Security News > 2022 > March > Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds

Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds
2022-03-31 19:23

Three security vulnerabilities have been disclosed in the popular Wyze Cam devices that grant malicious actors to execute arbitrary code and access camera feeds as well as unauthorizedly read the SD cards, the latter of which remained unresolved for nearly three years after the initial discovery.

The security flaws relate to an authentication bypass, a remote code execution bug stemming from a stack-based buffer overflow, and a case of unauthenticated access to the contents of the SD card.

Successful exploitation of the bypass vulnerability could allow an outside attacker to fully control the device, including disabling recording to the SD card and turning on/off the camera, not to mention chaining it with CVE-2019-12266 to view the live audio and video feeds.

Romanian cybersecurity firm Bitdefender, which discovered the shortcomings, said it reached out to the vendor way back in May 2019, following which Wyze released patches to fix CVE-2019-9564 and CVE-2019-12266 in September 2019 and November 2020, respectively.

It wasn't until January 29, 2022, that firmware updates were released to remediate the issue related to unauthenticated access to the contents of the SD card, around the same time when the Seattle-based wireless camera maker stopped selling version 1.

"Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network," the researchers cautioned.


News URL

https://thehackernews.com/2022/03/bugs-in-wyze-cams-could-let-attackers.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-03-30 CVE-2019-9564 Improper Authentication vulnerability in Wyze products
A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices.
network
low complexity
wyze CWE-287
critical
9.8
2022-03-30 CVE-2019-12266 Out-of-bounds Write vulnerability in Wyze products
Stack-based Buffer Overflow vulnerability in Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to run arbitrary code on the affected device.
network
low complexity
wyze CWE-787
critical
10.0