Wyze Cam Security Flaw Gave Hackers Access To Video; Went Unfixed For Almost Three Years

An anonymous reader quotes a report from 9to5Mac: A major Wyze Cam security flaw easily allowed hackers to access stored video, and it went unfixed for almost three years after the company was alerted to it, says a new report today. Additionally, it appears that Wyze Cam v1 -- which went on sale back in 2017 -- will never be patched, so it will remain vulnerable for as long as it is used.

Bleeping Computer reports: "A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years. The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication. Upon inserting an SD card on the Wyze Cam IoT, a symlink to it is automatically created in the www directory, which is served by the webserver but without any access restrictions."

And as if that weren't bad enough, it gets worse. Many people re-use existing SD cards they have laying around, some of which still have private data on them, especially photos. The flaw gave access to all data on the card, not just files created by the camera. Finally, the AES encryption key is also stored on the card, potentially giving an attacker live access to the camera feed. Altogether, Bitdefender security researchers advised the company of three vulnerabilities. It took Wyze six months to fix one, 21 months to fix another, and just under two years to patch the SD card flaw. The v1 camera still hasn't been patched, and as the company announced last year that it has reached end-of-life status, so it appears it never will.

Maybe time to reconsider

[Gim Tom]

I have been thinking of getting one or more of their cameras since the price is good and the image quality seems better than some others, but this kind of inattention to a major security flaw has me rethinking this idea.

In any case I don't think I want to put things like this on my main network. I think my TP Link gateway router might let me set up a separate LAN or VLAN and keep it and any other IOT stuff separate and put a separate WIFI access device on that segment. Not sure, since things have changed a lot since I retired 15 years ago!

Re:

[andydread]

Same here now i'm wary of getting their stuff. It seems like having to put IOT stuff on a different VLAN or wifi network or DMZ or whatever just makes it a pain in the ass when one needs to access such device from devices on the trusted network. Yes once can complicate things by setting up routing to pass specific devices back and forth but it's a real pain if you want to just pop up your phone or TV and view your cameras or access whatever other IOT device in the DMZ.

It is a great, cheap outdoor RTSP camera!

[SpzToid]

On one hand, I totally agree with common Slashdot sentiment that this is an especially egregious handling of device security, of a device manufactured in an authoritarian dictatorship so there's also the question of support, warranty, etc.

On the other hand I recently bought a Wyze cam v3 solely for use with RTSP and Open Broadcast Studio (OBS) [obsproject.com], so nothing is saved to any SD-card, (and the source of this particular security error if I understand correctly). For this specific purpose, I am amazed with the quality of the cheap outdoor streaming camera, day and night, in color, using default settings only so far. Seriously it is fun to play with!

To further clarify my purpose: In the recent past, my webcam meeting/interview setup was abysmal and the engineer in me realized to make changes, so I bought a roll-down green screen and am still busy trying to absorb this fun YouTube channel [youtube.com]. To tweak the natural fisheye distortion of the wide angle Wyze cam v3 lens, a search engine told me to install the OBS fisheye shader filter and input a slightly negative value and it works well!

Wyze makes an identical version of their software available with RTSP [wyze.com], although it is not open-source, and of course you have to install it yourself using an SD-card to upload the firmware. If you are using RTSP it would be resource-redundant to also be using the cloud services Wyze otherwise wants to sell you a subscription for.

For my purposes, the camera is an amazing tool, especially for the price, but I have it outside pointing at a busy, interesting city scene which I 'project' as a background layer, so no real security concerns. The layer over that is a photo-shopped image of my actual house indoors with a paned window behind me. In real-life, my desk arrangement does *not* place me in front of the same window in any practical way. And I sit in front of a green screen with an adjustable studio light. My loft is tiny, but tweaked via photoshop (GIMP actually) & OBS I make something awkward look studio-quality nice for online meetings. Also because I'm (hopefully) done with having to relocate just to keep working.

One big thing I learned from this engineering project that I had no clue about going in, was about all the interchangeable photo-studio mounting parts available, along with their interconnection fittings. That's been a rabbit-hole I went down! For example this cheap, useful item [amazon.com] as a starting point.

I'd replace Wyze's firmware with something open-source if I knew of something better to use.

Re:

[AmiMoJo]

TP Link cameras are decent. For the router, OpenWRT or pfSense are good and let you create a separate isolated network with no internet access.

It's worth getting cameras that have open source firmware available. Hikvision ones are popular because they have good optics, but many of the cheaper ones can be reflashed too.

Looks like nobody cares

[gweihir]

Most/all of these cams will not have interesting footage of any kind on storage anyways. Cameras are basically "feel good" anyways. They do not really offer any security benefits except if they are monitored 24/7. Almost nobody can afford that and hackers will not have the time or motivation to look through weeks of boring footage either.

Re:

[gamefaces]

I agree no individual attacker would likely look through huge volumes of footage. That would be a silly use of human time IMO. Far better to automate this. I'm thinking running the video through image classification jobs trained on nudity. The attacker could then use identified nude videos of people for blackmail.

Re:

[Powercntrl]

The attacker could then use identified nude videos of people for blackmail.

What year do you think we're living in? Nobody actually cares about any of that anymore. You could probably include a link to your OnlyFans on a resume these days and still get the job.

It's far more profitable for hackers these days to just run ransomware schemes and cryptocurrency scams/heists.

Re:

[gweihir]

Indeed. Unless it is a known CEO and some wired unusual fetish thing is shown, nobody cares. And even in that case, it is not assured anybody will care. That is one of the positive effects of "the Internet is for porn". Also, in many countries it is actually illegal to show footage like that or pictures from it, so even that CEO may be safe because the press cannot make much from it. Well maybe not if, for example, he is known to be violently anti-gay and the footage shows him getting it on with a man. That

Re:

[Powercntrl]

Most/all of these cams will not have interesting footage of any kind on storage anyways.

I honestly have to wonder what the hell people are doing with these things if they're worried about privacy issues. I have two cameras at my home, one's a Ring doorbell, and the other is a cheap outdoor Tuya camera which utilizes servers in China. Both of them show the same sort of view that neighbors can see when looking outside.

There's absolutely nothing titillating that goes on outside. If someone hacks my shit because they really want to watch cars passing by and grass growing in realtime, that's on

Re:

[gweihir]

Exactly.

Re:

[AmiMoJo]

Cameras can be useful when paired with other security devices, like silent alarms. The police generally won't attend an alarm going off unless the owner also has a camera and can see the people who broke in.

Re:

[gweihir]

Soo, you will give the police access to your cameras?

Re:

[AmiMoJo]

No need, you just have to tell them that you have a camera and can see the criminals. Of course if you lie you will be in trouble when they ask for the video or notice that you don't really have cameras at that location.

Re:

[gweihir]

Ah, so this is a person alerting the police. Yes, that would work.

Any local only options?

[MrLogic17]

These things keep happening. Maybe it's time to go for a camera that doesn't leave the local network at all.

Does anyone make home grade cameras without any internet connectivity?

Re:

[TwistedGreen]

You CAN run these Wyze cams without internet connectivity. The cloud functionality is entirely option, and they'll even continue to record without Wifi connectivity. If you want to just record video to the SD card then it's a great little device for that.

Re:

[SpzToid]

If you don't want to deal with the SD-card and related security bugs as per TFA, use the RTSP version of the firmware [wyze.com] and switch off all phone-home/cloud services which aren't necessarily applicable to RTSP users. (And if there's an open-source option, please comment.)

Re:

[tlhIngan]

These things keep happening. Maybe it's time to go for a camera that doesn't leave the local network at all.

Does anyone make home grade cameras without any internet connectivity?

Eufy cameras can store to local storage and be accessible on the local network. No cloud or internet service required, no subscription fees, etc. Network is required to access it, of course.

But if you set it up yourself, you can view the contents of the video offsite.

Just cancelled my Wyze "Cam Plus" subscription...

[thatseattleguy]

FWIW (especially in case Wyze mgmt is reading, which I of course doubt)....
.
I was actually paying Wyze a small amount each month for their "Cam Plus" (formerly "Person Detection") service. Just cancelled that with their support chat folks (easy - points in their favor there) and I'll be putting my remaining Wyze camera on Craigslist later tonight.

Ignoring gaping security holes - and a corporate culture that allows that to happen - has consequences.

So what? Misleading headline.

[TwistedGreen]

Is this really a big deal? If you read the actual details, it's only considered "remote access" because it requires local WLAN access, but wouldn't be accessible to anyone on the public Internet. Unless you've set one of these things to the DMZ or have no Wifi password, this is hardly a big risk. Unless you have untrustworthy actors on your WLAN then you're fine. No need to overreact to this misleading headline.

Re:

[SpzToid]

If I understand correctly, for the default user buying into Wyze's cloud services, (which are required it seems, to make use of the cheap camera), this is a very serious security matter.

For these folks, an internal SD-card must also be purchased and installed. The device records locally and streams up to the cloud upon API calls (like motion detection, which is a paid-for service). It's a camera on the LAN connecting to a cloud somewhere, unless you are a nerd using it with RTSP. The firmware bug discusse

As we suspected

[Ichijo]

We users of Wyze webcams knew for a while that they were phoning home to China, and Wyze never fixed it or even made a public statement about it to my knowledge. (I think there was a binary blob in the firmware that even they couldn't modify.) So we all had to assume the worst.

I used mine for an exterior security camera for a while, and I still think it's fine for that purpose, especially if it's firewalled from the rest of the network. Just don't point it inside your walls. But I would never point any webc