A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years.
Wow, I'm surprised how irresponsible BleepingComputer comes off here. While still a serious vulnerability, this is almost scare mongering when it doesn't mention that almost no one is vulnerable to this because almost everyone is using a WyzeCam behind a NAT router, not handing out unprotected public IP addresses.
If I have misunderstood, please correct me.
The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication.
May or may not be related to this (depending on reporting user's response)?
And that it was fixed a couple months ago. I just tried it and no access. But my cameras are all up to date.
The part I find most interesting is the WYZE response at the end.
"At Wyze, we put immense value in our users' trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and take appropriate measures to protect our customers' privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates."
Yet the article makes it quite clear that it took WYZE multiple years to address the 3 concerns they brought forward. I do not consider multiple years to fix these issues taking "all security concerns seriously". In fact, I'm extremely disappointed and based on the actions taken by WYZE it is clear that they do not take security seriously.
Furthermore, the article does not discuss if additional vulnerabilities have been reported during the multiple years it took WYZE to address these three. In other words, how many more vulnerabilities have been reported to WYZE that have not been disclosed to the public or addressed by WYZE?
My trust has been deeply shaken and this article explains how/why I've found uSD cards with odd files and structures in the past. Nothing this year, but twice in 2021 on the same cam.
Meh, I am boring so they wouldn't get much if they did hack them. I only have 2 out of 5 cameras working since last update.
Very interesting… Security issues aside, and throwing this out there for the more technically adept… A little off topic
"allowed remote users to access the contents of the SD card in the camera via a webserver."
So if hackers can see the contents of the SD when not protected by a NAT router, why can't I access the contents (file system, transfer, download etc.) when I am credentialed into that NAT router? It doesn't seem like it would be that difficult for Wyze to allow this.
Did we ever hear back from @BillyCroan as to if their access\copy method was remote or direct?
Could not agree more. Between this and the lack of serious software/firmware QA there is very little to foster a sense of confidence they have any customer interests in mind.
For a few more details on these vulnerabilities: https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/
Ultimately, you will likely want this, which is linked from the page above: https://www.bitdefender.com/files/News/CaseStudies/study/413/Bitdefender-PR-Whitepaper-WCam-creat5991-en-EN.pdf
This is the reason that I don't put an app-controlled door lock on my home or office. Leaving major security holes for years is a major violation of trust, and if they are ok with doing it once, how can I trust them going forward?
Love the products, but this makes me lose all respect for WYZE.
I don't think anyone ever really thought it was difficult. HTTP, FTP, SMB, pretty much any lightweight server would be really easy to implement. Somebody hacked (in the benign way) one in a while back.
Great question, which also makes me question the accuracy of the assertion.
NOOOOOOOOOOO. WYZE DON'T DO IT!!! That's not a flaw. And those "attackers" they are your customers. If this is really something that lets a user on the same lan download mp4's from the sd card over with, that's #NOTABUG. I'm so not doing any more firmware updates until I figure out how to use this, properly.
Probably far too late, Billy. This sounds like the one time forced update that some of us were questioning. Took long enough to find out the actual reason. Sheesh.
Anyway, very unlikely you escaped it.
The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update.
The functionality would be great if it required authentication. Allowing just anyone on the same wLAN to connect at will, that's not a feature, that's a major vulnerability.
Wouldn't authentication through the app credentials be sufficient?
Yes. But as noted the (now patched) issue was a wide open web service.
What web server? Is it running on the camera? So they're saying there is a web server running on port 80 of each of my affected cameras that gives direct access to the SD card? Can I access them with their IP address from if I'm inside my network, on a V1 Cam, or a V2 or V3 cam over the past few years? That article seems to think so.
According to the article, "The SD card typically contains video, images, and audio recordings but can include various other [tax information, scanned journal pages, bank logins, saved memes, vacation photos, and crypto wallet recovery phrases that the user probably stored there]." [Paraphrase] added, but I think I stayed with the general scary mood of the article.
Is this the SD Card that I inserted in the camera, or is like the "SD Card" on my android phone, which is really the built in memory? The article seems to think that "all the log files for the device" are stored there as well along with encryption keys (public key?) and that "their disclosure may result in unobstructed remote connections to the device". Isn't that what you get from the webserver running on port 80 with no login? What does a cam do with all those log files when I don't have an SD card in there?
If so, from outside my home network, I would need to be forwarding port 80 to one of my cameras for this vulnerability to work, right? So, if I read this right…right now I just need to worry about my wife spying on my garage cam, or some neighbor that has figured out my wifi pw.
I gotta say…this seems like a whole lotta nothing. It's so clickbaity. Like an article that says "Did you know the glass in windows of homes built before 2019 are nearly 100% transparent? You'll be SHOCKED by what 100 peeping toms see while you sit at your desk and work…"
Dang, just tried http://192.168.86.63:80 and http://192.168.86.63/ on a V1 and got nothing. What a letdown.
You could have in the past but this is what was patched in Q1 2022 forced update (forced to all cameras 2 months before the article was published).
Yes.
Dunno.
Mostly correct. Particularly because it was already patched on every online regular-firmware Wyzecam in existence.
There was limited exposure for (a) people feeding valuable public IP addresses to their Wyzecams or port forwarding to them and (b) people sharing their home WiFi with untrusted individuals.
Interesting to learn about the vulnerability though.
It's pathologically insane to require authentication for local access.
Tell me. What kind of authentication is required to remove the SD card and put it in my laptop? What kind of authentication is required to disconnect power from a camera? Or to crush it under a mallet?
None.
Because you can do all those things locally. It's not remotely. Local access trumps all.
To say that this was remotely exploitable is as dishonest as it is idiotic. No TCP port on these cameras is remotely accessible because nobody has a wyze cam with the public IP. They're all (>99.999%) on the inside of a one-way Network address translator.
And those .001% of people are no accidents. You have to work quite hard to put one of these cameras on a public IP and at that point you should know what you're doing enough that you don't allow the world to communicate with a closed source iot device.
Anyone on the local network could already be doing arp spoofing against the wyze cams or DNS poisoning or 802.11 attacks. A local user could man in the middle the cameras or crush them with a mallet.
It has been much the trend for some time to sensationalize anything that could be perceived as a security bug. It makes the speaker feel soooooo smart, and holier than thou, whoever made the product. It is attention-seeking. It is virtue signaling. It is posturing.
I've worked in cyber security now for almost 15 years. Real vulnerabilities do exist. But by and large the vast majority of announcements are technicality nonsense.
Sensationalist nonsense devalues actual vulnerabilities and betrays the public with alarm fatigue. It is because of the flood of these articles that nobody pays attention to real vulnerabilities when they do happen.
Just look at the four and five digits in cve these days. Really? Over 10,000 critical vulnerabilities a year? I don't think you understand what critical means anymore.
It would be nice to have the option to enable authentication for local access. Simple HTTP basic authentication. But it should absolutely be an option that sane people can disable.
And you know what? Then you're going to complain that the password is sent in the clear. And then what, you want ssl? With a unique ssl key on every wyze cam? Good luck with that! Vanishingly few Wyze cam owners know what a hostname is, let alone a CommonName.
Authenticated local access is essentially impossible to achieve in a technically accurate, secure way. So the sane response is to not waste time on local authentication and instead control access to the local network as we already successfully do.
I have at least a dozen other brands of hardware on my LAN right now from companies far more mature than wyze with no local authentication or local authentication disabled by me. Haven't had a breach yet.