Security News > 2022 > March > Wyze Cam flaw lets hackers remotely access your saved videos
A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years.
Upon inserting an SD card on the Wyze Cam IoT, a symlink to it is automatically created in the www directory, which is served by the webserver but without any access restrictions.
The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019.
The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update.
It should be noted that the security updates have been made available only for Wyze Cam v2 and v3, released in February 2018 and October 2020, respectively, and not for Wyze Cam v1, released in August 2017.
If you're using an actively supported Wyze product, make sure to apply the available firmware updates, deactivate your IoTs when they're not used, and set up a separate, isolated network exclusively for them.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-30 | CVE-2019-9564 | Improper Authentication vulnerability in Wyze products A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. | 9.8 |