[German]Security researchers from Bitdefender are drawing attention to vulnerabilities they have discovered in the firmware of Wyze CAM IP video cameras. According to Bitdefender, attackers can bypass the authentication process, gain complete control over the device and read information and configuration data from the camera's SD card or install malicious code. The gap can be closed with an update starting with the Wyze Cam V2. However, patching is not possible for the first version of the camera.
Advertising
I received the information from Bitdefender an March 29, 2022. Since surveillance cameras provide sensitive content and the analysis of the data is subject to strict data protection regulations (EU GDPR), the topic may also be of interest to blog readers. After all, a security breach that allows access to recorded videos not only endangers the security of a building, but can also violate privacy. A networked camera as Internet-of-Things (IoT) hardware needs the same protection as a PC endpoint. Anyone who uses the devices as a "security camera" has already lost.
Who is Wyze?
Wyze is a US provider of 'low-cost' smart-home devices such as cameras, lamps, locks or the like. It was founded by former Amazon employees. How the company is related to China and Alibaba (see the reference here) is unclear to me so far. I had already reported on a security issue of this provider in the blog post IoT provider Wyze admits data leak. In addition, Wyze uses cloud services to manage the features of its IoT cameras, which caused chaos when the AWS cloud failed in December 2021 (see Amazon AWS cloud outage causes chaos (2021/12/08)).
(Shop with Wyze products, source: 12security.com)
Security issues with Wyze Cam IoT cameras
The problem with Wyze Cam IoT cameras – as is so often the case in the IoT world – is flaws in authentication. With the older firmware versions of the Wyze CAM models, these are the gateway for attackers. Overall, the security researchers have uncovered the following vulnerabilities:
- Authentication bypass (CVE-2019-9564): A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3, this allows an attacker to bypass the login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.
- Remote control execution flaw caused by a stack-based buffer overflow (CVE-2019-12266): A stack-based buffer overflow vulnerability in Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to execute arbitrary code on the affected device. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.
- Unauthenticated access to contents of the SD card
A flaw in the original authentication process allows third parties to bypass the user login without knowing the enr value that is actually required. This is because a vulnerability allows unauthorised access to all contents of a camera's SD card. Initially, the attacker cannot access the encrypted contents. However, a stack buffer overflow error allows an attacker to attempt remote code execution in the next step and view the videos.
Advertising
In addition, unauthorised third parties can read the content via an automatically created symlink to the directory. This allows the log files of the SD card to be read out. The enr value for authentication and the UID for networking the camera can also be found within the log files.
The combination of flaws makes it possible to gain quasi complete control over the device and to read information and configuration data from the camera's SD card or to install malicious code. In this way, a hacker can completely control the device in remote mode, freely move the lens as he wishes (pan/tilt), stop the recording or completely switch off the camera. As a "surveillance camera", the devices can then effectively no longer be used – and operators from companies are also legally "in the fire" with regard to the European GDPR.
What can a user do?
Bitdefender writes that the manufacturer can no longer provide a patch for the first version of the Wyze Cam for various reasons, because it no longer sells the Wyze Cam V1. Customers who use this model should replace it.
For home users – who are likely to increasingly rely on Wyze (possibly via OEMs) – Bitdefender suggests in this blog post to keep a close eye on IoT devices and isolate them from the local network as much as possible. This could be done by setting up a dedicated SSID exclusively for IoT devices, or by administrators moving the IoT devices to a guest network (if the router does not support the creation of additional SSIDs).
Bitdefender also suggests in this blog post the use of a scanner (Bitdefender Smart Home Scanner app) to scan the connected devices and identify and mark vulnerable devices. However, this is a piece of white ointment somewhere, as this will reveal a hack but will not prevent an intrusion if the vulnerabilities are not closed.
Owners of IoT devices should therefore ensure that they check for newer firmware and update the devices as soon as the manufacturer releases new versions. An overview of firmware updates can be found on this website.
Basically, the incident is once again a wake-up call to take a critical look at all IoT devices. The cloud connection of the cameras, in connection with the vulnerabilities and also the cloud failure mentioned below, is virtually a no-go.
Similar article:
IoT provider Wyze admits data leak
Amazon AWS cloud outage causes chaos (2021/12/08)
Advertising
would this mentioned vulnerability allow someone to gain access to a home network, or cell phone if they connect to the same network? myself and my wife have been being harassed by a hacker/stalker for months now and we can't get any help, the cops don't care they said they don't investigate the boogyman. We are not very knowledgeable about these things but are trying to learn.