Wyze Cam Vulnerabilities Could Let Attackers Access the Live Feed, Research Finds

Bitdefender’s security researchers investigated all iterations of the Wyze Cam device and found three vulnerabilities that would have given attackers direct access to the cameras, including recordings stored on the SD card.
Smart cameras are always a sensitive subject because of their importance in a household. They are often used to monitor children, backyards and other areas, meaning they collect data that should never end up in the hands of attackers.
The Wyze Cam investigation revealed a series of vulnerabilities that could have been easily weaponized in the wrong hands. Typically, the window for responsible disclosure is 90 days, but Bitdefender contacted the vendor all the way back in March 2019. Publishing details on the vulnerability in the absence of a patch is problematic when it comes to smart cameras, so Bitdefender waited until the vendor fixed the issues.
First of all, security researchers managed to bypass the authentication process for remote connection and obtained almost total control.
“After authentication, we can fully control the device, including motion control (pan/tilt), disabling recording to SD, turning camera on/of, among others,” explained the researchers in the whitepaper. “We can’t view the live audio and video feed, though, because it is encrypted.”
The second vulnerability is a more standard stack buffer overflow, which would have given attackers access to the live feed combined with the remote authentication bypass.
Finally, the third vulnerability was more of an oversight because it allowed users to view the contents of the SD card via the webserver listening on port 80 without authentication.
“This is due to the fact that, after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the web server,” the researchers also explained.
The company issued patches to fix these issues, but three generations of cameras are affected. While versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and no longer receives security fixes. If you have one of these unsupported cameras, switching to a supported model is recommended.
Download the research paper here
tags
Author
Right now
Top posts
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside
June 28, 2022
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online
June 28, 2022
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021
June 22, 2022
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data
May 24, 2022
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight
April 15, 2022
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users
April 14, 2022