We should hear about this in 3 years or so

Set of bugs puts software company and IoT device makers into motion

Or some device makers at least. No comment from Wyze.

https://therecord.media/throughtek-kalay-software-vulnerabilities-roku-wyze-owlet

Cybersecurity researchers and Internet of Things (IoT) technology companies say they worked together to eliminate four software vulnerabilities that could have given malicious hackers deep access to networks.

**Wyze did not respond to requests for comment about the vulnerabilities.**

1 Like

A quote from the linked article:

A Roku spokesperson said a mandatory patch was issued in January and that an attack could only be launched if the hacker had access to the device owner’s WiFi network.

So only if someone is attached to YOUR network.

2 Likes

Following the trail from the article to Bitdefender’s blog post and from there to Bitdefender’s white paper describing their vulnerability testing against the Cam v3, it looks like Bitdefender’s timeline squares pretty well with Wyze’s own timeline of firmware updates for that camera, which at least gives the appearance that these particular vulnerabilities have already been remediated.

2 Likes

My memory is that ThroughTek TUTK was only used to authenticate the P2P connection between cam and phone. Reading through the vulnerabilities, it appears to do more.

1 Like

Yeah, I remember reading about detection zone issues—and some “Random acts…”—and now following the trail back through Bitdefender to Wyze’s own timeline makes me wonder if yet another “fix” inadvertently broke something else, as is often the case. Scrolling through the firmware history indicates that the Cam v3 in Bitdefender’s test and @peepeep’s Cam v2 would’ve both received firmware updates with “Security improvements” on or around 16 January 2024, near the time Bitdefender says, “Vendor issues update that fixes the remaining issue.”

1 Like

It looks to me like all of those CVEs are related to authentication. AuthKey is about authentication, the pre-shared key is related to the authentication process too, etc. But once you get authenticated, then you can do more, so it is the critical linchpin to more stuff.

This lines up with the updates in October (when Bitdefender disclosed the finding and Wyze released an update) and then again in January (when TUTK announced a critical update to their SDK on their end of things); both times, Wyze pushed out updates to all the cameras that use TUTK, but not to all the ones that didn’t. So it looks like Wyze had them patched up basically immediately, the same month as the notice and again the same month as the SDK update.

It also possibly explains why some people started having authentication issues with some of their TUTK cameras after these updates were pushed out. I would suspect the off-network live-stream issues on some of the TUTK cameras are due to TUTK’s SDK update starting in January. It’s just weird that the issue isn’t affecting everyone.

But as WildBill pointed out, I, personally, really don’t care [urgently or strongly] or worry too much about “vulnerabilities” that can only be exploited by someone locally on my network, since my network is secure. So, to me, this isn’t a huge issue, just as some past CVEs weren’t a huge issue if they required local network access to execute them. It basically just means me and my family. Sometimes I’m even sad about them getting patched, like the one that allowed us to access the SD card recordings if we were on our own secure network anyway, but nobody could do it remotely. I would’ve loved to have been able to access my camera SD cards from my laptop and was very sad they stopped allowing that as a possibility.

1 Like

I didn’t even know this used to be a thing, but I didn’t get my first Wyze camera until about a year ago (I have been using other Wyze devices much longer). That’s something I definitely would’ve missed if I had had it before but no longer did. Since I never had it… maybe not so much, but now knowing about it makes me want that. :crazy_face:

2 Likes
