Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds

Three security vulnerabilities have been disclosed in the
popular Wyze Cam devices that grant malicious actors to execute
arbitrary code and access camera feeds as well as unauthorizedly
read the SD cards, the latter of which remained unresolved for
nearly three years after the initial discovery.

The security flaws relate to an authentication bypass
(CVE-2019-9564), a remote code execution bug stemming from a
stack-based buffer overflow (CVE-2019-12266), and a case of
unauthenticated access to the contents of the SD card (no CVE).

Successful exploitation of the bypass vulnerability could allow
an outside attacker to fully control the device, including
disabling recording to the SD card and turning on/off the camera,
not to mention chaining it with CVE-2019-12266 to view the live
audio and video feeds.

Romanian cybersecurity firm Bitdefender, which discovered the shortcomings^[1], said it reached out to
the vendor way back in May 2019, following which Wyze released
patches to fix CVE-2019-9564 and CVE-2019-12266 in September 2019
and November 2020, respectively.

But it wasn’t until January 29, 2022, that firmware updates were
released to remediate the issue related to unauthenticated access
to the contents of the SD card, around the same time when the
Seattle-based wireless camera maker stopped selling version 1^[2].

This also means that only Wyze Cam versions 2 and 3 have been
patched against the aforementioned vulnerabilities while leaving
version 1 permanently exposed to potential risks.

“Home users should keep a close eye on IoT devices and isolate
them as much as possible from the local or guest network,” the
researchers cautioned. “This can be done by setting up a dedicated
SSID exclusively for IoT devices, or by moving them to the guest
network if the router does not support the creation of additional
SSIDs.”