Wyze knew for years that hackers could remotely access its cameras, but did

[phillynewsnow]

Wyze knew for years that hackers could remotely access its cameras, but didn?t tell anyone



Wyze has been selling inexpensive smart security cameras since the original Wyze Cam in 2017, and has also branched out into other product categories (like earbuds). However, the company has also had its fair share of problems, and another significant issue has come to light — hackers could gain access to the video feeds from Wyze Cams.

Bitdefender publicly revealed a series of security vulnerabilities in Wyze’s security cameras on Tuesday, which affected the Wyze Cam Pan v2 (prior to 4.49.1.47), Wyze Cam v2 (prior to 4.9.8.1002), Wyze Cam v3 (prior to 4.36.8.32), and the original Wyze Cam on all firmware versions. The first vulnerability, known as CVE-2019-9564, allowed hackers to bypass the login for Wyze devices and gain access to camera controls. Bitdefender also discovered a stack buffer overflow vulnerability (CVE-2019-12266), which when used in combination with the first security flaw, can be used to gain remote access to a camera’s video feed.

Taking advantage of this security flaw requires knowing the initial camera ID, which is a random string that can only be recorded by joining the same local network as the camera. That significantly limits the scope of the security flaw, since a hacker would first have to gain access to your home network before accessing the video feed from a Wyze camera.

The main problem here isn’t actually the security vulnerability, it’s how Wyze handled the vulnerability. Bitdefender says it contacted Wyze twice, first on March 6, 2019, and again on March 15, 2019, and apparently received no response. Over the following months, Wyze updated some of its cameras with a partial fix for the login vulnerability, still without responding to Bitdefender. It wasn’t until November 2020 that Wyze finally communicated with Bitdefender, and the final fixes weren’t deployed until January 2022.