Xepher

cross-posted from: https://lemm.ee/post/8552498

After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides.

On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident.

We believe Wyze is acting irresponsibly to its customers. As such, we've made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.

The concern is not that Wyze had a security incident—just about every company or organization in the world will probably have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-a. The greater issue is how this company responds to a crisis. With this incident, and others in the past, it’s clear Wyze has failed to develop the sorts of robust procedures that adequately protect its customers the way they deserve.

We spoke about this incident to peers, colleagues, and experts in the field, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Wirecutter senior staff writer Max Eddy. All of them agree the central issue is that Wyze has not proactively reached out to all its customers, nor has it been adequately accountable for its failures. “When these sort of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’”

If this were the first such incident, we might be less concerned. However, it comes on the heels of a March 2022 Bitdefender study (PDF), which showed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams. The company did eventually alert customers of the issue, and it notably guided them to stop using the first-generation Wyze Cam because “continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk”—but that was long after the serious vulnerability was first discovered and reported to Wyze, on multiple occasions, without getting a response.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze’s inability to meet these basic standards puts its customers and its devices at risk, and also casts doubt on the smart-home industry as a whole.

In order for us to consider recommending Wyze’s cameras again, the company needs to devise and implement more rigorous policies, as most of its competitors already have. They need to be proactive, accountable, and transparent. Here’s what we expect from Wyze in the event of a security incident:

• Reach out to customers as soon as possible: Send an email to all customers, send push notifications in the app, put out a press release, broadcast in the Wyze Communities online forum.
• Describe the issue in detail and state precisely who was affected (and who wasn’t).
• Explain specifically what steps are being taken to aid affected customers and what if any actions the customer needs to take on their own.
• Follow-up with customers to let them know the issue has been resolved.

For anyone who has Wyze cameras and intends to continue using them, we recommend restricting their use to noncritical spaces or activities, such as outdoor locations. If you are looking for an alternative, better camera options are available—even for smart-home users on a budget.

This isn’t the first time Wirecutter has pulled a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. We eventually returned to reviewing Ring gear, and in some cases recommended them to our readers, after the company made a series of significant improvements to its programs and policies.

We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room. Should Wyze change course and adopt more substantial policies like those above, we will be happy to resume testing and considering them for recommendation.

After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides.

On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident.

We believe Wyze is acting irresponsibly to its customers. As such, we've made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.

The concern is not that Wyze had a security incident—just about every company or organization in the world will probably have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-a. The greater issue is how this company responds to a crisis. With this incident, and others in the past, it’s clear Wyze has failed to develop the sorts of robust procedures that adequately protect its customers the way they deserve.

We spoke about this incident to peers, colleagues, and experts in the field, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Wirecutter senior staff writer Max Eddy. All of them agree the central issue is that Wyze has not proactively reached out to all its customers, nor has it been adequately accountable for its failures. “When these sort of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’”

If this were the first such incident, we might be less concerned. However, it comes on the heels of a March 2022 Bitdefender study (PDF), which showed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams. The company did eventually alert customers of the issue, and it notably guided them to stop using the first-generation Wyze Cam because “continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk”—but that was long after the serious vulnerability was first discovered and reported to Wyze, on multiple occasions, without getting a response.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze’s inability to meet these basic standards puts its customers and its devices at risk, and also casts doubt on the smart-home industry as a whole.

In order for us to consider recommending Wyze’s cameras again, the company needs to devise and implement more rigorous policies, as most of its competitors already have. They need to be proactive, accountable, and transparent. Here’s what we expect from Wyze in the event of a security incident:

• Reach out to customers as soon as possible: Send an email to all customers, send push notifications in the app, put out a press release, broadcast in the Wyze Communities online forum.
• Describe the issue in detail and state precisely who was affected (and who wasn’t).
• Explain specifically what steps are being taken to aid affected customers and what if any actions the customer needs to take on their own.
• Follow-up with customers to let them know the issue has been resolved.

For anyone who has Wyze cameras and intends to continue using them, we recommend restricting their use to noncritical spaces or activities, such as outdoor locations. If you are looking for an alternative, better camera options are available—even for smart-home users on a budget.

This isn’t the first time Wirecutter has pulled a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. We eventually returned to reviewing Ring gear, and in some cases recommended them to our readers, after the company made a series of significant improvements to its programs and policies.

We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room. Should Wyze change course and adopt more substantial policies like those above, we will be happy to resume testing and considering them for recommendation.

Google is reportedly planning to introduce a new Android feature that will let users link their various Android devices together, similar to Continuity features across the Apple ecosystem. Android expert Mishaal Rahman posted about the potential feature, noting that it could allow Android devices that are signed into the same Google account to communicate with each other.

This could enable features like “Call Switching,” which allows users to jump between connected devices during calls, and “Internet Sharing,” which Android Authority speculates could be an easier way to quickly set up a personal hotspot across the linked devices. Apple has a similar call-switching feature called “iPhone Mobile Calls” that allows users to make and receive calls from Apple devices like Macs and iPads signed into the same Apple ID, providing they’re on the same network as the user’s iPhone.

Android Authority also notes, however, that Apple’s “iPhone Mobile Calls” feature doesn’t allow users to receive calls from another iPhone. The wording for Google’s “Call Switching” feature (as seen in the screenshot provided by Rahman) suggests that it could be used to switch between different Android devices, including phones. So you might be able to pick up a call on a phone and transfer it to another linked phone or something like the Pixel Tablet. We won’t know for sure until Google officially announces this, but if it’s genuine, then this could be useful for folks who need to carry more than one phone.

Rahman claims that the “Link Your Devices” menu will appear under Settings > Google > Devices & Sharing in the device settings once the feature is officially released. Google has yet to announce the Android device linking feature, let alone a release date. We have reached out for comment from Google and will update this story should we hear back.

Wanted to see how everyone in the community felt about the using the android navigation bar buttons vs using gesture control.

I've used the navigation buttons since they released on android and just recently started trying to use the gesture based navigation. It's been a little difficult for me to adapt to it so far, but curious what others experience has been.

Its acquirer (Bending Spoons) has taken over operations. They’ve also hiked subscriptions prices and told customers they intend to use new revenues to pay for new features. How they intend to do that without any staff is something I would like to know about.

If you’re still using Evernote, probably a good time to stop.

Microsoft is getting ready to make its new Teams 2.0 client available for all users. As of today, the new app is available via a toggle in public preview, but the same toggle will become generally available for customers in September.

Microsoft launched the new Teams 2.0 client in public preview in March 2023. The app has been rebuilt from the ground up to make it two times faster and consume 50 percent less memory as compared to the classic Teams desktop app. Microsoft Teams 2.0 is no longer an Electron-based application, and it leverages Microsoft’s Webview2 technology instead.

At launch, the preview version of the new Teams 2.0 client lacked several features that are available in the classic Teams desktop app. Since then, Microsoft has been working to add support for third-party apps, line-of-business (LOB) applications, and advanced calling and meeting capabilities. These include 7×7 video, breakout rooms, call queues and voice-enabled channels, as well as survivable branch appliance (SBA).

Later this month, end users will be able to switch between the new Teams client and the classic app with a toggle button. This change will be applicable to tenants where the admin policy setting of “UseNewTeamsClient” is set to Microsoft default. Microsoft will let IT admins deploy new Teams directly to all devices in their organization in mid-July.

“We’re still working on this version, so some things aren’t available yet. It’s easy to toggle back and forth between using the classic and new Teams, so you can take advantage of the new Teams performance enhancements on some days and switch back to the classic Teams when you need to,” Microsoft explained.

Microsoft expects to make Teams 2.0 the default client for all customers in late September. The upcoming update will be available for both enterprise and business (Business Basic, Business Standard, Business Premium, and Teams Essentials, etc) customers. Microsoft recommends IT admins to start preparing users for this upcoming change in Fall 2023.

Currently, Microsoft Teams 2.0 is only available in preview on Windows PCs. Microsoft has confirmed that the new Teams client will launch on macOS, VDI, and Web later this year. Let us know in the comments below if you have switched to the Microsoft Teams 2.0 preview app.