Wyze found out about a camera security flaw in 2019 and didn't tell anyone

XDA

Wyze knew for years that hackers could remotely access its cameras, but didn't tell anyone

By Corbin Davenport

Published Mar 31, 2022

Security researcher Bitdefender told Wyze in 2019 that hackers could remotely access Wyze Cam video feeds, but Wyze didn't tell anyone.

Wyze has been selling inexpensive smart security cameras since the original Wyze Cam in 2017, and has also branched out into other product categories (like earbuds). However, the company has also had its fair share of problems, and another significant issue has come to light — hackers could gain access to the video feeds from Wyze Cams.

Bitdefender publicly revealed a series of security vulnerabilities in Wyze's security cameras on Tuesday, which affected the Wyze Cam Pan v2 (prior to 4.49.1.47), Wyze Cam v2 (prior to 4.9.8.1002), Wyze Cam v3 (prior to 4.36.8.32), and the original Wyze Cam on all firmware versions. The first vulnerability, known as CVE-2019-9564, allowed hackers to bypass the login for Wyze devices and gain access to camera controls. Bitdefender also discovered a stack buffer overflow vulnerability (CVE-2019-12266), which when used in combination with the first security flaw, can be used to gain remote access to a camera's video feed.

Taking advantage of this security flaw requires knowing the initial camera ID, which is a random string that can only be recorded by joining the same local network as the camera. That significantly limits the scope of the security flaw, since a hacker would first have to gain access to your home network before accessing the video feed from a Wyze camera.

The main problem here isn't actually the security vulnerability, it's how Wyze handled the vulnerability. Bitdefender says it contacted Wyze twice, first on March 6, 2019, and again on March 15, 2019, and apparently received no response. Over the following months, Wyze updated some of its cameras with a partial fix for the login vulnerability, still without responding to Bitdefender. It wasn't until November 2020 that Wyze finally communicated with Bitdefender, and the final fixes weren't deployed until January 2022.

Screenshot of an email from Wyze: "Protecting you and your security is always top of mind, and for us to do that, we'll need you to update your Wyze app and update your Wyze Cam firmware. This will make sure your devices are in tip-top shape so you can breathe easy and know Wyze has your back."

Not only did Wyze not act quickly and work with Bitdefender to address the security issues, but the company also never acknowledged the vulnerability to its customers. Wyze told The Verge that the company has been transparent with its customers and "fully corrected the issue," but the original Wyze Cam never received a fix, and the company seemingly never told customers about this specific issue.

Wyze has not released a public statement about the security vulnerabilities on its Twitter account or other social media accounts, as of when this article was published.

Source: The Verge, Bitdefender