UPDATED 21:11 EST / MARCH 29 2022


Vulnerabilities in Wyze cams exposed users to device takeover and video access

Three vulnerabilities in cams from Wyze Labs Inc. have been found to expose users to device takeover and video access.

Detailed today by researchers at S.C. Bitdefender SRL, the first two vulnerabilities allowed for authentication bypass and remote code execution, while the third gave unauthenticated access to the contents of the SD card used in each cam.

The authentication bypass, officially designated CVE-2019-9564, would allow an attacker to bypass the login process by sending a NULL authentication request. Having obtained access, an attacker would have control over the device, including motion control, disabling recording to the SD card and the ability to turn the camera off and on. However, live access to the camera feed was not available because of the encryption used by the cams.

The remote code execution vulnerability, CVE-2019-12266, involves an attacker being able to gain access to a Wyze cam using a debugging function. The SD card issue, which does not have a Common Vulnerabilities and Exposures number, allows the contents of the card to be accessed via a web server listening on port 80 without authentication.

Notably, the CVE numbers issued to the first two vulnerabilities start with 2019, reflecting the year they were discovered. Some companies are better than others at responding to vulnerability reports, and Wyze was not among the better ones.

The Bitdefender researchers initially attempted to contact Wyze twice in March 2019 and failed to get a response. Two updates by Wyze in April 2019 then partially addressed the issues. With still no contact from Wyze, the Bitdefender researchers reserved CVE numbers for the vulnerabilities pending publication in May. In September 2019, Wyze then issued another update that fixed CVE-2019-9564 while still not responding to Bitdefender.

Fast-forward to November 2020, when Wyze released a fix for the other CVE and finally acknowledged the Bitdefender researchers. In August 2021, Bitdefender followed up on the patch program and then in September told Wyze that it intended to publish the details. In January, Wyze finally released a firmware update to fix the SD card issue, with the details published today.

It’s an extraordinarily long timeline of three years from vulnerability report to publication. Although having fixes is positive, the fixes only apply to Wyze Cam v2 and v3. The vulnerabilities also exist in Wyze Cam v1, but the company no longer supports the product.

“This report should be a wake-up call to the broader issue of IoT devices as the most vulnerable part of an organization’s attack surface,” Bud Broomhead, chief executive officer at enterprise IoT security platform company Viakoo Inc., told SiliconANGLE. “IP cameras, in general, have many known vulnerabilities, not just these ones.”

Mike Parkin, senior technical engineer at cyber risk management firm Vulcan Cyber Ltd., noted that the real surprise is a vulnerability disclosure timeline that spans three years. Though the company released patches long before the public disclosure, he noted, that still raises the question of whether any malicious actors found and leveraged this vulnerability during that time.

“Unfortunately, IoT devices pose a number of security risks, from slow, or no, response from vendors, to having low visibility, low priority or both for organizations that use them,” Parkin said. “However, there are ways to mitigate the risk, from keeping them isolated from production networks to making sure they are included in any vulnerability, patch, and risk management programs.”

Photo: Davidlamma/Wikimedia Commons
