1 min read

Wyze Cam Vulnerabilities Could Let Attackers Access the Live Feed, Research Finds

Silviu STAHIE

March 29, 2022

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Wyze Cam Vulnerabilities Could Let Attackers Access the Live Feed, Research Finds

Bitdefender’s security researchers investigated all iterations of the Wyze Cam device and found three vulnerabilities that would have given attackers direct access to the cameras, including recordings stored on the SD card.

Smart cameras are always a sensitive subject because of their importance in a household. They are often used to monitor children, backyards and other areas, meaning they collect data that should never end up in the hands of attackers.

The Wyze Cam investigation revealed a series of vulnerabilities that could have been easily weaponized in the wrong hands. Typically, the window for responsible disclosure is 90 days, but Bitdefender contacted the vendor all the way back in March 2019. Publishing details on the vulnerability in the absence of a patch is problematic when it comes to smart cameras, so Bitdefender waited until the vendor fixed the issues.

First of all, security researchers managed to bypass the authentication process for remote connection and obtained almost total control.

“After authentication, we can fully control the device, including motion control (pan/tilt), disabling recording to SD, turning camera on/of, among others,” explained the researchers in the whitepaper. “We can’t view the live audio and video feed, though, because it is encrypted.”

The second vulnerability is a more standard stack buffer overflow, which would have given attackers access to the live feed combined with the remote authentication bypass.

Finally, the third vulnerability was more of an oversight because it allowed users to view the contents of the SD card via the webserver listening on port 80 without authentication.

“This is due to the fact that, after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the web server,” the researchers also explained.

The company issued patches to fix these issues, but three generations of cameras are affected. While versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and no longer receives security fixes. If you have one of these unsupported cameras, switching to a supported model is recommended.

Download the research paper here


tags


Author



Right now

Top posts

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

June 22, 2022

1 min read
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

May 24, 2022

3 min read
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

April 15, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Israeli Authorities Seized Severs of Breached Company for Not Cooperating Israeli Authorities Seized Severs of Breached Company for Not Cooperating
Silviu STAHIE

July 04, 2022

1 min read
FTC warns LGBTQ+ community of extortion scams targeting them on dating apps FTC warns LGBTQ+ community of extortion scams targeting them on dating apps
Graham CLULEY

July 01, 2022

2 min read
OpenSea Breach Exposes 1.8 Million Email Addresses. How does it affect you? OpenSea Breach Exposes 1.8 Million Email Addresses. How does it affect you?
Radu CRAHMALIUC

June 30, 2022

3 min read