CVE-2021-32934

Just read an article on a supply chain component vulnerability. Anyone know if this component is used on devices or apps? Millions of Connected Cameras Open to Eavesdropping | Threatpost.

2 Likes

Sure sounds like it! Wyze uses ThroughTek as its P2P service for all of our cameras. This is relevant news, thanks.

Vulnerable P2P SDK

The ThroughTek component at issue is its peer-to-peer (P2P) software development kit (SDK), which has been installed in several million connected devices, according to the supplier. It’s used to provide remote access to audio and video streams over the internet.

Nozomi Networks, which discovered the bug, noted that the way P2P works is based on three architectural aspects:

  • A network video recorder (NVR), which is connected to security cameras and represents the local P2P server that generates the audio/video stream.
  • An offsite P2P server, managed by the camera vendor or P2P SDK vendor. This server acts as a middleman, allowing the client and NVR to establish a connection to each other.
  • A software client, either a mobile or a desktop application, that accesses the audio/video stream from the internet.

“A peculiarity of P2P SDKs…is that OEMs are not just licensing a P2P software library,” analysts at Nozomi Networks pointed out, in a Tuesday posting. “They also receive infrastructure services (the offsite P2P server) for authenticating clients and servers and handling the audio/video stream.”

In analyzing the specific client implementation for ThroughTek’s P2P platform and the network traffic generated by a Windows client connecting to the NVR through P2P, Nozomi researchers found that the data transferred between the local device and ThroughTek servers lacked a secure key exchange, relying instead on an obfuscation scheme based on a fixed key.

“After setting a few breakpoints in the right spots, we managed to identify interesting code where the network’s packet payload is de-obfuscated,” according to Nozomi’s writeup. “Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream.”

1 Like
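The passage above makes two claims worth seeing side by side: traffic between the device and the P2P servers is protected only by an obfuscation scheme with a fixed key, and there is no secure key exchange. The following Python is an added illustration written for this thread, not ThroughTek's SDK, Nozomi's tooling or Wyze's code. The obfuscation (SHA-256 keystream XOR), the `FIXED_KEY` value and the tiny Diffie-Hellman group are all made up for the demonstration; the point is the difference in what a passive eavesdropper on the internet path can do once the fixed key has been lifted out of a client binary, versus when every session negotiates its own key.

```python
"""Toy model of the weakness described above: a P2P stream protected by an
obfuscation scheme keyed with one fixed key shared by every client, versus a
per-session key agreed with an ephemeral Diffie-Hellman exchange.

Illustrative code for this thread only. It is NOT ThroughTek's SDK or Wyze's
code; the obfuscation, the key and the DH group are constructed stand-ins.
"""
import hashlib
import hmac
import secrets

# ASSUMPTION: stand-in for a fixed key an analyst pulls out of the client
# binary with a debugger. The article says the key is fixed, not what it is.
FIXED_KEY = b"example-fixed-key-baked-into-every-client"


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for the real obfuscation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def obfuscate(payload: bytes, key: bytes) -> bytes:
    """Fixed-key 'protection': same key, same keystream, every device, every session."""
    return xor_bytes(payload, keystream(key, len(payload)))


deobfuscate = obfuscate  # XOR with the same keystream is its own inverse


# --- eavesdropper view of the fixed-key design -------------------------------
def passive_attacker_recovers(captured: bytes, key_from_binary: bytes) -> bytes:
    """Whoever captures the packet on the internet path and holds the key taken
    from the client binary recovers the plaintext; no per-session secret exists."""
    return deobfuscate(captured, key_from_binary)


def same_plaintext_same_wire(payload: bytes) -> bool:
    """Even without the key: two sessions sending the same frame produce identical
    wire bytes, a cheap tell in a capture that the scheme has no session key."""
    return obfuscate(payload, FIXED_KEY) == obfuscate(payload, FIXED_KEY)


# --- what a per-session key exchange changes ---------------------------------
# Toy finite-field DH group. CAVEAT: p = 2**127 - 1 is prime but far too small to
# be secure; a real design would use X25519 or an RFC 3526 MODP group.
P = 2**127 - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv: int, their_pub: int) -> bytes:
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    # HMAC extraction step so the raw DH value never keys the stream directly
    return hmac.new(b"p2p-session-v1", shared, hashlib.sha256).digest()


def run_session(payload: bytes):
    """Client and NVR each generate an ephemeral keypair; only public values cross
    the wire. Returns (wire bytes, what the NVR decrypts, what Eve can capture)."""
    c_priv, c_pub = dh_keypair()
    n_priv, n_pub = dh_keypair()
    k_client = session_key(c_priv, n_pub)
    k_nvr = session_key(n_priv, c_pub)
    assert k_client == k_nvr  # both sides derive the same session key
    wire = obfuscate(payload, k_client)
    eve_public_view = (c_pub, n_pub, wire)
    return wire, deobfuscate(wire, k_nvr), eve_public_view


def eve_guess_with_fixed_key(wire: bytes) -> bytes:
    """Eve's only offline key is the one from the binary; it is useless here."""
    return deobfuscate(wire, FIXED_KEY)


if __name__ == "__main__":
    frame = b"\x00\x00\x01\xb3 constructed sample video frame bytes"
    captured = obfuscate(frame, FIXED_KEY)
    print("fixed key recovers frame:", passive_attacker_recovers(captured, FIXED_KEY) == frame)
    w1, _, _ = run_session(frame)
    w2, _, _ = run_session(frame)
    print("per-session wire bytes differ:", w1 != w2)
```

The check a practitioner can actually run on a capture is the second function: replay the same action twice and compare the payload bytes. Identical bytes across sessions or across devices mean the key is static, and static-key "encryption" is only as secret as the least-protected client binary that embeds it.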

Strange we haven’t heard more about this as it applies to Wyze. It was assigned the identifier ICSA-21-166-01 by the US government.

I came across this article…

https://www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/

Are Wyze cameras, old firmware or new, currently affected?

2 Likes

Excellent question…I think you should contact Wyze support…
:rofl:

1 Like

You should ask this at the upcoming CamPlus session.

Hi @cnice

You might want to change the Topic title to:

Millions of Connected Cameras Open to Eavesdropping - CVE-2021-32934

or such like. Will definitely get more traffic and possibly staff attention.

(Click the pencil icon at the end of the current title to edit it.)

Cheers

-peep

2 Likes

I flagged it yesterday for Wyze staff to answer if this affects our Wyze cams.

2 Likes

:astonished: :astonished: :astonished: :astonished: Someone is going to see all my raccoon videos :upside_down_face:

1 Like

Still no reply from Wyze Staff, this is concerning.
If we are not affected they would have chimed in by now.

I will assume this does affect Wyze Cams until told differently by a Wyze staff member.

1 Like

There was a post about a very serious security concern but the title needed more clarity to be noticed.

Wyze Staff needs to address this issue

Please see this post CVE-2021-32934

Wonder when Wyze will comment on this security issue?

ANY data transferred over the internet is subject to hacking.

1 Like

True but that’s like saying any lock can be broken or any person defeated or any food overeaten. This is about a specific identified vulnerability that may or may not apply to us Wyze users.

1 Like

And Wyze staff has failed to even comment on this subject, and it was flagged for their attention…
Just Crickets…

2 Likes

Hey @bryonhu … Man, you’ve been a member (almost) since Wyze’s inception! :slight_smile:

In the past, when you’ve flagged a topic for staff attention have you received either a public or personal response? I haven’t done it for years but I often received a private message, I think.

FYI, as discussed in another topic:

In the past, back when they were only a camera producer (V1, V2, and Pan Cam), they were more responsive and addressed issues that were directed to Wyze Staff.

Since they went crazy on new product releases, they do seem far less responsive to questions/issues directed to Wyze Staff. Guess they are too busy working on the Wyze WiFi-Bluetooth Toilet to answer us on a critical security concern.

Maybe they know it is an issue and won’t address it until they have a solution, rather than reveal to the Interwebz that they are vulnerable. But their lack of response tells me they are vulnerable, in my opinion.

2 Likes

I’ll throw in a valuable factoid, keying off a single word:

  • Roaches can hold their breath underwater for 30-40 minutes.

I don’t know what Wyze can do about that, but there it is.

I have now sent a DM to WyzeGwendolyn; hopefully she will answer back on this, fingers crossed…

1 Like

Great, hope that helps, and hope it’s nothing in the end.

Apparently NOT. The question was posed in the WyzeGwendolyn post Wyze App 2.23 and Wyze Sense Hub 4.32.4.295 Released - 8/4/21, and she replied to another question about Geo-Location.

But just the same, CRICKETS in response to this.