
Wyze Cam Vulnerabilities Could Let Attackers Access the Live Feed, Research Finds

Silviu STAHIE

March 29, 2022


Bitdefender’s security researchers investigated all iterations of the Wyze Cam device and found three vulnerabilities that would have given attackers direct access to the cameras, including recordings stored on the SD card.

Smart cameras are always a sensitive subject because of their importance in a household. They are often used to monitor children, backyards and other areas, meaning they collect data that should never end up in the hands of attackers.

The Wyze Cam investigation revealed a series of vulnerabilities that could have been easily weaponized in the wrong hands. Typically, the window for responsible disclosure is 90 days, but Bitdefender contacted the vendor all the way back in March 2019. Publishing details on the vulnerability in the absence of a patch is problematic when it comes to smart cameras, so Bitdefender waited until the vendor fixed the issues.

First of all, security researchers managed to bypass the authentication process for remote connection and obtained almost total control.

“After authentication, we can fully control the device, including motion control (pan/tilt), disabling recording to SD, turning camera on/off, among others,” explained the researchers in the whitepaper. “We can’t view the live audio and video feed, though, because it is encrypted.”

The second vulnerability is a more standard stack buffer overflow, which, combined with the remote authentication bypass, would have given attackers access to the live feed.

Finally, the third vulnerability was more of an oversight because it allowed users to view the contents of the SD card via the webserver listening on port 80 without authentication.

“This is due to the fact that, after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the web server,” the researchers also explained.
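The misconfiguration the researchers describe can be checked for on an extracted firmware image or a device's web root. The following is an added example, not code from the whitepaper or the vendor: it flags symlinks under a web root that resolve outside it. The directory names (`www`, `mnt/sdcard`, the `sd` link) are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(web_root):
    """Return sorted (link, resolved_target) pairs for symlinks under
    web_root whose target lies outside the web root."""
    root = Path(web_root).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed in dirnames
    # but not descended into, so the walk itself stays inside the tree.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            target = path.resolve()  # non-strict: dangling links still resolve
            if target != root and root not in target.parents:
                findings.append((str(path.relative_to(root)), str(target)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout: a web root plus a sibling directory standing in
    for an SD card mount point (hypothetical names)."""
    base = Path(base)
    www = base / "www"
    sdcard = base / "mnt" / "sdcard"
    (www / "static").mkdir(parents=True)
    (sdcard / "record").mkdir(parents=True)
    (www / "index.html").write_text("ok")
    (sdcard / "record" / "clip.mp4").write_text("constructed sample")
    # Link that exposes the card contents through the web server.
    os.symlink(sdcard, www / "sd")
    # Link that stays inside the web root and must not be flagged.
    os.symlink(www / "index.html", www / "static" / "home.html")
    return www


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in find_escaping_symlinks(build_sample_tree(tmp)):
            print(f"{link} -> {target} (outside web root)")
```

Any finding means the web server will serve files from outside its document root unless it is configured not to follow symlinks or the path requires authentication.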

The company issued patches to fix these issues, but three generations of cameras are affected. While versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and no longer receives security fixes. If you have one of these unsupported cameras, switching to a supported model is recommended.

Download the research paper here

