In an effort to restore trust in the security of its cameras, smart home brand Wyze has developed VerifiedView — a new layer of protection that embeds your user ID into the metadata of every photo, video, and livestream. Wyze claims the system matches this data to your account before playback, blocking unauthorized access to your footage.
“This is a safety net,” Wyze co-founder and CMO Dave Crosby tells The Verge. “On top of doing everything we can to protect users, we’ve built this double check at the end to make sure that they’re extra protected.”
“We realized that we cannot survive if we keep making these stupid mistakes.”
The move follows several rough years for Wyze on the security front, starting with a vulnerability on its v1 cameras that it knew about for three years and never disclosed, followed by two high-profile incidents in 2023 and 2024, where users saw images from other people’s cameras.
Crosby says that Wyze now sees fixing its security practices as existential. “We realized that we cannot survive if we keep making these stupid mistakes that we’re making,” he says. “We’ve got to make monumental changes so this kind of stuff never happens again.”
VerifiedView is just one result of this major shift; Wyze has also expanded its in-house security team, Crosby says, and “invested millions of dollars” in strengthening its security architecture from top to bottom. That includes re-architecting its security stack, requiring two-factor authentication, launching a bug bounty program, and deploying monitoring tools to detect and prevent threats.
Wyze is also committed to being more transparent around security. “One of the biggest mistakes we ever made was not being more transparent on that,” Crosby says, referring to a flaw Bitdefender identified in its camera in 2019, but which the company didn’t disclose to customers until 2022.
VerifiedView is available now via a firmware update that began rolling out in April. “It’s 100% deployed on our most popular cameras — Wyze Cam v4, v3, Pan v3, and OG,” Crosby says, adding that it’s coming to the rest soon. Some older cameras don’t have the hardware to support it, but Wyze is exploring ways to accommodate them. Users can check to see if their cameras are on the new firmware on Wyze’s site.
After the 2024 breach, Cosby says Wyze regrouped around security. “We went through our entire security stack, evaluating where we can improve, reviewing third-party tools, and removing them where we can. Where we have to use them, we are only building with the best platforms,” he says. “We’ve invested in AWS tools – including Lacework, Security Hub, GuardDuty, and Q CLI.” Wyze also hired several security firms “to verify and validate what we’ve done.”
VerifiedView should prevent the types of scenarios Wyze experienced in 2023 and 2024 around issues with third-party tools. “If everything else fails and people get into the cloud or data gets switched, people cannot see other people’s content,” Crosby says. It works by attaching your user ID to your camera – and therefore onto any photo, video, or livestream it produces. Before you can access the footage, VerifiedView checks that the ID from the device you’re using matches. If it doesn’t, access is denied.
The tech is similar to DRM (Digital Rights Management) created to combat content piracy, explains Sharon Hagi, a cybersecurity expert and chief security officer at Silicon Labs, who reviewed Wyze’s published materials at The Verge’s request. “At the core of VerifiedView is a well-established and critical data security concept: cryptographic binding of user identity and device data to digital content,” he says, calling it a significant step forward in smart home security.
While VerifiedView is designed to prevent unauthorized access to your footage, it can’t stop someone with access to your account from viewing it. To address that, Wyze claims login security has been strengthened. Two-factor authentication is now required by default, secure sign-in options are available, and the company has deployed tools to detect suspicious logins.
Crosby emphasized Wyze has invested a lot of money into these changes and that the ongoing costs to maintain VerifiedView, including engineering and cloud infrastructure, are substantial. This raises the question of how sustainable this is for a bootstrapped startup with razor-thin margins. Could VerifiedView eventually become a paid feature? “We will never charge for this feature and we will never discontinue it,” Crosby says. “It will be a regular feature for all Wyze Cams going forward.”
Another question is why not just build in end-to-end encryption (E2EE), which ensures only the user and their authorized devices can access footage? Most cloud-based security cameras, including Wyze, encrypt data while “in transit” and “at rest,” which protects against bad actors, but allows the company to access it while on their servers to provide additional features.
“VerifiedView offers very similar protections to E2EE without compromising the user experience – it felt like the perfect trade-off.”
Crosby says E2EE is the “holy grail,” but it breaks the features users value. “With E2EE, you can’t use third-party integrations like Alexa, and AI identifications in the cloud don’t work. VerifiedView offers very similar protections to E2EE without compromising the user experience — it felt like the perfect tradeoff.”
It’s true that encrypting your footage keeps a company’s cloud servers from looking at it and acting on your behalf to tell you when, say, a package is at your door. But some companies like Apple, with its E2EE HomeKit Secure Video, use a local server to do that processing.
Alongside the local storage it offers on some cameras, Crosby says they are exploring adding more local processing, something it has on its higher-end cameras. “We want to move more and more to the edge,” he says, adding that could mean new local devices, but didn’t clarify if that’s new cameras or some type of hub for local processing. Wyze is also working on bringing back Real-Time Streaming Protocol, Crosby says. This would let users stream video to a local recording device and/or platforms like Home Assistant.
When asked why not at least offer E2EE as an option, Crosby again pointed to the lost functionality of E2EE, such as Wyze’s new AI features that help cut down on notifications. “We created VerifiedView to be a third layer of protection so users can benefit from the AI features … while knowing their videos are secure.”
Clearly, the cloud will always be a core part of the Wyze service. “There will probably always be some sort of edge-cloud collaboration,” Crosby says. “Today, we do the easy stuff on the edge and the hard stuff on the cloud. As our cameras get smarter, we move more to the edge. But situations are getting harder, too, and we’re adding more use cases to what we monitor. So, it will always be a process of learning and getting better at something, and then moving that to the edge.”
Crosby believes that users should now feel safe using Wyze’s security cameras. “We are more locked down than ever,” he says. “I feel very confident. And while you can’t be too confident in this game, because everyone feels confident until something happens, we’re building layers of tools on top of each other. It’s the best we can do at this point, and I feel very confident with it.”
Read the full article here
