Hacker News new | ask | show | jobs
by tgsovlerkhgsel 854 days ago
This is one of the reasons why you want end-to-end encryption wherever possible.

Even a bad implementation with cloud-synced encryption keys (which defeats most of the benefits of e2e) would have stopped this.

The response in this case (notifying customers and specifically stating whether they were affected or not) is excellent, but this seems to be a repeat of a previous incident from September 2023: https://www.theverge.com/2023/9/8/23865255/wyze-security-cam...
2 comments
avg_dev 854 days ago
Wow. That is decidedly not a good trend. Once is definitely bad enough, but twice…
link
dns_snek 854 days ago
There was another, different incident reported in 2022 spanning 3 years, and a data breach in 2019.

https://www.consumerreports.org/home-garden/home-security-ca...

link
ls65536 854 days ago
I wonder how many people would continue to so casually use these services if they understood that, for the most part, there is rarely proper end-to-end encryption of their data with these services. It is awfully disingenuous when these companies' marketing materials describe their services as "encrypted" when it usually just means there are two independent TLS pipes, which both terminate in their "cloud"; this surely gives a false sense of security to end-users who may not understand the implications of such a setup.
link
dns_snek 854 days ago
Too many. I've consulted with friends who installed "smart" security cameras and other IoT devices. I really spelled it out, saying that there's a very real possibility that one day they'll find out someone's been listening in on all of their private conversations (audio) or watching them through their own cameras.

Responses typically range from "I'm not that interesting" to "I really don't care". I think it's too abstract of a threat for most people to take seriously before it happens to them.

link
fullstop 854 days ago
Where do you charge your cell phone?

I totally agree with you, but then I put my phone on a qi charger on my nightstand and go to sleep. It's a device with both quality cameras and microphones, so I feel a little hypocritical given that there is a non-zero chance that someone could be listening or watching through my phone.

link
dns_snek 853 days ago
That's a possibility, but that would require an exploit and smartphones are far more secure and actively updated. I just keep on top of security patches and hope that's enough.

With IoT there often aren't any security patches and your audio & video are just being live streamed to the OEM's cloud waiting for someone to listen in, it doesn't even require a security exploit.

It's easily abused by employees, it even happened at Tesla where they watched their customers through the onboard cameras, taking screenshots of them walking around naked, and sharing them on company Slack channel for laughs.

That's why I find it so mind boggling, the company could incidentally hire a pervert and now you find yourself being watched in your own home by someone who knows your home address. I find this scary because it doesn't require a security exploit, just a deranged mind and those are dime a dozen.

link
fullstop 853 days ago
So your issue is with the quality of the firmware on the devices and not the fact that it is a camera in a private place which is connected to the internet?

I agree with everything you're saying, but you may be overstating security patches. Until recently, most Android phones only had a few years of security updates.

I guess what I'm getting at is that if I truly believed in keeping Internet connected cameras outside of private areas I wouldn't have a smart phone at all.

The problem with Teslas wasn't the firmware on the cameras, but rather the infrastructure behind it. Ideally the data would be encrypted on servers and decrypted locally when needed. This doesn't pair nicely with services that perform analytics on video streams, of course, but it's a better option for privacy.

At the end of the day I share your concerns, and I want only devices which are controlled locally. I have been making efforts to make this a reality.

link
dns_snek 853 days ago
> So your issue is with the quality of the firmware on the devices and not the fact that it is a camera in a private place which is connected to the internet?

I'm just making a distinction between "connected to the internet" and "streaming private data to the cloud 24/7".

Most of us use a smartphone under the assumption that nobody else has access to it, and that it's not going to send all of our data to some cloud. If someone gains that kind of access to my device, I'll have bigger problems to worry about than someone listening to my conversations, like locking down bank accounts, investment accounts and changing dozens of passwords.

> Until recently, most Android phones only had a few years of security updates.

Tell me about it, I begrudgingly buy a new device when the old one runs out of security updates. I'm not a fan of Samsung or Pixel line (which now offer longer support) so I was planning to switch to an iPhone after my current Android device is made obsolete, but I changed my mind with Apple's latest EU meltdown.

link