Wyze knew that hackers could access your camera feed without a password for almost three years and did not fix it or tell customers. They continued selling cameras as "secure" while anyone with basic hacking skills could watch your home. In February 2024, a Wyze system error let about 13,000 strangers see inside other people's homes through their Wyze cameras. Some people could watch live video of other families' private spaces. Major review outlets stopped recommending Wyze cameras.
What they claim: The Wyze app is a companion app for controlling Wyze home security cameras and smart home devices.
What we found: The Wyze app (com.hualai) requests 76 Android permissions including READ_SMS, RECEIVE_SMS, READ_CALL_LOG, READ_CONTACTS, CALL_PHONE, ANSWER_PHONE_CALLS, MANAGE_OWN_CALLS, and MODIFY_PHONE_STATE. A home security camera app has no legitimate need to read text messages, intercept phone calls, access the call log, or read the user's contact list. These permissions enable surveillance of the user's communications far beyond camera control.
What they claim: Wyze Cam OG is a stationary, plug-in indoor/outdoor security camera that does not move.
What we found: The Wyze app requests ACCESS_BACKGROUND_LOCATION and ACCESS_FINE_LOCATION permissions. ACCESS_BACKGROUND_LOCATION allows the app to track the user's precise GPS location even when the app is not in use. A stationary, plug-in camera has no need for continuous background location tracking of its owner. This permission enables Wyze to build a location profile of the user independent of the camera's function.
What they claim: Wyze Cam OG is marketed as a trusted US home security product by Wyze Labs (Kirkland, Washington).
What we found: FCC compliance testing for FCC ID 2AUIUWYZECGS was performed by Compliance Certification Services (Kunshan) Inc — a Chinese testing laboratory. The Wyze app package name is com.hualai (Hualai Technology, TianJin, China) and the original FCC ID for Wyze Cam v1 was 2ANJHWYZEC1 filed by TianJin HuaLai Technology Co., Ltd. The device connects to p2p.tutk.com (ThroughTek, a Taiwanese P2P video platform that had its own vulnerability CVE-2021-32934 enabling remote video interception). Supply chain touches Chinese manufacturing, testing, and software origins despite US marketing.
What they claim: Wyze's Google Play Store Data Safety page states the app does not share data with third parties and does not collect user data.
What we found: Wyze's own privacy policy explicitly discloses that Wyze "sells" personal information under CCPA definitions — sharing personally identifying information and inferences with third-party advertisers for targeted advertising. The app includes ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, and AD_ID permissions specifically for advertising tracking. Mozilla's Privacy Not Included review confirmed Wyze sells personal data to advertisers. The Play Store claim directly contradicts the company's own privacy policy.
What they claim: Wyze's privacy policy and app store listing suggest the app collects only data necessary for device functionality.
What we found: The app includes Google Firebase Analytics tracker and advertising-related permissions (ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, AD_ID, BIND_GET_INSTALL_REFERRER_SERVICE). These permissions exist solely for tracking user behavior and serving targeted advertisements. A home security camera app handling sensitive video of people's homes should not be running advertising analytics and tracking user behavior for ad targeting.
What they claim: Wyze markets itself as a secure, trustworthy home security brand and states on its security page that it takes security seriously.
What we found: CVE-2019-9564: Authentication bypass vulnerability allowing attackers to gain full access to the camera feed by sending a NULL authentication request. Bitdefender notified Wyze in March 2019 but Wyze did not fully patch until February 2022 — nearly three years of known vulnerability exposure. Wyze Cam v1 was never patched; discontinued instead. CVE-2019-12266: Stack buffer overflow enabling remote code execution when chained with the auth bypass. Bitdefender security research confirms Wyze knew about these critical vulnerabilities for years while continuing to market cameras as secure home monitoring devices.
What they claim: Wyze markets Wyze Cam OG as secure home monitoring with private, encrypted video feeds.
What we found: A February 2024 service outage caused approximately 13,000 users to receive thumbnails and video feeds from OTHER users' cameras — strangers could see inside other people's homes. Approximately 1,500 users tapped through to view full video feeds. The outage was caused by a caching library error that mixed up device ID and user ID mappings. NY Times Wirecutter and USA Today pulled their recommendations. This demonstrates that Wyze's cloud architecture can mix video streams between accounts, fundamentally undermining the security promise of a home camera.
What they claim: Wyze Cam is marketed as private home security monitoring with encrypted video feeds.
What we found: Wyze's privacy policy states that camera recordings may be disclosed to law enforcement in response to subpoenas, court orders, or lawful requests by public authorities. The Wyze Cam Plus subscription stores 14 days of event video in the cloud; the free tier stores 12-second clips. Both create retained video records of your home that are subject to law enforcement subpoena. The app requests ACCESS_BACKGROUND_LOCATION and ACCESS_FINE_LOCATION, adding precise geolocation data to the video records available to authorities.
What they claim: Wyze presents itself as a transparent, trustworthy company on its security and trust page.
What we found: December 2019: Employee error left an Elasticsearch database exposed for 22 days (December 4-26), leaking 2.4 million users' email addresses, WiFi SSIDs, camera nicknames, and API tokens. Wyze did not disclose the breach until forced by security researcher Twelve Security going public on December 26. Class action lawsuit Schoolfield v. Wyze Labs Inc. (W.D. Washington, 2:20-cv-00282) filed. Combined with the 3-year CVE cover-up and the initially downplayed 2024 camera feed exposure, this establishes a pattern of prioritizing growth over transparency.
What they claim: The Wyze Cam OG is a home security camera. The companion app should only need permissions related to camera, audio, and network connectivity.
What we found: The Wyze app requests 20+ health-related permissions: READ_HEART_RATE, READ_BODY_FAT, READ_BODY_WATER_MASS, READ_BONE_MASS, READ_BASAL_METABOLIC_RATE, READ_HYDRATION, READ_LEAN_BODY_MASS, READ_WEIGHT, and corresponding WRITE permissions for all of these plus WRITE_SLEEP, WRITE_STEPS, WRITE_TOTAL_CALORIES_BURNED. A camera app collecting your heart rate, body fat percentage, bone mass, hydration levels, sleep patterns, and step count represents extreme data overreach unrelated to security camera functionality.
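The permission findings above (communications, location, advertising and health permissions) come down to comparing what a manifest declares with what the product's function needs. The following is an added example, not part of the original audit and not Wyze's code: it assumes a text AndroidManifest.xml already decoded from the APK, and the category policy, the sample manifest and the com.example.camera package are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed review policy for a camera companion app (not the page authors' tooling).
EXPECTED = {"camera_audio", "network"}
CATEGORIES = {
    "camera_audio": {"CAMERA", "RECORD_AUDIO"},
    "network": {"INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE"},
    "sms_calls_contacts": {"READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_CONTACTS",
        "CALL_PHONE", "ANSWER_PHONE_CALLS", "MANAGE_OWN_CALLS", "MODIFY_PHONE_STATE"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION"},
    "advertising": {"ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION", "AD_ID",
                    "BIND_GET_INSTALL_REFERRER_SERVICE"},
}
# Constructed sample manifest (hypothetical package), not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.health.READ_HEART_RATE"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.example.camera.permission.PUSH"/>
</manifest>"""

def categorize(full_name):
    """Map a fully qualified permission name to a review category."""
    if ".permission.health." in full_name:  # Health Connect namespace
        return "health"
    short = full_name.rsplit(".", 1)[-1]
    for category, names in CATEGORIES.items():
        if short in names:
            return category
    return "unclassified"  # custom or unknown permission: needs manual review

def audit(manifest_xml):
    """Return {category: sorted permission names} for categories outside EXPECTED."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    # Permissions can be declared with either element; check both.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID + "name")
            if name and categorize(name) not in EXPECTED:
                findings.setdefault(categorize(name), set()).add(name)
    return {c: sorted(p) for c, p in sorted(findings.items())}

if __name__ == "__main__": print(audit(SAMPLE_MANIFEST))
```

Anything returned under "unclassified" is a vendor-defined or unrecognized permission and still needs a manual look before it is treated as benign.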