I’m sorry rbautil the update bricked your cameras. Yes, I’ve been reading in several forums & finding this “forced update” has caused issues & worse bricking cameras. So is Wyze going to replace those cameras their forced update cuzed to those cameras (those that are past warrenty)?
So why hasn’t Wyze removed this update, which obvously was rushed out & not properly checked that it were a stuable update, & removed users from being locked out of single live streaming & play back on their (our) cameras?
Imagine if MicroSoft locked us out of using our computers til we updated the OS!
Have you tried yet to view an event lars2? I just tried to view a motion on the side of the house in eve hrs & just to view that camera, I am getting the update popup. I can’t even adjust the settings for the cameras & change detection settings. Our cameras have been jijacked!
This is a great example. Windows does critical updates all the time, but still allows us the flexibility of deciding when they take place even if they’re really important.
I don’t doubt that they could/would do a forced update if it was a beyond critical and urgent remote zero day exploit that was easy and widely public or something… But despite all the important security issues that have come up, I can’t think of the last forced update I had to deal with, and yes, they also control cameras, webcams, and more, but still rarely to never force immediate updates with no flexibility.
I think that’s usually only if you already downloaded the update then shut down your computer. Then they tell you it will install the next time you restart. So the solution is you can wait to restart and you can postpone (schedule) when it does it.
At least that’s how it’s always been for me. I never turn my computer(s) off though, so it pretty much never happens to me anyway.
A Firmware Flash will most likely recover those cams to working order.
The current issue with the failed firmware updates “bricking cams” on several models is not in the firmware itself but within the OTA update process failing somewhere in the download and install logic. And, this is not a new problem. This issue has been documented in multiple prior OTA firmware updates, on multiple models, since 4.36.11.xxxx and it’s equivalent on other cams was introduced some time back.
Many users, myself included, have successfully OTA updated V3 cams to this version. Others have successfully Flashed to this version. This indicates that the Firmware code is sound. The OTA Update process of getting it there is questionable at best.
Since Wyze has now disabled the download of all prior firmware versions for these cam models to force everyone into the current version, users seeking prior versions will need to look to the Social Media platforms to get older Firmware Flash archives from other users who have archived them locally.
Then that isn’t a V3 Cam, which is the topic of this thread. The PanV3 and VDBv1 Firmware Update Thread discusses the only two current Firmware Updates to have been posted as Mandatory\Forced Updates recently. The V3 Firmware is not mandatory or forced. Any Firmware Pop-Up Messages on a V3 can be cancelled.
I haven’t noticed any problems with my v3 cams after the update.
It sounds like no one else has reported their V3 cams getting updated automatically like mine were, which makes me wonder what really happened with mine. Maybe some other bug caused my auto-update to get turned on, which then caused the cams to get updated. I know auto-update wasn’t turned on to begin with, as I did originally see the messages prompting me to update the firmware, as with past updates.
V3 firmware updates this last year have been flaky at best. This forced firmware update may have similar issues. Cameras should be power cycled or at least restarted before pushing firmware in my opinion.
Once this update is applied, is the camera secure from future attacks?
If the camera was compromised prior to firmware update and fix, does applying the latest firmware remove previous “owning” of device of security vulnerability OR is compromised access
Local network access. This could be provided by an app on a local network device (eg smartphone using Wyze app and security flaw in Wyze app). Or a compromised device on network (Wyze cam hacked from cloud/service). Or compromised network.
What exactly was the vulnerability (attack surface, attack window, attack behaviour, remediation, etc)?, 3rd party software library used in Wyze firmware? How long has this issue been accessible and provided a window of opportunity to hack the cameras and gain local camera and/or possibly compromise camera and launch attacks? Was vulnerability remote access to camera functions only, or visibility and ability to use camera to attack other devices inside the local network? Printer temporary memory was used years ago as way to attack other local network devices. Given device was compromised, what else could have happened and how does user remediate?
I get vendors like Wyze not disclosing vulnerabilities fully to protect users (and themselves from liability, reputational damage, etc) but lack of information or misinformation can be just as damaging, as user expected to manage, own and control… without ALL the information. BEST PRACTICES with security of camera
Is not present in installation instructions… and is not proactive w AI support either (maybe in future).
Bottom line… lots of opportunities for growth here in security (why software testing didn’t reveal, will it next time?), communications, firmware update process, best practices, education, etc
No cam is safe from future attacks. So long as there are knucklehead hackers out there with the time and desire to create a new tool to punch a new hole in the firmware, there will always be a need for new security updates. We can only hope that the hackers who are working that hard at breaking firmware are on the good guy’s side and are doing it for the Bounty money from Wyze when they submit it to Wyze.
All of that is covered in great detail within the News Articles that reported it and published online by the spiteful hacker who uncovered the RCE vulnerability.
Well said and totally agree! Block all open ports not used or needed in your router. Create an approved list of MAC addresses and block all others from even connecting.
People should worry about the other slew of apps for various other products because those apps used to control lights or whatever have most likely saved your network credentials. As Slab, Carver, and others have said, IoT things should always be separated and isolated from your main network.
Great job guys for the non complicated explanations so others not as savvy can understand. I would like to advise as well to use WPA3 if your routers support it for your main devices (desktop, laptop, etc). IoT things, from what i have anyways, only support WPA2. Just a suggestion.
Since the firmware upgrade last week, all three of my Cam v3 were off line, I deleted one cam and did the following
a factory reset,
created a IoT specifically for 2.5Ghz network, and
added that cam as a new device. However, I kept getting “unable to find specific network name”.
I happen to have an extra brand new Cam v3 and did the above - added a new cam, added to the IoT network on 2.5 Ghz and added that cam as a new device. And it worked. As I finished the set-up, I was asked if I want to do a firmware update. I canceled to avoid repeating the problem encountered by all my other Cam v3. Whatever that firmware did, it certainly is a suspected root cause
Make sure the newly created IoT network is not hidden. Reboot the router, connect your phone to the IoT network, then try connecting the camera. It should first attempt to pull the SSID from phone if not, manually enter it. Let me know. I’m curious to see if it addresses your issue. Good luck.