A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years.
The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication.
Upon inserting an SD card on the Wyze Cam IoT, a symlink to it is automatically created in the www directory, which is served by the webserver but without any access restrictions.
The SD card typically contains video, images, and audio recordings but can include various other information the user may have saved on the SD card.
The SD card also stores all the log files of the device, which contain the UID (unique identification number) and the ENR (AES encryption key). Their disclosure may result in unobstructed remote connections to the device.
The flaw was discovered and reported to the vendor by researchers at Bitdefender in March 2019, along with another two vulnerabilities, an authentication bypass, and a remote control execution flaw.
The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019.
The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery.
The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update.
Impact and solutions
Considering that Internet-connected devices are typically used according to the “set and forget” mindset, most Wyze Cam owners might still be running a vulnerable firmware version.
To locate trustworthy firmware updates for your camera model, check out the available releases on Wyze’s official download portal.
It should be noted that the security updates have been made available only for Wyze Cam v2 and v3, released in February 2018 and October 2020, respectively, and not for Wyze Cam v1, released in August 2017.
The older model has reached the end of life in 2020, and since Wyze hadn’t fixed the issue until then, those devices will remain vulnerable to exploitation forever.
As Bitdefender warns in its disclosure report:
After working for more than two years on this issue, logistic and hardware limitations on the vendor’s side prompted the discontinuation of version 1 of the product, which leaves existing owners in a permanent window of vulnerability. We advise users to stop using this hardware version as soon as possible.
If you’re using an actively supported Wyze product, make sure to apply the available firmware updates, deactivate your IoTs when they’re not used, and set up a separate, isolated network exclusively for them.
Wyze’s cybersecurity team told BleepingComputer that both v2 and v3 cameras are perfectly safe to use with the latest firmware update, while a spokesperson shared the following comment:
At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.
Source: https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-remotely-access-your-saved-videos/