Vulnerabilities in Wyze Cams exposed users to device takeover and video access

Three vulnerabilities in cams from Wyze Labs Inc. have been found to expose users to device takeover and video access.

Detailed by researchers at S.C. Bitdefender SRL, the first two vulnerabilities allowed for authentication bypass and remote code execution, while the third gave unauthenticated access to the contents of the SD card used in each cam.

The authentication bypass, CVE-2019-9564, would allow an attacker to bypass the login process by sending a NULL authentication request. Having obtained access, an attacker would have control over the device, including motion control, disabling recording to the SD card and the ability to turn the camera off and on. However, live access to the camera feed was not available due to the encryption used by the cams.

The remote code execution vulnerability, CVE-2019-12266, involves an attacker being able to gain access to a Wyze cam using a debugging function. The SD card issue, which does not have a Common Vulnerabilities and Exposures number, allows the contents of the card to be accessed via a webserver listening on port 80 without authentication.

Notably, the CVE numbers issued to the first two vulnerabilities start with 2019, reflecting the date they were discovered. Some vendors are better than others in responding to vulnerability reports, but this wasn’t the case with Wyze.

The Bitdefender researchers initially attempted to contact Wyze twice in March 2019 and failed to get a response. Two updates by Wyze in April 2019 then partially addressed the issues. With still no contact from Wyze, the Bitdefender researchers reserved CVE numbers for the vulnerabilities pending publication in May. In September 2019, Wyze issued another update that fixed CVE-2019-9564, while still not having responded to Bitdefender.

Fast forward to November 2020, when Wyze released a fix for the other CVE and finally acknowledged the Bitdefender researchers. In August 2021, Bitdefender followed up on the patch program and then in September told Wyze that it intended to publish the details. In January, Wyze finally released a firmware update to fix the SD card issue, and the details were published today.

It’s an extraordinarily long timeline of three years from vulnerability report to publication, and credit goes to the Bitdefender researchers for continually following up.

While having fixes is positive, the fixes only apply to Wyze Cam v2 and v3. The vulnerabilities also exist in Wyze Cam v1, but the company no longer supports that product.

“This report should be a wake-up call to the broader issue of IoT devices as the most vulnerable part of an organization’s attack surface,” Bud Broomhead, chief executive officer at enterprise IoT security platform company Viakoo Inc., told SiliconANGLE. “IP cameras, in general, have many known vulnerabilities, not just these ones.”

Mike Parkin, senior technical engineer at cyber risk management firm Vulcan Cyber Ltd., noted that “the real surprise is a vulnerability release timeline that spans three years. Though the vendor released patches long before the release, it begs the question of whether any malicious actors found and leveraged this vulnerability during that time.”

“Unfortunately, IoT devices pose a number of security risks, from slow, or no, response from vendors, to having low visibility, low priority, or both, for organizations that use them,” Parkin added. “However, there are ways to mitigate the risk, from keeping them isolated from production networks to making sure they are included in any vulnerability, patch, and risk management programs.”

Photo: Davidlamma/Wikimedia Commons
