Wyze knew hackers could remotely access its cameras for three years, but it didn’t tell anyone

Wyze has been selling affordable smart security cameras since the original Wyze Cam in 2017, and has since branched out into other product categories (like earbuds). However, the company has also had its fair share of problems, and a more significant issue has now come to the fore: hackers can gain access to the video feeds from Wyze Cams.

Bitdefender on Tuesday publicly disclosed a series of security vulnerabilities in Wyze’s security cameras, affecting the Wyze Cam Pan v2 (firmware prior to 4.49.1.47), the Wyze Cam v2 (prior to 4.9.8.1002), the Wyze Cam v3 (prior to 4.36.8.32), and the original Wyze Cam on all firmware versions. The first vulnerability, CVE-2019-9564, is an authentication bypass that allowed attackers to skip the login step and gain access to camera controls. Bitdefender also discovered a stack buffer overflow (CVE-2019-12266) which, chained with the authentication bypass, could be used to gain remote access to a camera’s video feed.


Exploiting these flaws requires knowing the camera’s ID, a random string that can only be captured by an attacker on the same local network as the camera. This significantly limits the scope of the vulnerabilities: an attacker would first have to gain access to your home network before accessing the video feed from the Wyze camera.

The main problem here isn’t really the vulnerabilities themselves, it’s how Wyze handled their disclosure. Bitdefender says it contacted Wyze twice, first on March 6, 2019, and again on March 15, 2019, and received no response. Over the following months, Wyze updated some of its cameras with a partial fix for the login vulnerability, still without responding to Bitdefender. It was not until November 2020 that Wyze finally communicated with Bitdefender, and the final fixes were not deployed until January 2022.

Email sent to Wyze customers on January 6, 2022 (Source: The Verge)

Not only did Wyze fail to act quickly and work with Bitdefender to resolve the security issues, but the company never acknowledged the vulnerability to its customers. Wyze told The Verge that the company has been transparent with its customers and has “completely fixed the issue”, but the original Wyze Cam was never fixed, and the company never told customers about this specific issue.

Wyze had not issued a public statement about the vulnerabilities on its Twitter account or other social media accounts as of the time this article was published.

Source: The Verge, Bitdefender
