Researchers have discovered multiple security vulnerabilities in Wyze Cam smart cameras that expose saved videos to a remote attacker. Wyze patched the vulnerabilities following the bug disclosure, but users must ensure that their devices receive the updates.
Wyze Cam Vulnerabilities
In a recent blog post, Bitdefender researchers explained how exploiting the Wyze Cam vulnerabilities could put users’ security at risk.
As elaborated, they spotted at least three different bugs compromising the device’s security. These include CVE-2019-9564 – an authentication bypass, CVE-2019-12266 – a stack-based buffer overflow leading to remote code execution, and unauthenticated access to the SD Card.
The researchers explained that exploiting these vulnerabilities could allow an adversary to remotely compromise the internet cameras and access saved videos. Describing the SD card issue, the researchers stated:
When inserting an SD card into the camera, the contents of the SD card (including the recordings) can be accessed via the webserver listening on port 80 without authentication. This is due to the fact that, after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the webserver.
In addition, an attacker could view the card contents via the “hello.cgi functionality located at /cgi-bin/hello.cgi”. The attacker could also download the target files via the /SDPath/ path.
The researchers have shared the technical details of their study in a separate white paper.
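The SD card exposure described above comes down to a symlink inside the served directory that points outside it. The following is an added example, not code from Wyze or Bitdefender: it models that layout in a temporary directory and contrasts a file resolver that follows the symlink with one that refuses it, plus an audit helper for finding such links in a web root. The directory layout, file names and function names are assumptions made for illustration; only the SDPath name comes from the article.

```python
import os
import tempfile

def naive_resolve(webroot, url_path):
    """Risky pattern: join and serve, following any symlink inside the webroot."""
    candidate = os.path.join(webroot, url_path.lstrip("/"))
    return candidate if os.path.exists(candidate) else None

def safe_resolve(webroot, url_path):
    """Hardened pattern: resolve symlinks first, then require that the real
    path still lies inside the real webroot."""
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # path escapes the webroot (e.g. via a symlink)
    return candidate if os.path.exists(candidate) else None

def escaping_symlinks(webroot):
    """Audit helper: list symlinks under webroot whose target is outside it."""
    root = os.path.realpath(webroot)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    found.append((os.path.relpath(path, root), target))
    return found

def build_demo_tree(base):
    """Constructed layout: www/ is served, sdcard/ is mounted elsewhere,
    and www/SDPath is a symlink to the card mount (as the article describes)."""
    www = os.path.join(base, "www")
    sd = os.path.join(base, "sdcard")
    os.makedirs(www)
    os.makedirs(sd)
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("ok")
    with open(os.path.join(sd, "record.mp4"), "w") as f:  # constructed sample file
        f.write("video")
    os.symlink(sd, os.path.join(www, "SDPath"))
    return www

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        www = build_demo_tree(base)
        print("naive:", naive_resolve(www, "/SDPath/record.mp4"))
        print("safe: ", safe_resolve(www, "/SDPath/record.mp4"))
        print("audit:", escaping_symlinks(www))
```

The containment check only addresses the symlink escape; a server would still need authentication in front of any recordings it intends to serve.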
Wyze Patched The Flaws
Bitdefender researchers found these three vulnerabilities in 2019. However, they disclosed them only recently because of the delayed patches from Wyze.
Specifically, the vendor fixed CVE-2019-9564 in September 2019 and CVE-2019-12266 on November 9, 2020. Evidently, fixing these two bugs took the vendor a long time. However, the worst delay was in fixing the third bug, which Wyze addressed in January 2022.
Hence, the researchers have disclosed the bugs now, after confirming all fixes from the developers. Wyze Cam v2 and v3 users should update their device firmware as soon as possible, whereas Wyze Cam v1 users should consider upgrading their devices, as the vendor has discontinued this product line. Continuing to use unpatched cameras would threaten users’ security.