D

Wyze Lock

The company that let strangers watch your camera feed now wants your fingerprints and your front door.
Serious concerns
Wyze Labs · 🇺🇸 United States · Bluetooth
Technical details
FCC ID: 2AUIUWLCKB1
Chipset: Bluetooth 5.0
App: com.hualai
Manufacturer: Wyze Labs
Model: Lock Bolt (WLCKB1)

⚠️ The bottom line

Wyze says they protect your data. They left a database with 2.4 million people's info on the open internet for three weeks. Emails, camera names, Wi-Fi networks, body measurements. They didn't even notice — a security firm found it first. Wyze says nobody can see your camera feed. Then 13,000 people saw other people's feeds. Inside their homes. Wyze first said 14 people, then quietly updated to 13,000. This happened TWICE in six months. Now imagine this company controlling who can open your front door.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying · 1/4 LOW · Is someone spying on me?
Data Sharing · 3/4 HIGH · Who gets my data?
Security · 3/4 HIGH · Is it actually secure?
Honesty · 3/4 HIGH · Can I trust what they say?
Configure: high-risk areas that can be partially mitigated with settings changes.
10 contradictions · 3 critical · 4 high · 3 medium · 4 sources
Findings by concern
Spying · 1/4 LOW · 1 finding
⚫ medium · firmware analysis vs regulatory findings
You think you're buying a lock from a Seattle tech company. You're buying a Chinese-made Lockin lock with Wyze branding. Not necessarily bad — Lockin makes millions of locks. But you should know who actually built the thing protecting your front door.

What they claim: Wyze markets Lock Bolt as a Wyze product. Lockin mentioned as "partner" with "cutting-edge technology" and "standout data security."

What we found: Lockin is a Chinese smart lock company (Singapore-registered) and a leading supplier of apartment locks in China since 2014. Lockin develops the core hardware, firmware, and biometrics; Wyze provides brand and distribution. Neither the firmware pipeline nor the supply chain security is documented publicly.

Data Sharing · 3/4 HIGH · 2 findings
⚡ high · policy claims vs policy claims
Wyze says they don't sell your data "in the conventional sense." They share it with advertisers, which is legally a sale in California. They even have a "Do Not Sell My Data" page — which only exists because they're selling your data. The "conventional sense" is doing heavy lifting.

What they claim: Wyze: "We do not sell your personal information in the conventional sense." "We do not sell your data for money."

What we found: Wyze's own Data Sharing Opt-Out page acknowledges data sharing that "may be considered a 'sale' under the CCPA." They share user activity with advertising partners. The existence of a "Do Not Sell My Data" page is itself an admission.

⚫ medium · policy claims vs regulatory findings
Wyze says they need a warrant. Federal law says they don't if they think there's an emergency. Your lock knows every time you come and go. And this is the company that had an open database for three weeks — police didn't even need to ask politely.

What they claim: Wyze: "only provide user data to law enforcement in response to a valid subpoena, warrant or other similar official legal request."

What we found: ECPA allows disclosure without warrant if provider "believes in good faith" there's emergency danger. Wyze supplemental terms: "may be subject to subpoenas, court orders that require us to retain and/or disclose User Recordings." Lock history synced to cloud. Consumer Reports found similar companies share without warrants.

Security · 3/4 HIGH · 3 findings
⚠️ critical · policy claims vs regulatory findings
Wyze says they protect your data. They left a database with 2.4 million people's info on the open internet for three weeks. Emails, camera names, Wi-Fi networks, body measurements. They didn't even notice — a security firm found it first.

What they claim: Wyze Security & Trust page: "We are committed to protecting the security of your data" with "modern security measures with encrypted data."

What we found: Dec 2019: Elasticsearch database with 2.4M customers' records exposed on open internet for 23 days. Leaked: emails, camera device IDs, Wi-Fi SSIDs, body metrics from Wyze Scale, Alexa tokens. Found by Twelve Security, not Wyze. Class action: Schoolfield v. Wyze Labs (2020).

⚠️ critical · policy claims vs firmware analysis
Wyze says they fix security bugs in 3-4 weeks. It took THREE YEARS to fix one that let hackers access your camera's SD card. They ignored the researchers. Another researcher was so frustrated he released a full hack tool on GitHub. These are the people guarding your front door.

What they claim: Wyze vulnerability response policy: "resolve or mitigate issues within approximately 3-4 weeks" for confirmed vulnerabilities.

What we found: Bitdefender reported 3 critical vulns Mar 2019: login bypass (fixed 6mo later), code execution (20mo), SD card access (34mo). Wyze ignored initial contacts. Researcher bl4sty released "unwyze" RCE exploit on GitHub for Cam v3, accusing Wyze of timing patches to avoid Pwn2Own embarrassment.

⚡ high · firmware analysis vs regulatory findings
"Trust us, it's secure" from the company whose camera firmware was compiled without basic protections and got a public exploit on GitHub. Nobody outside Wyze and Lockin has actually audited this lock. No CVEs means nobody looked, not that it's safe.

What they claim: Wyze and Lockin: "full communication link data encryption" and "hardware encryption" making it "impossible for hackers to access codes or fingerprints."

What we found: No independent security audit published. Zero CVEs — but nobody has looked. Lock manufactured by Lockin (China/Singapore). Wyze cameras used ThroughTek Kalay with 3 CVEs. "unwyze" exploit showed Wyze firmware compiled without stack canaries or PIE. BLE relay attacks documented industry-wide.
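The two hardening properties this finding names (PIE and stack canaries) can be read straight from a firmware's ELF images. The script below is an added check, not code from this page or from Wyze/Lockin; the ELF stub it builds is constructed for demonstration and the canary test is a string-table heuristic.

```python
"""Report PIE and stack-canary status for an ELF image (added example)."""
import struct

ET_DYN = 3   # e_type of shared objects and PIE executables
ET_EXEC = 2  # e_type of fixed-address (non-PIE) executables


def is_pie(blob: bytes) -> bool:
    """PIE executables are linked as ET_DYN; non-PIE executables are ET_EXEC."""
    if len(blob) < 64 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if blob[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    (e_type,) = struct.unpack_from(endian + "H", blob, 16)  # e_type at offset 16
    return e_type == ET_DYN


def has_stack_canary(blob: bytes) -> bool:
    """Heuristic: code built with -fstack-protector calls __stack_chk_fail,
    so that symbol name shows up in the binary's string tables."""
    return b"__stack_chk_fail" in blob


def hardening_report(blob: bytes) -> dict:
    """Summarise the two properties a reviewer would check first."""
    return {"pie": is_pie(blob), "stack_canary": has_stack_canary(blob)}


def make_elf_stub(e_type: int, canary: bool, little_endian: bool = True) -> bytes:
    """Constructed minimal ELF64 header (no real code), used only to exercise
    the checks above. Field order follows the ELF64 Ehdr layout."""
    ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    hdr = ident + struct.pack(endian + "HHIQQQIHHHHHH",
                              e_type, 0xB7, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return hdr + (b"\x00__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    # A hypothetical firmware binary would be read here; the stub stands in for it.
    print(hardening_report(make_elf_stub(ET_EXEC, canary=False)))
```

ET_DYN alone does not distinguish a PIE executable from a plain shared library, and a stripped binary can hide the canary symbol; treat both results as a first screen, not a verdict.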

Honesty · 3/4 HIGH · 4 findings
⚠️ critical · policy claims vs firmware analysis
Wyze says nobody can see your camera feed. Then 13,000 people saw other people's feeds. Inside their homes. Wyze first said 14 people, then quietly updated to 13,000. This happened TWICE in six months. Now imagine this company controlling who can open your front door.

What they claim: Wyze: "Wyze employees do not have the ability to view a user's camera's live feed." Uses "P2P live streaming with direct connection between phone and camera."

What we found: Feb 16, 2024: ~13,000 users received thumbnails from OTHER users' cameras. 1,504 tapped through to view enlarged footage from strangers' homes. Wyze first said 14 affected, revised to 13,000. Third-party caching library mixed device IDs and user IDs. Similar "caching issue" Sep 2023.

⚡ high · firmware analysis vs app permissions
Your fingerprint stays on the lock — genuinely good. But the app tracking who unlocked, when, and your entire coming-and-going pattern is packed with marketing trackers and synced to the cloud. Your fingerprint is private. Your life pattern is not.

What they claim: Wyze: "All codes, schedules, and fingerprint data are stored locally in the lock." "Wyze cannot access your codes or fingerprint data."

What we found: Fingerprint templates stored on lock hardware (good). But Wyze app (com.hualai) contains Braze, Segment, historically Flurry trackers. App syncs lock event history (who, when, method) to Wyze servers. Access schedules and guest codes created through tracker-laden app.

⚡ high · app permissions vs firmware analysis
The app that showed 13,000 people other people's camera feeds is the same app that controls your front door lock. Same account, same backend. Last time it mixed up who was who, people saw inside strangers' homes. Next time, someone might unlock a stranger's door.

What they claim: Wyze positions unified app as convenience: "all tied together in one app" for smart home ecosystem.

What we found: Same app (com.hualai) manages cameras AND locks through one account. Same backend that confused device IDs in the 2024 camera feed incident also controls lock access. Same Braze/Segment trackers. If backend mixes up user mappings again, blast radius now includes physical security.

⚫ medium · policy claims vs app permissions
The lock works without a subscription today. But Wyze almost went broke and now lives on subscriptions. They already moved free camera features behind paywalls. The v2 adds Wi-Fi. How long before "remote unlock" or "lock history" requires Wyze Lock Plus at $2.99/month?

What they claim: Wyze Lock Bolt works without subscription. "Essential and core security features should be free and accessible to everyone."

What we found: Wyze nearly went bankrupt, pivoted to subscriptions. Removed free 12-second cloud recording, moved behind Cam Plus Lite requiring payment method. Lock Bolt v2 adds Wi-Fi — opening door for cloud-dependent premium features. Financial dependence on subscriptions = structural incentive to paywall.
