WTF?! Are you a long-time user of Wyze cameras? Then here's some bad news: a vulnerability was discovered that could allow strangers unauthorized, remote access to the company's home security cameras, and it took Wyze three years to fix it.
Bitdefender security researchers found three vulnerabilities in Wyze cameras back in 2019. One allowed hackers to bypass the authentication process to gain remote connection and control of the cameras, including tilting and turning them off, though they couldn't view the encrypted remote feed. However, the second issue, a standard stack buffer overflow, allowed attackers to access the live feed when combined with the remote authentication bypass.
The third vulnerability allowed access to the contents of the SD card within the camera via a webserver listening on port 80 without requiring authentication. Some users avoid the company's cloud subscription fees and instead store their recordings on a local SD card, which also contains device log files such as the UID (unique identification number) and the ENR (AES encryption key).
Bitdefender first contacted Wyze in March 2019 and shared information about these proof-of-concept vulnerabilities. The authentication bypass flaw (CVE-2019-9564) was addressed by a Wyze security update on September 24, 2019, but it wasn't until November 9, 2020, 21 months after its discovery, that an app update fixed the remote execution vulnerability (CVE-2019-12266).
The SD card issue appears to have been dealt with in an even worse manner by Wyze. It was addressed in a firmware update that was pushed out on January 29, 2022, and that was only available for Wyze Cam v2 and v3, which were released in February 2018 and October 2020, respectively. The Wyze Cam v1 that launched in August 2017 was left vulnerable, writes Bleeping Computer. Wyze discontinued this first-gen camera in January without saying why.
Wyze did tell its customers that "your continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk."
Most researchers give companies a grace period, often 30 to 90 days, to disclose any discovered vulnerabilities before doing it themselves. Sometimes those who discovered the problem jump the gun; back in 2018, Epic Games blasted Google for disclosing a Fortnite Android exploit early. So why did Bitdefender wait so long? Company PR director Steve Fiore told The Verge:
Our findings were so serious, our decision, regardless of our usual 90-day-with-grace-period-extensions-policy, was that publishing this report without Wyze's acknowledgement and mitigation was going to expose potentially millions of customers with unknown implications. Especially since the vendor didn't have a known (to us) security process / framework in place. Wyze actually implemented one last year as a result of our findings (https://www.wyze.com/pages/security-report).
We have delayed publishing reports (iBaby Monitor M6S cameras) for longer periods for the same reason before. The impact of making the findings public, coupled with our lack of information on the capability of the vendor to address the fallout, dictated our waiting.
We understand that this is not necessarily a common practice with other researchers, but disclosing the findings before having the vendor provide patches would have put a lot of people at risk. So when Wyze did eventually communicate and provided us with credible information on their capability to address the issues reported, we decided to allow them time and granted extensions.