Several vulnerabilities have been uncovered in popular Wyze Cam devices, as per new research from cybersecurity firm Bitdefender. The vulnerabilities have been enabling threat actors unlimited access to video feeds and SD cards stored on local memory cards, and have been unfixed for nearly three years.
Wyze was told by Bitdefender it planned to expose the vulnerabilities in September 2021, and on January 29, 2022, the team released a firmware update to fix the SD card issue. Remote users may acquire the contents of the SD card in the camera via a website operating on port 80 without requiring authentication, as per flaw.
- CVE-2019-9564, a remote control execution problem caused by a stack-based buffer overflow provides threat actors complete control of a device, such as the ability to control its mobility, disable recording, turn on or off the camera, and more.
- Unauthenticated access to the contents of an SD card all affected Wyze Cam lines.
- CVE-2019-9564 does not allow users to watch the live audio and video feed, but when paired with CVE-2019-12266, exploitation is "relatively straightforward".
Once users insert an SD card into the Wyze Cam IoT, the webserver creates a symlink to it in the www directory, which is hosted by the webserver but has no access restrictions. The SD card usually includes video, photos, and audio recordings, but it can also contain other types of data manually saved on it. The device's log files, which include the UID (unique identifying number) and the ENR, are also stored on the SD card (AES encryption key). Such revelation could lead to unrestricted remote access to the device.
Wyze Cam version 1 has been retired and will no longer get security updates, however Wyze Cam Black version 2 and Wyze Cam version 3 have been updated to address the flaws. Wyze published an upgrade for its Cam v2 devices on September 24, 2019, which fixed CVE-2019-9564. By November 9, 2020, Wyze had issued a fix for CVE-2019-12266. Although most Internet-connected devices are used with a "set and forget" mentality, most Wyze Cam owners may still be executing a vulnerable firmware version.
The security updates are only for Wyze Cam v2 and v3, which were published in February 2018 and October 2020, in both, and not for Wyze Cam v1, which was released in August 2017. The older model were phased out in 2020, and because Wyze didn't solve the problem till then, such devices will be open to exploitation indefinitely.
If you're using a Wyze device it's still being actively supported, be sure to install any available firmware upgrades, deactivate your IoTs when they're not in use, and create a separate, isolated network just for them.