Three vulnerabilities found in Wyze Cam devices allow for outside access
Several vulnerabilities have been found in popular Wyze Cam devices that give threat actors widespread access to camera feeds and SD cards, according to a new report from cybersecurity firm Bitdefender.
Bitdefender found that some Wyze Cam lines were affected by an authentication bypass vulnerability (CVE-2019-9564), a remote code execution flaw caused by a stack-based buffer overflow (CVE-2019-12266), and a third issue allowing unauthenticated access to the contents of an SD card.
Bitdefender noted that after more than two years of working on this issue, “logistic and hardware limitations on the vendor’s side” prompted the discontinuation of version 1 of the product, leaving existing owners “in a permanent window of vulnerability.”
Wyze Cam version 1 has been discontinued and is no longer receiving security fixes, while Wyze Cam Black version 2 and Wyze Cam version 3 have been patched against the vulnerabilities.
“While most of our reports get answered and patched, this one ends differently. We advise users to stop using this version of hardware as soon as possible,” Bitdefender explained.
Bitdefender first contacted Wyze on March 6, 2019, and spent months attempting to get in touch with the company about the vulnerabilities it had discovered. While subsequent updates from Wyze reduced the risk of unauthenticated access to the contents of the SD card, Wyze was largely unresponsive to Bitdefender’s initial contact attempts.
By September 24, 2019, Wyze released an update for its Cam v2 products that fixed CVE-2019-9564. Wyze later released a fix for CVE-2019-12266 by November 9, 2020.
Bitdefender notified Wyze that it was planning to publicize the vulnerabilities in September 2021 and the company released a firmware update on January 29, 2022 that fixes the SD card issue.
The cybersecurity company said CVE-2019-9564 gives threat actors full control of a device, including the ability to control its motion, disable recording, turn the camera on or off and more.
Bitdefender explained that CVE-2019-9564 on its own does not allow an attacker to view the live audio and video feed, but when combined with CVE-2019-12266, exploitation “is straight-forward.”
CVE-2019-12266 lets an attacker set which servers the camera uses to connect to the cloud. The SD card vulnerability gives threat actors access to the contents of the card once it is inserted into the camera.
In a statement to The Record, Wyze’s cybersecurity team said they appreciated the responsible disclosure provided by Bitdefender on the vulnerabilities.
“We worked with Bitdefender and patched all security issues in our supported products. These updates are already deployed in our latest app and firmware updates,” they said.
An IoT ‘wakeup call’
While the vulnerabilities have been patched, some experts like Vulcan Cyber’s Mike Parkin said the lengthy timeline – spanning almost three years – left them concerned about whether malicious actors found, and leveraged, these vulnerabilities during that time.
Bud Broomhead, CEO of IoT security firm Viakoo, said one of the most concerning vulnerabilities in the report centered on SD card files.
IP cameras, including the Wyze Cams in this report, are sometimes meant for creating video evidence that could be used in investigations or legal proceedings, Broomhead said, adding that these vulnerabilities could invalidate use of video as evidence because of the potential for evidence tampering.
“Even more chilling is the potential for deepfakes to replace real video evidence, as these vulnerabilities would enable. This report should be a wakeup call to the broader issue of IoT devices as the most vulnerable part of an organization’s attack surface,” Broomhead explained.
He noted that news outlets have covered extensive issues with IP cameras, including Realtek-based devices being used by botnets, Exterity IPTV devices with zero-day vulnerabilities, and hacktivists gaining access to CCTV feeds from Iran and Belarus.
According to Broomhead, most cameras like these are managed by non-IT organizations that do not have the training or the budget to ensure that all IoT devices are kept on the most secure version of firmware.
“This results in long delays in patching these vulnerable devices, keeping open the attack window for much longer than traditional IT systems. In addition, they are often distributed widely (think of a camera hanging outside a building), making the process of updating them very time consuming unless an automated solution is used,” he added.
“And as is highlighted in this report, many IoT devices like IP cameras get obsoleted by the manufacturer, therefore no new patches to fix vulnerabilities, yet continue to be used by organizations as long as they are functional.”
He urged organizations to create an inventory of all Wyze assets and plan for either automatically patching current devices or replacing obsolete devices with ones that can be patched.
Parkin also suggested isolating IoT devices from production networks in light of the issues around them.
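The two recommendations above, an asset inventory with a patch-or-replace decision and isolation of IoT devices from production networks, can be turned into a repeatable triage check. The script below is an added example, not code from the article, from Bitdefender or from Wyze. It assumes an inventory in which each camera records its product line, the release date of the firmware it runs and the network segment it sits on; because the article gives fix dates rather than firmware version numbers, the firmware release date is used as a stand-in for the version, and the fix dates are applied uniformly to the patched lines as a simplification. The product lines, the fix dates and the "discontinued" status come from the article; the inventory records are constructed.

```python
"""Triage a Wyze Cam inventory against the disclosure timeline in the article.

Added example (not the article's, Bitdefender's or Wyze's code). Assumes an
inventory of (name, product line, installed-firmware release date, network
segment). Firmware release date stands in for a version number, which the
article does not give.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Fix dates as reported in the article (applied to all patched lines here).
FIX_DATES = {
    "CVE-2019-9564": date(2019, 9, 24),   # authentication bypass
    "CVE-2019-12266": date(2020, 11, 9),  # stack-based buffer overflow (RCE)
    "SD-card-access": date(2022, 1, 29),  # unauthenticated SD card contents
}

DISCONTINUED = {"v1"}              # discontinued, no fix available (per article)
PATCHED_LINES = {"v2-black", "v3"}  # lines the article says were patched
ISOLATED_SEGMENTS = {"iot"}         # segments considered isolated from production


@dataclass(frozen=True)
class Camera:
    name: str
    line: str            # "v1", "v2-black" or "v3"
    firmware_date: date  # release date of the firmware currently installed
    segment: str         # e.g. "iot" or "production"


def triage(cam: Camera) -> list[str]:
    """Return the actions a camera needs; an empty list means no action."""
    findings: list[str] = []
    if cam.line in DISCONTINUED:
        findings.append("replace: discontinued line, no fix available")
    elif cam.line in PATCHED_LINES:
        # Firmware older than a fix date cannot contain that fix.
        missing = [issue for issue, fixed in FIX_DATES.items()
                   if cam.firmware_date < fixed]
        if missing:
            findings.append("update: firmware predates fix for " + ", ".join(missing))
    else:
        findings.append("review: unknown product line")
    if cam.segment not in ISOLATED_SEGMENTS:
        findings.append("isolate: move off production segment")
    return findings


def triage_inventory(cams: list[Camera]) -> dict[str, list[str]]:
    """Map each camera name to its list of required actions."""
    return {cam.name: triage(cam) for cam in cams}


# Constructed sample inventory for demonstration.
SAMPLE = [
    Camera("lobby-cam", "v1", date(2019, 1, 15), "production"),
    Camera("dock-cam", "v2-black", date(2020, 6, 1), "iot"),
    Camera("yard-cam", "v3", date(2022, 3, 1), "iot"),
]

if __name__ == "__main__":
    for name, actions in triage_inventory(SAMPLE).items():
        print(name, "->", "; ".join(actions) if actions else "ok")
```

Running the script on the constructed inventory flags the v1 camera for replacement and for removal from the production segment, flags the v2 camera as running firmware that predates two of the three fixes, and reports the up-to-date v3 camera on the IoT segment as needing no action. In a real deployment the inventory rows would come from the organisation's asset register rather than being hard-coded.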