
For Three Years, the Flaws in Wyze Cam Devices Have Gone Unpatched


Several vulnerabilities have been uncovered in the popular Wyze Cam devices, according to new research from the cybersecurity firm Bitdefender. The flaws give attackers access to the cameras' video feeds and to the contents of SD cards inserted into the devices, and some of them went unfixed for nearly three years.

Bitdefender notified Wyze in September 2021 that it planned to publish the vulnerabilities, and on January 29, 2022 Wyze released a firmware update fixing the SD card issue. That flaw lets a remote user retrieve the contents of the camera's SD card through a web server listening on port 80, with no authentication required.

  • CVE-2019-9564 gives threat actors complete control of a device, including the ability to control its motion, disable recording, turn the camera on or off, and more.
  • Unauthenticated access to the contents of the SD card affects all Wyze Cam lines.
  • CVE-2019-9564 alone does not let an attacker watch the live audio and video feed, but paired with CVE-2019-12266, a stack-based buffer overflow that leads to remote code execution, exploitation is "relatively straightforward".

Once a user inserts an SD card into the Wyze Cam, the firmware creates a symlink to it inside the www directory, which the web server serves without any access restrictions. The SD card usually holds video, photo and audio recordings, but it can also contain other data the user has saved on it manually. The device's log files, which include the UID (unique identifying number) and the ENR (AES encryption key), are also written to the SD card. Disclosure of these values can give an attacker unrestricted remote access to the device.
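The mechanism described above, as an added example that is not Wyze firmware and not Bitdefender's code: a minimal static-file handler that follows a symlink from the web root to removable storage (the vulnerable pattern) next to a hardened handler that canonicalises paths and refuses anything whose real location lies outside the web root. The directory layout, file names and the UID/ENR values in the demo log are constructed for the example; they are not real device identifiers.

```python
"""
Added example (not Wyze firmware or Bitdefender code): why a symlink from the
web root to an SD card mount leaks everything on the card, and how a hardened
static-file handler refuses to follow it.
"""
import os
import tempfile
from typing import Optional, Tuple


def build_demo_tree() -> Tuple[str, str]:
    """Construct a throwaway layout mimicking the situation on the camera:
    a web root ("www") containing a symlink to an SD card mount that holds
    a recording and a device log with identifiers. Returns (www, sdcard)."""
    base = tempfile.mkdtemp(prefix="camdemo_")
    www = os.path.join(base, "www")
    sdcard = os.path.join(base, "sdcard")
    os.makedirs(www)
    os.makedirs(os.path.join(sdcard, "record"))
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<html>camera</html>")
    with open(os.path.join(sdcard, "record", "clip.mp4"), "wb") as f:
        f.write(b"\x00\x00\x00\x18ftypmp42")  # constructed fake recording header
    with open(os.path.join(sdcard, "device.log"), "w") as f:
        f.write("UID=DEMO-UID-0001 ENR=DEMO-ENR-KEY\n")  # constructed identifiers
    os.symlink(sdcard, os.path.join(www, "sdcard"))  # the dangerous link
    return www, sdcard


def serve_naive(www: str, request_path: str) -> Optional[bytes]:
    """Vulnerable pattern: join the request path onto the web root and read
    whatever is there. Symlinks are followed, so /sdcard/device.log is served
    to anyone who asks, no authentication involved."""
    target = os.path.join(www, request_path.lstrip("/"))
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as f:
        return f.read()


def serve_hardened(www: str, request_path: str) -> Optional[bytes]:
    """Hardened pattern: canonicalise both the root and the target and refuse
    any target whose real location is outside the web root. This blocks the
    symlink escape as well as classic ../ traversal."""
    root = os.path.realpath(www)
    target = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    # commonpath guards against prefix tricks such as /www2 matching /www
    if os.path.commonpath([root, target]) != root:
        return None
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as f:
        return f.read()


def demo() -> dict:
    """Run both handlers against the same requests and return the results."""
    www, _ = build_demo_tree()
    return {
        "naive_index": serve_naive(www, "/index.html"),
        "naive_log": serve_naive(www, "/sdcard/device.log"),
        "naive_clip": serve_naive(www, "/sdcard/record/clip.mp4"),
        "hardened_index": serve_hardened(www, "/index.html"),
        "hardened_log": serve_hardened(www, "/sdcard/device.log"),
        "hardened_traversal": serve_hardened(www, "/../sdcard/device.log"),
    }


if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name}: {body!r}")
```

The hardened handler still serves index.html but returns nothing for the log file, whether it is requested through the symlink or through a `..` traversal. Refusing to follow links out of the document root is defence in depth; the actual fix for a device like this is not to expose removable storage over an unauthenticated HTTP listener at all.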

Wyze Cam v1 has been retired and will no longer receive security updates, but Wyze Cam v2 (Black) and Wyze Cam v3 have been updated to address the flaws. Wyze published an update for its Cam v2 devices on September 24, 2019 that fixed CVE-2019-9564, and by November 9, 2020 it had issued a fix for CVE-2019-12266. Because most Internet-connected devices are used with a "set and forget" mentality, many Wyze Cam owners may still be running a vulnerable firmware version.

The security updates cover only Wyze Cam v2 and v3, released in February 2018 and October 2020 respectively, and not Wyze Cam v1, released in August 2017. The older model was discontinued in 2020 without a fix, so those devices will remain open to exploitation indefinitely.

If you own a Wyze device that is still actively supported, install any available firmware updates, power off IoT devices when they are not in use, and put them on a separate, isolated network.
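The "separate, isolated network" advice, as an added example that is not part of the original post and not a Wyze recommendation: an nftables forward-chain ruleset for a Linux-based home router that keeps cameras on their own bridge. The interface names br-lan, br-iot and wan0 are assumptions for the example; NAT for the WAN side is configured separately and is not shown.

```nftables
# Added example: isolate an IoT bridge (br-iot) from the trusted LAN (br-lan).
# Interface names are assumptions; adjust to the router's real interfaces.
table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the trusted LAN opened (e.g. viewing a feed)
        ct state established,related accept

        # Trusted LAN may reach the Internet and the cameras
        iifname "br-lan" oifname "wan0" accept
        iifname "br-lan" oifname "br-iot" accept

        # Cameras may reach the Internet (cloud service, firmware updates)
        iifname "br-iot" oifname "wan0" accept

        # Cameras may never initiate connections into the trusted LAN
        iifname "br-iot" oifname "br-lan" counter drop
    }
}
```

Load it with `nft -f` and check the counter on the last rule: any hits mean a device on the IoT segment tried to talk to the LAN on its own, which for a camera is worth investigating.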

Seattle-based Wyze accused of data breach: unpairs all devices from Google Assistant and Alexa

Seattle-based smart home appliance maker Wyze, known for selling its products more cheaply than its competitors, has been accused of suffering a data breach and of sending user data to Alibaba Cloud servers in China.

In response to the alleged breach of its production database, Wyze logged its users out of their accounts and has strengthened security on its servers.

"Customers endured a lengthy reauthentication process as the company responded to a series of reports claiming that the company stored sensitive information about people's security cameras, local networks, and email addresses in exposed databases," stated Android Police.

Texas-based Twelve Security, a self-described "boutique" consulting firm, claimed in a Medium post yesterday that two of Wyze's Elasticsearch databases had been exposed. The data came from 2.4 million users in the United States, the United Kingdom, the United Arab Emirates, Egypt, and parts of Malaysia.

The data included email addresses, firmware versions, the names of every camera in a household, the time each device was last activated, users' last login and logout times, account login tokens for users' Android and iOS devices, camera access tokens for users' Alexa devices, Wi-Fi SSIDs, and internal subnet layouts. For users who had supplied additional personal information, their height, weight, gender, bone health and protein intake were also exposed.

Twelve Security also claimed that Wyze was clearly handling and routing user data through Alibaba Cloud servers in China. The video surveillance news site IPVM, working with Twelve Security, was able to find devices and accounts belonging to its own staff members who had reviewed Wyze products. They chose not to notify Wyze before going public, citing the company's negligence, its probable link to Alibaba and its previous security blunders.

In response to the allegations, Wyze logged users out of their accounts but posted on its community forum that it could not confirm a breach. Wyze also denied any relationship with Alibaba.

Wyze later posted that the exposure was caused by an employee's "mistake", that affected customers can expect an email from the company, and that as a precaution it had logged out all users, who will have to log in again using two-factor authentication.