Pictured: Wyze Cam V3
Wyze’s original and recently discontinued Cam v1 suffers from a flaw that allows attackers to view the contents of the camera’s SD card.
Cybersecurity firm BleepingComputer has published a white paper detailing the security hole, which lets hackers access the original Wyze Cam’s SD card by exploiting a webserver vulnerability.
The security flaws relate to an authentication bypass (CVE-2019-9564), a remote code execution bug stemming from a stack-based buffer overflow (CVE-2019-12266), and a case of unauthenticated access to the contents of the SD card (no CVE).
The authentication bypass would allow an attacker to bypass a login process by sending a NULL authentication request. Having obtained access, an attacker would have control over the device, including motion control, disabling recording to the SD card and the ability to turn the camera off and on. However, live access to the camera was not available because of the encryption used by the cams.
The remote code execution vulnerability involves an attacker being able to gain access to a Wyze cam using a debugging function. The SD card issue, which does not have a Common Vulnerabilities and Exposures number, allows the contents of the card to be accessed via a web server listening on port 80 without authentication.
Romanian cybersecurity firm Bitdefender, which discovered the shortcomings, said it reached out to the vendor way back in May 2019. But it wasn’t until January 29, 2022, that firmware updates were released to remediate the issue related to unauthenticated access to the contents of the SD card, around the same time when the Seattle-based wireless camera maker stopped selling version 1.
This also means that only Wyze Cam versions 2 and 3 have been patched against the aforementioned vulnerabilities while leaving version 1 permanently exposed to potential risks. Wyze v1 hit end of life in 2020 and the issue hasn’t been fixed–meaning the exploit on this original camera is going to be around forever.
“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” the researchers cautioned. “This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”
Wyze told BleepingComputer the following statement on the matter, saying they “put immense value in our users’ trust in us, and take all security concerns seriously.” The company said they have already deployed security updates in their latest app and firmware updates.