Response to the 3/29/22 Security Report

Indeed! While your statements are correct, the vulnerabilities included authentication bypass (CVE-2019-9564), remote control execution flaw caused by a stack-based buffer overflow (CVE-2019-12266) and unauthenticated access as I recall. The CVEs can be looked up at mitre.org easily (among other places) for the more technical folk. As defined, these vulnerabilities let an outside attacker access the camera feed or execute malicious code to further compromise the device.

My point was simply that regardless how simple or complex the cure - and the above does not sound truly consumer friendly to me - the manufacturer needs to inform in significantly less than 3 years. I know all too well that vulnerabilities are a way of life but I also expect to be told when there is one. I have not run any Windows based systems in some time now but still receive - regularly - the Microsoft bulletins on patches and fixes. Likewise the notifications from Cisco and Asus.

'nuff said.

Cheers!

Right, but all of those CVESs require access to port 80 first. Without access to port 80, you cannot connect to the device to execute any of those vulnerabilities. Therefore, any device behind a common router with NAT enabled (as it is by default) is safe from all of those exploits, unless the user has chosen to place their camera in a DMZ, or chosen to forward port 80 to it or if the attacker is already on your network, in which case, they can be assumed to have control of your entire network. And, as the cameras are wireless, and do not have ethernet ports, it is impossible to connect any of these cameras directly to a modem, they must be connected to a wireless router, therefore, all cameras can be assumed to be protected from these exploits from the internet by default.

As that video points out, Bitdefender’s white paper is a how-to manual to hackers and instructs them on how they can take advantage of it.

It still remains important that Wyze reach out to their customers with explicit advice regarding this matter.

Advice: keep using your v1s if you want, as long as they are on a secure secondary network. At some point your camera sensors will burn in and you’ll get the purple haze/ splotchy pixels/lines over your images and you should upgrade to something newer.

To clarify: I don’t work for wyze, but I do spend time supporting some of their products here, for fun.
I have also been employed as a network security technician and system administrator in the past.

Excellent! Thanks @Rareapple3 . I’ve only watched the first 3 minutes but at least, unlike The Verge and Gizmodo and the rest, good old Lon seems to know what a router is!

Yay for Lon.tv.

I don’t have v1s. Never did. My concern is focused on corporate responsibility and protecting myself going forward.

To that end, is the advice in that video good in terms of sequestering the cams to a guest network? I have no and probably will never have cams inside my home, My main concern is protecting the personal info stored on my computers and other devices on my home network from vulnerabilities potentially introduced by IoT devices.

That’s a good wrinkle I hadn’t even considered - I imagined a literal handful of people may have bought additional public IP addresses and granted them to their cameras (for no discernable reason) - but the only way your statement would be disproved is if they not only had the extra IPs but put a non-routing Access Point (with an accompanying DHCP server to hand out the public IPs) on the same segment. Might be down to a single theoretical user.

Agreed. I was not disagreeing with you but none of this absolves Wyze from telling people what is going on. Likewise, if Bitdefender holds the info.

Cheers!

Ha! Of course, someone could sit outside, near your router, with a sniffer in hand and … but we’re now getting silly. Again, my issue was with Wyze sitting on this information for 3 years.

Cheers!

Amen! You kinda summed up my only point.

Yes, it is good basic advice to put devices on the guest network. Should the device be accessed your computers etc will not likely be accessed. However, the vulnerability reported had nothing (or little) to do with your computer being accessed (though that is always possible, of course) but rather data on your camera being vulnerable.

Cheers!

As a general rule, I wouldn’t allow any device onto a corporate network that can’t be controlled by a security policy. This includes all IoT devices, security cameras, personal wifi devices brought in by employees, etc. I would generally set up a VLAN for those sorts of devices, and exclude access to the router’s management ports and any other corporate LAN networks, making a VLAN and separate virtual wireless access points for different tiers of trust.

You generally want all your IoT devices on their own VLAN, blocked from access to any corporate LANs, with internet access only. This applies to any consumer grade item that needs internet access. If you’re connecting consumer grade products to your company network, and haven’t been hacked yet, you will be in the future.

Please DM me, I will take all of your [Mod Edit] hardware… I will pay for shipping.

Sorry if I said anything to lead you to a wrong assumption. I’m strictly talking about a home network. But I appreciate your point regarding corporate networking as well and hope your advice helps someone in any case.

And I’m gonna extrapolate from your comments that your advice can be generalized to a home network as well.

My husband is retired from his career as a network (security) engineer with a telecom company and would be able to answer my questions. However, never in a manner that this novice techie would understand. So I avoid that scenario for the sake of our ongoing peaceful cohabitation.

The marriage you save may be my own. LOL

Thanks for the explanation. If correct, Wyze should had been more forthcoming with news. On the other hand, if someone has my wi-fi password, wyze video files would be at bottom of worries for me.

So, I’ve done firmware for over 35 years now. Even though I think the original report was overblown, I cannot understand why it took Wyze three years to fix this.

Ideally, this would not be a bug, but rather a fully implemented, secured feature. I could see where implementing such a feature might take a while because of the time it takes to burn down a feature request list, but if there was a known vulnerability, Wyze had a responsibility to address it in a timely fashion. These days, the strategy must be “fix first” “features and new product later”. Failure to do so will result in an erosion of trust in your products. Trust is hard to gain and can be lost in an instant. Anyone who is not the least concerned about Wyze’s response really needs to put their security hat on and have another think.

Especially when this exists.

I’m going to guess that Wyze has fixed this since then and is using the T31’s Secure Boot feature. But it looks like this was out there for a while and it never was disclosed that someone could do this.

Personally, I have quit buying new Wyze gear as I didn’t buy this stuff for the subscription model (which seemed to be much more important to get implemented than fixing a vulnerability). I have every confidence that Wyze is fully committed to producing products in order to sell subscriptions and that does not fit my needs.

Along those lines, I looked at the RTSP firmware for the V3 cameras, but fear it has vulnerabilities (possibly undisclosed) that have not yet been addressed as they have for the normal firmware.

I downloaded what I think is the latest firmwares for the V3 camera, standard and RSTP, I’m a bit dismayed by the “demo” prefix on all of it, I 'd hope for the word “gold” or “validated” or something to indicate the firmware had gone through a formal validation process.

Looking at the versioning information, it is unclear if the RTSP firmware is “newer” than the standard firmware or whether Wyze just has some goofy non-linear versioning scheme.

• demo_wcv3_4.36.8.32.zip
• demo_v3_RTSP_4.61.0.1.zip

It is also unclear what state the RTSP firmware is in, and how it fits in the lineage of V3 firmware. It would be nice if Wyze would just fix their process and make sure they built and validated both versions of the firmware in lockstep.

Can Wyze respond and let us know where the RTSP firmware stands?

The consistent “demo” naming is weird but mostly cosmetic. Not really something to worry about.

On the RTSP firmware they’ve been moderately clear that they were one-offs cut from the main branch and will NOT be regularly patched or updated. In fact it was a surprise when they released a second version for the V2.

I have seen it but not done anything with it as of now. Technically, RTSP firmware eliminates the cloud portion and many of the nvr solutions like “Frigate” seem to incorporate all the ai detection Wyze desperately wants to charge for. As I only have one Wyze camera at this time - in the garage - this is not a very high priority for me currently but it is an interesting option to possibly follow up on one day.

Cheers!

Sigh but it really doesn’t. The Wyze RTSP still provides most cloud features and also still wants to phone home periodically.

My bad, thanks for the correction. As I said, I have not done anything with it as of yet.