What if you’re being watched without your knowledge?
A vulnerability/flaw in the ‘Wyze’ camera lets hackers watch your saved content!
A vulnerability in the Wyze internet camera, which has also not been mended for almost 3 years permits unauthenticated, remote access to all videos and images stored on the camera’s local memory cards. This bug has not been assigned a CVE ID, however it allows remote users to get a hold of the content of the SD card via a webserver which does not need authentication. Upon the insertion of the SD card, a symlink is automatically created in the www directory, which is also served by the webserver without any restrictions on access. The SD card usually contains a user’s data such as; videos, images, audio recordings and various other information saved on it.
The card stores all the log files of the device and this contains the UID (unique identification number) and the ENR (AES encryption key). The disclosure could result in unobstructed remote connections to the device. This flaw was actually discovered 3 years ago in March 2019, and reported to the vendor by some researchers at Bitdefender. They were able to find two other flaws; an authentication bypass and a remote control execution issue.
The remote execution flaw, was named as CVE-2019-12266, and was mended via an app update on November 9th 2020. And the authentication bypass flaw was tracked as CVE-2019-9564 that was also addressed by the team, at Wyze via a security update on September 24th 2019. The worse of the list was a flaw concerning the SD card, that was fixed on January 29th 2022, when the team released a firmware update.
Most of these camera owners might still be using a vulnerable device. Another aspect that should be noted is that all updates have only been released to Wyze Cam v2, and Wyze Cam v3 launched in February 2018 and October 2020 respectively. The older model which is v1, has reached the end of it’s life that will remain exploited and vulnerable forever. It is advised that users using this version, to stop immediately and make sure to constantly check and upgrade the available firmware updates, deactivate IoTs when they’re not being used, and set up a separate, isolated network exclusively for them.
Source:
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/
