different, but so far it seems to be just “tech nerds” who even know about most of this.

He also claims he will be tossing out his Wyze camera and earbuds.

A decent idea, but it does nothing to hurt the company. They already have his money.

The researchers who shorted medical company stocks before announcing a flaw were an interesting case. Technically, stock price is only meaningful to a company when they’re issuing shares; but in practice, they treat it as much more important, so maybe that type of thing will have a useful effect if it becomes common. That “$20 million investment” you mentioned might have been a lot more difficult to get had the flaw been public. Actually, if the company knew about it and failed to disclose it to those investors, the investors might have a decent case for securities fraud.

MarkH April 5, 2022 3:33 PM

Notes:

1) Modern electric utilities usually have highly accurate mean frequency, often slaved to some master timer. This makes switching operations for grid management much easier, and keeps synchronous motor electric clocks accurate (they used to be a thing!)

2) If the sample frequency is a multiple of 100, it’s convenient to compute the summations at 100 msec intervals, giving a whole number of cycles for 50, 60 or 400 Hz systems.

3) Phase will wobble with load variations, introducing small truncation errors into energy sums (e.g., the energy for a particular 0.1 second interval), but …

4) Truncation error deltas “average out” so slightly low energy sums will be balanced by slightly high energy sums soon after; with integration (summation) the total error converges to zero.

Ted April 5, 2022 4:59 PM

@kelly b

Actually, if the company knew about it and failed to disclose it to those investors, the investors might have a decent case for securities fraud.

Hmm. That’s an interesting thought. They did report the $20 million investment to the SEC…

https://www.geekwire.com/2019/smart-home-camera-maker-wyze-labs-raises-20m-startup-finds-success-low-cost-wyzecam/

Also, you might find this amusing. These excerpts are from their About page:

  • The phrase “too good to be true” came to us out of a review for Wyze Cam v1, our very first product launched in 2017.
  • In those early days, that meant we didn’t always have access to premium components or the biggest factories.

https://www.wyze.com/pages/our-story

And if you want to report a vuln to them, hope you feel comfortable using PGP.

Vulnerability information is extremely sensitive so the Wyze Cybersecurity team strongly recommends that all security vulnerability reports be sent encrypted using the Wyze Cybersecurity team PGP key.

https://www.wyze.com/pages/security-report

Oh my.

Ted April 5, 2022 5:03 PM

If you want to report a vuln to Wyze, hope you feel comfortable using PGP.

Vulnerability information is extremely sensitive so the Wyze Cybersecurity team strongly recommends that all security vulnerability reports be sent encrypted using the Wyze Cybersecurity team PGP key.

https://www.wyze.com/pages/security-report

Oh my.

JonKnowsNothing April 5, 2022 6:44 PM

@MarkH, @Volta, @Clive

re: modern electric utility does not need to determine phase, power factor, peak magnitudes, etc.

fwiw: Having done 99 rounds with California’s PG&E over a construction project electrical system, I can tell you that PG&E will not budge until all of that is 100% pounded into the ground, fixed and defined by the builder, contractor, electrical load engineer, before PG&E will connect up the juice.

There is a tonnage of reports, specs, designs, legal documents that go both to the County (property is in the county not the city, county rules are different) and to PG&E. PG&E has their own set of requirements and of course $$$ too. County gets a pile of $$$ too for stamping permits.

PG&E will not connect the juice for just any old reason. You gotta have a PG&E reason. Wanting electricity is not one of them.

Who? April 6, 2022 3:50 AM

Some years ago we found a bug in a Lenovo NAS device. That bug, easily exploited through CIFS protocol, allows anyone to access all files in the storage area without using credentials.

Lenovo said they would fix it. Now that device is EOL’d, but the vulnerability remains.

Security is not a priority. It is simple, security does not sell devices, cool features do.

Volta April 6, 2022 5:33 AM

@MarkH

• small offset errors can integrate into large energy measurement errors

Assume for a moment that the voltage has no DC component [1].

Then any DC component in the current will not correlate with the voltage and be ignored [2]. This is why you can get away with AC coupling for the current signal. Now if the voltage is assumed to be DC free we can make sure that the digital voltage signal has no offset by removing it after the A/D conversion.

[1] Reasonable assumption given that most AC power is delivered via transformers. Still there could be corroded contacts or a highly asymmetric load (not the one being measured but on the same line) combined with resistive losses. Anyway if such a situation exists there will be other and more serious problems.

[2] So if your load is e.g. a light bulb in series with a diode, it doesn’t matter if the DC component of the current is measured or not. You get the same (correct) result in both cases.
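A small simulation of the metering points made in MarkH’s notes 2–4 above and in Volta’s DC-offset argument. This is an added example, not code from the page or from any commenter; the waveform parameters (230 V RMS supply, 10 A peak current, 1 kHz sampling, a 60° lagging load) are assumptions chosen so that a 100 ms window holds a whole number of cycles at 50, 60 and 400 Hz. It computes energy as the Riemann sum of v·i, compares it with P_avg·T, and shows that (a) whole-cycle windows give an exact result even with a DC offset in the current channel, (b) a window of 5.25 cycles is off by several percent, and (c) the per-window errors cancel once the windows are summed back to a whole number of cycles.

```python
"""Energy-metering toy: whole-cycle summation windows versus truncated
ones, and why a DC offset in the current channel is harmless when the
voltage channel is DC-free.  Constructed example, not code from the page."""
import math

# Constructed parameters (assumptions): 230 V RMS mains (325 V peak),
# 10 A peak current, 1 kHz sampling.  1000 is a multiple of 100, so a
# 100 ms window holds 5, 6 or 40 whole cycles at 50, 60 or 400 Hz.
FS = 1000.0      # sample rate, Hz
V_PEAK = 325.0   # volts
I_PEAK = 10.0    # amps


def sample_waveforms(f_line, duration, phase_rad, i_dc=0.0):
    """Sampled voltage and current for a sinusoidal supply feeding a load
    whose current lags the voltage by phase_rad (reactive load).  i_dc is
    an offset in the current measuring channel; the voltage is DC-free."""
    n = int(round(FS * duration))
    w = 2 * math.pi * f_line
    v = [V_PEAK * math.sin(w * k / FS) for k in range(n)]
    i = [I_PEAK * math.sin(w * k / FS - phase_rad) + i_dc for k in range(n)]
    return v, i


def energy_joules(v, i, start, stop):
    """Riemann sum of instantaneous power v*i over samples [start, stop)."""
    return sum(v[k] * i[k] for k in range(start, stop)) / FS


def true_energy(duration, phase_rad):
    """Energy delivered by the AC components: P_avg * T, with
    P_avg = (V_peak * I_peak / 2) * cos(phase)."""
    return 0.5 * V_PEAK * I_PEAK * math.cos(phase_rad) * duration


def window_errors(f_line, window_s, n_windows, phase_rad, i_dc=0.0):
    """Relative energy error of each of n_windows back-to-back summation
    windows of length window_s, and the relative error of the integrated
    total over all of them."""
    total_s = window_s * n_windows
    v, i = sample_waveforms(f_line, total_s, phase_rad, i_dc)
    per_window = int(round(FS * window_s))
    ref = true_energy(window_s, phase_rad)
    errors = []
    for n in range(n_windows):
        e = energy_joules(v, i, n * per_window, (n + 1) * per_window)
        errors.append((e - ref) / ref)
    total_ref = true_energy(total_s, phase_rad)
    cumulative = (energy_joules(v, i, 0, n_windows * per_window) - total_ref) / total_ref
    return errors, cumulative


if __name__ == "__main__":
    phi = math.pi / 3   # 60 degree lag, power factor 0.5
    # (a) whole-cycle 100 ms windows, with a 2 A DC offset on the current channel
    for f in (50.0, 60.0, 400.0):
        errs, _ = window_errors(f, 0.100, 1, phi, i_dc=2.0)
        print(f"{f:5.0f} Hz, 100 ms window, 2 A DC offset: rel. error {errs[0]:+.1e}")
    # (b) and (c): 105 ms windows at 50 Hz are 5.25 cycles each; four of
    # them make 21 whole cycles, so the integrated error vanishes again.
    errs, cum = window_errors(50.0, 0.105, 4, phi)
    print("50 Hz, 105 ms windows:", " ".join(f"{e:+.3f}" for e in errs),
          f"| integrated over 4 windows: {cum:+.1e}")
```

Run it as a script to see the per-window figures; the 100 ms windows come out exact to floating-point precision regardless of the DC offset, while the 5.25-cycle windows are off by a few percent each, with opposite signs that cancel once four of them are integrated.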

Technotron April 7, 2022 10:03 AM

Who cares if hackers can access my hours and hours of video? My cameras point outside my home. My Wyze email is sacrificial. The WiFi AP my camera connects to is separate from the WiFi AP I connect my personal devices to. If only people thought more, they could mitigate the impact of potential vulnerabilities.

Clive Robinson April 7, 2022 1:45 PM

@ Technotron,

Who cares if hackers can access my hours and hours of video? My cameras point outside my home

You should care for a couple of reasons,

1, It’s actually an “unwarranted invasion of privacy” and legislated against in some places.

2, Some consider such data highly valuable, and whilst not paying you they are actually making you pay to give it to them.

But there is another reason to care, that you should think about.

It is said we all commit “three crimes a day” on average. In the US you are entitled to not provide evidence against yourself (take the 5th as some describe it).

However that only applies to what is in your head, your possessions are fair game to any investigating officer or prosecutor. In the case of data sent and stored by a third party no warrant or effective oversight is required as the output of your devices has become “Third Party Business Records”.

Thus you are effectively “self incriminating” by your camera and in a lot of cases there is no time limit on when a prosecution can be brought.

Remember also the “three strikes and out” where you go down for serious time even if your three crimes are not otherwise worth prosecuting.

What easier way could there be to appear “tough on crime” oh and also potentially “raking it in” with back handers from “Private Prison Operators”… Which has been found to happen.
