A Wyze Cam vulnerability that went unfixed for nearly three years allows unauthenticated remote access to the videos and images stored on the camera's memory card.
The bug, which has not been assigned a CVE ID, lets anyone who can reach the camera's webserver on port 80 read the contents of the SD card without authenticating.
When an SD card is inserted into a Wyze Cam, the firmware creates a symlink to it inside the www directory. That directory is served by the webserver with no access restrictions, so everything on the card becomes reachable over HTTP. The card normally holds video, image and audio recordings, but it may also contain anything else the user has saved to it.
The SD card also stores all of the device's log files, and these include the UID (the camera's unique identification number) and the ENR (an AES encryption key). Disclosure of those two values could give an attacker unrestricted remote access to the device.
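To make the mechanism concrete, here is an added Python example, written for this page rather than taken from Wyze firmware or Bitdefender's research. It models a www document root containing a symlink to the SD card, the naive handler that serves that root without checks, and a hardened handler that requires a credential and refuses any path whose real location lies outside the www root. The directory layout, the URL path /sdcard/log/device.log, the log contents, the UID and ENR values and the token are all constructed for the demonstration and are not real device data.

```python
import os
import tempfile
from typing import Optional, Tuple

# Constructed layout (not the camera's real filesystem): a document root that the
# webserver exposes on port 80, and the directory where the SD card is mounted.
ROOT = tempfile.mkdtemp(prefix="sdcard_demo_")
WWW = os.path.join(ROOT, "www")
SDCARD = os.path.join(ROOT, "sdcard")
os.makedirs(WWW)
os.makedirs(os.path.join(SDCARD, "log"))

# Legitimate content that the webserver is meant to serve.
with open(os.path.join(WWW, "index.html"), "w") as fh:
    fh.write("<html>camera status page</html>\n")

# Constructed log file: the card holds device logs carrying the UID and ENR.
# The values below are placeholders, not real device identifiers.
with open(os.path.join(SDCARD, "log", "device.log"), "w") as fh:
    fh.write("UID=EXAMPLE-UID-000000\nENR=00112233445566778899aabbccddeeff\n")

# The step the text describes: on insertion, a symlink to the card appears in www/.
os.symlink(SDCARD, os.path.join(WWW, "sdcard"))

EXPECTED_TOKEN = "demo-token"  # placeholder for whatever authentication a fixed firmware would use


def serve_vulnerable(url_path: str) -> Tuple[int, bytes]:
    """Naive handler: join the URL onto the www root and return whatever is there.
    Symlinks are followed and no credential is checked, so the card's log file is
    readable by anyone who can reach port 80."""
    fs_path = os.path.join(WWW, url_path.lstrip("/"))
    if os.path.isfile(fs_path):
        with open(fs_path, "rb") as fh:
            return 200, fh.read()
    return 404, b""


def serve_hardened(url_path: str, token: Optional[str]) -> Tuple[int, bytes]:
    """Hardened handler: require a credential, then resolve the target with realpath
    and refuse anything whose real location is outside the real www root. This blocks
    the symlinked card and also ../ traversal, which a symlink-only fix would miss."""
    if token != EXPECTED_TOKEN:
        return 401, b""
    www_real = os.path.realpath(WWW)
    target = os.path.realpath(os.path.join(WWW, url_path.lstrip("/")))
    if os.path.commonpath([www_real, target]) != www_real:
        return 403, b""
    if os.path.isfile(target):
        with open(target, "rb") as fh:
            return 200, fh.read()
    return 404, b""


def extract_secrets(log_body: bytes) -> dict:
    """Pull the UID and ENR out of a served log body: the two values whose disclosure
    the text says could give an attacker remote access to the device."""
    found = {}
    for line in log_body.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("UID", "ENR"):
            found[key] = value.strip()
    return found


if __name__ == "__main__":
    status, body = serve_vulnerable("/sdcard/log/device.log")
    print("vulnerable, no auth:", status, extract_secrets(body))
    print("hardened, no auth:  ", serve_hardened("/sdcard/log/device.log", None)[0])
    print("hardened, with auth:", serve_hardened("/sdcard/log/device.log", EXPECTED_TOKEN)[0])
    print("hardened, index:    ", serve_hardened("/index.html", EXPECTED_TOKEN)[0])
```

Run it directly to see the outcomes side by side: the naive handler hands over the log file and its UID and ENR to an unauthenticated caller, while the hardened resolver rejects the symlinked card even for an authenticated one, because the realpath check looks at where the file really lives rather than at the URL. Against a real camera, the equivalent practitioner check is to request the web root on port 80 from the LAN with no credentials and see whether the device serves anything at all.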
Researchers at Bitdefender reported the flaw to the vendor in March 2019, together with two other vulnerabilities: an authentication bypass and a remote code execution flaw.
Wyze addressed the authentication bypass, CVE-2019-9564, with a security update on September 24, 2019. The remote code execution vulnerability, CVE-2019-12266, was patched through an app update on November 9, 2020, 21 months after it was discovered.
The SD card issue was the most serious of the three, and it was not fixed until January 29, 2022, when Wyze released a firmware update. In February 2022, however, Wyze ended support for its original V1 camera, so those devices receive no further security updates and remain exposed to this privacy issue.
When it retired the V1, the company issued a general warning that continuing to use the outdated product could carry an "increased risk", but it did not mention any specific known security flaw that attackers could exploit.
As the disclosure timeline shows, Bitdefender pressed Wyze repeatedly to act on its reports. That raises an obvious question: if Bitdefender had known about these serious flaws for three years, why did it not go public sooner, rather than waiting on a vendor that was already long overdue?
A Wyze spokesperson addressed the issues in a statement:
“At Wyze, we put immense value in our users’ trust in us and take all security concerns seriously. We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.”