A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years.
The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication.
When an SD card is inserted into the Wyze Cam, a symlink to it is automatically created in the www directory, which the webserver serves without any access restrictions.
The SD card typically contains video, images, and audio recordings but can include various other information the user may have saved on the SD card.
The SD card also stores all the log files of the device, which contain the UID (unique identification number) and the ENR (AES encryption key). Their disclosure may result in unobstructed remote connections to the device.
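The root cause described above, a symlink inside the served directory that points at storage outside it, can be checked for on any embedded device or filesystem snapshot. The following audit is an added example, not code from Bitdefender or Wyze; the directory names and link targets in the sample tree are constructed for illustration.

```python
import os
import tempfile

def find_escaping_symlinks(fs_root, webroot="www"):
    """Return sorted (link, target) pairs for symlinks under webroot that resolve outside it.

    fs_root is a live root ("/") or a mounted/extracted snapshot. Absolute link
    targets are re-rooted under fs_root so a snapshot is never resolved against the host.
    """
    fs_root = os.path.abspath(fs_root)
    docroot = os.path.normpath(os.path.join(fs_root, webroot))
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            raw = os.readlink(path)
            if os.path.isabs(raw):
                resolved = os.path.normpath(os.path.join(fs_root, raw.lstrip("/")))
            else:
                resolved = os.path.normpath(os.path.join(dirpath, raw))
            # Dangling links are still reported: a mount point may only exist
            # once removable media is inserted.
            if os.path.commonpath([docroot, resolved]) != docroot:
                findings.append((os.path.relpath(path, fs_root), raw))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; names are illustrative, not taken from Wyze firmware."""
    www = os.path.join(root, "www")
    os.makedirs(os.path.join(www, "static"))
    os.makedirs(os.path.join(root, "var", "log"))
    open(os.path.join(www, "index.html"), "w").close()
    os.symlink("static", os.path.join(www, "assets"))       # stays inside the web root
    os.symlink("/media/mmc", os.path.join(www, "sdcard"))   # absolute target, dangling
    os.symlink("../../var/log", os.path.join(www, "static", "logs"))  # relative escape

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for link, target in find_escaping_symlinks(root):
            print(f"{link} -> {target}")
```

Because the link on the camera is created at the moment a card is inserted, such a check has to run against the live filesystem, or a snapshot taken with a card present, rather than against the factory image alone.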
The flaw was discovered and reported to the vendor by researchers at Bitdefender in March 2019, along with two other vulnerabilities: an authentication bypass and a remote control execution flaw.
The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019.
The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery.
The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a firmware update that addressed it.
Impact and solutions
Considering that Internet-connected devices are typically used according to the “set and forget” mindset, most Wyze Cam owners might still be running a vulnerable firmware version.
To locate trustworthy firmware updates for your camera model, check out the available releases on Wyze’s official download portal.
It should be noted that the security updates have been made available only for Wyze Cam v2 and v3, released in February 2018 and October 2020, respectively, and not for Wyze Cam v1, released in August 2017.
The older model reached end of life in 2020, and since Wyze hadn’t fixed the issue by then, those devices will remain vulnerable to exploitation forever.
As Bitdefender warns in its disclosure report:
After working for more than two years on this issue, logistic and hardware limitations on the vendor’s side prompted the discontinuation of version 1 of the product, which leaves existing owners in a permanent window of vulnerability. We advise users to stop using this hardware version as soon as possible.
If you’re using an actively supported Wyze product, make sure to apply the available firmware updates, deactivate your IoT devices when they’re not in use, and set up a separate, isolated network exclusively for them.
Wyze's cybersecurity team told BleepingComputer that both v2 and v3 cameras are perfectly safe to use with the latest firmware update, while a spokesperson shared the following comment:
At Wyze, we put immense value in our users' trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and take appropriate measures to protect our customers' privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.
Comments
DanAVL - 2 years ago
It's not clear the real world impact of this vulnerability... would it only be to Wyze cams not behind a NAT firewall? "remote users to access the contents of the SD card in the camera via a webserver listening on port 80 " Which webserver, one only on the LAN? If so, then this seems like not a serious flaw at all. If it's public to the world regardless of LAN, then we have something more serious!
172pilot - 2 years ago
I agree - As a wyze user with some of all of their versions of cameras, I clicked on this article with expectations of finding some way that an attacker could make the camera switch wifi networks and then divulge everything, but I kind of feel these days that if someone can get into my home network, there's a lot more I have to worry about than them seeing what I'm printing on my 3d printer or whether my garage door is open or not. Compared with other vendors, I've found Wyze to be very open about their corporate struggles, and this seems to be an exception that concerns me, but the actual vulnerability isn't going to make me stop using these cameras which sit behind my NAT with uPNP turned off.
gleep52 - 2 years ago
Is this a backdoor situation from external access or does someone need to be behind the NAT?
I’m not sure why it’s recommended to isolate the Wyze cameras on a different network if the cameras do not work without internet access…? Separating the Wyze cams to a vlan and blocking internet stops them from working and if they are connected to HQ and THATS the vulnerability that’s a really significant issue to leave open for three years!
Do we have a POC for this to illustrate exactly how it’s done? I’m actually using older firmware for external compatibility intentionally but might need to update if this is externally exploitable….
clarkcant - 2 years ago
The cameras can be used via RTSP. And as I understand it, the suggestion you are referring to was to "isolate" the devices to a separate network, like the Guest network. Not to keep them offline.
AndLastly - 2 years ago
I too have questions. Nowhere have I seen what access is required to the camera to authenticate. If through the web server, that requires TCP and therefore local network access. This wouldn't have me throwing away cameras like so many articles' authors are suggesting.
172pilot - 2 years ago
Correct me if I'm wrong, but the RTSP firmware (especially for the model 1) makes it not use the SD card anyway because it can't do both its cloud connections AND the RTSP at the same time? This to me would mean a cheap first gen camera would be a great (and safe) option for an RTSP camera..
gleep52 - 2 years ago
Sadly, I was hacked and the point of origin so far is my Wyze Camera - sitting behind a nearly fully closed firewall with no uPnP enabled and Wyze on a separate VLAN from my more important stuff. https://www.reddit.com/r/wyzecam/comments/tsmmjf/comment/i2to1d2/?utm_source=share&utm_medium=web2x&context=3
172pilot - 2 years ago
I am curious why you think the initial point of entry was the Wyze cam? How would they have gotten in to get to it? I'm not saying you're wrong, just not seeing what the initial attack vector could have been if everything is closed on the firewall as you say? You sure someone friendly didn't have your wifi password and somehow let something in?
gleep52 - 2 years ago
I understand your comments and am reeling trying to figure this out. We do not have visitors and do not share wifi... most things in my house are rather overly secure. Moving into the cybersecurity sector and being vocal in some channels might have made me a target perhaps - but the first IOC I can see is the Wyze Cam attacking the system that was recording its stream and broadcasting it to my Apple HomeKit stuff. So if someone did manage to backdoor into the camera due to the old firmware and only needed to use the ports the camera already had open (443) to control it - it's scary and not a stretch to say it was the point of origin. Sadly at home - I dabble with too many SIEM products and loggers to accurately capture everything on my network and the wyze cams I've never even really thought to monitor other than turning them on and off. Honestly I figured if I were behind NAT I'd be fine - but it's always bugged me that the cameras don't work without internet. Even if I had taken the time to set up my ACL rules to firmly block lateral movement with the cameras, I still would have opened access for the very system they attacked since that system needs access to the cameras. I'm rambling sorry - I should wait to post when I learn more. I've reached out to my firewall vendor (Unifi) to see if they can recover anything from the internal syslog of the system or have any other methods of detecting an IOC or point of origin... what a mess.
172pilot - 2 years ago
That is really scary and concerning.. I am also using unifi, and am probably relying too much on NAT for security, so I'm probably in a similar boat. I don't do nearly enough monitoring that I'd even be confident that I would know if I was hacked. Since there wouldn't seem to be any direct path from outside to the camera though, I'm still having problems blaming it directly. I can't help but think SOMETHING at least had to somehow proxy that initial connection to the camera or be the initial vector to get behind the NAT and then the camera was just a good jumping off point. Did you buy that camera new? I did see a blog once about firmware being available for that camera to allow it to keep a reverse shell open. It was a pretty clever hack, and I didn't think much of it, again because you'd need to be able to get the new firmware on the camera, but then the person who wrote the article mentioned that if someone bought the camera, did the hack, then returned the camera to a retail store, then someone buying the camera would be taking it home, configuring it for their wifi, and then have a reverse proxy back to the attacker's computer. I have always bought mine straight from Wyze, so I didn't worry much about this. I can't seem to find that blog article, but it was a cool hack - they injected some startup commands right into the firmware image from Wyze and explained the whole thing.
172pilot - 2 years ago
Found the hack I was talking about: https://www.youtube.com/watch?v=hV8W4o-Mu2o
gleep52 - 2 years ago
This is awesome thanks for the share. I bought mine from amazon and they were still shrink wrapped and properly packaged - though I suppose if someone had this in their planning they'd probably package it well.
I've had them for about a year or more and haven't had any issues until this Wyze firmware/3year bug has made headlines lately... I'm guessing they are not related but more spudding cybersec people without morals are probably spending more time hacking now than ever... and honestly I don't want to put off that it could be something like Russia trying to find more US based computers to create or grow their botnet even...
I know cybersecurity makes us all paranoid the more we get into it so I try to keep a clear mind - I'm just baffled how it happened. I've made NO hardware changes, no software changes, no updates or new purchases to introduce risk... just out of nowhere and all sources say the wyze cam was the point of origin so far. My old HP DL380 ILO logs say the same IP as the wyze camera too. (it's a static IP on that VLAN)
I'm not sure what else could be hacked into and moved laterally TO the camera first - it seems more likely to me someone reversed in on the HQ connection - it was a firmware before the DTLS stuff even- very old.