Wyze knew for years that hackers could remotely access its cameras, but didn’t tell anyone
Wyze has been selling inexpensive smart security cameras since the original Wyze Cam in 2017, and has also branched out into other product categories (like earbuds). However, the company has also had its fair share of problems, and another significant issue has come to light — hackers could gain access to the video feeds from Wyze Cams.
Bitdefender publicly revealed a series of security vulnerabilities in Wyze’s security cameras on Tuesday, which affected the Wyze Cam Pan v2 (prior to 22.214.171.124), Wyze Cam v2 (prior to 126.96.36.1992), Wyze Cam v3 (prior to 188.8.131.52), and the original Wyze Cam on all firmware versions. The first vulnerability, known as CVE-2019-9564, allowed hackers to bypass the login for Wyze devices and gain access to camera controls. Bitdefender also discovered a stack buffer overflow vulnerability (CVE-2019-12266), which when used in combination with the first security flaw, can be used to gain remote access to a camera’s video feed.
Taking advantage of this security flaw requires knowing the initial camera ID, which is a random string that can only be recorded by joining the same local network as the camera. That significantly limits the scope of the security flaw, since a hacker would first have to gain access to your home network before accessing the video feed from a Wyze camera.
The main problem here isn’t actually the security vulnerability, it’s how Wyze handled the vulnerability. Bitdefender says it contacted Wyze twice, first on March 6, 2019, and again on March 15, 2019, and apparently received no response. Over the following months, Wyze updated some of its cameras with a partial fix for the login vulnerability, still without responding to Bitdefender. It wasn’t until November 2020 that Wyze finally communicated with Bitdefender, and the final fixes weren’t deployed until January 2022.
Not only did Wyze not act quickly and work with Bitdefender to address the security issues, but the company also never acknowledged the vulnerability to its customers. Wyze told The Verge that the company has been transparent with its customers and “fully corrected the issue,” but the original Wyze Cam never received a fix, and the company seemingly never told customers about this specific issue.
Wyze has not released a public statement about the security vulnerabilities on its Twitter account or other social media accounts, as of when this article was published.