The issue was evident for a long time.

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on whatsapp

If you buy something from a this link, myelectricsparks Media may earn a commission. See our Read More.

Wyze knew about camera flaws that allowed others to see your feeds and videos.

WTF? Have you been making faithful users of Wyze cameras? If so, there’s a sad account of a discovered security flaw that permits unauthorized Remote access for Wyze’s cameras used for homes, and it took Wyze more than three years to fix the problem.

Researchers from Bitdefender discovered three weaknesses within Wyze cameras in 2019. A vulnerability lets attackers bypass authentication to gain remote control and access to the cameras. This allowed them to tilt or turn off the cameras, even though they could not see an encrypted feed remotely. The third issue was a common stack buffer overflow type that let hackers gain access to live feeds while ensuring security and security for remote authentication.

The third flaw permitted access to data stored in an SD card within the camera via an internet server running on port 80 but without authentication. A small percentage of users choose to not pay for cloud subscriptions and instead save their pictures on a local SD card. Also, it contains log files for the camera, such as The UID (unique identification number) and the ENR (AES encryption key). 

Bitdefender first contacted Wyze at the beginning of March 2019 to share information about these vulnerability proof-of-concept vulnerabilities. The flaw in the authentication bypass (CVE-2019-9564) was fixed by an upgrade to Wyze Security update. Wyze Security update. The update was published on September 24, 2019; however, it was not released until November 9 20th, 2020 – 21 months after the first time that an update of the app corrected the vulnerability that allowed remote execution (CVE-2019-12266 ).

Editor suggested articles :

The issue with SD cards was believed to be addressed more severely with Wyze. The problem was resolved with a firmware upgrade launched on January 29, 2022. It was only available to Wyze Cam V2 and v3, which came out in October 2018, February and October 2018. Bleeping Computer discovered that Wyze Cam Version 1, launched on August 17, 2017, was a vulnerability. According to the Bleeping Computer. Wyze stopped producing the camera in January without providing reasons for this.

 

Wyze knew about camera flaws that allowed others to see your feeds and videos.

Wyze had informed users from Wyze that “your continued use of WyzeCam beyond February 1, 2022, WyzeCam after January 1, 2022, poses riskier, and is not suggested from Wyze and is at your own risk. “

Most researchers give companies a grace period of generally from 30 to 90 days in which they disclose any vulnerabilities they find before making the same announcement themselves. Sometimes, the people who discover a vulnerability do not hesitate until the final minute, as was the situation in 2018. Epic Games blasted Google for releasing its Fortnite Android exploit early. What’s the problem that makes Bitdefender takes so long to get back to you? The director of PR at the business Steve Fiore told The Verge:

Our findings were so severe that our decision, regardless of our usual 90-day-with-grace-period-extensions-policy, was that publishing this report without Wyze’s acknowledgement and mitigation would expose millions of customers to unknown implications, particularly since the company didn’t have (to us) security procedure or framework in the first place. Wyze implemented one last year due to our findings.

We’ve delayed the report’s release (iBaby monitor cameras) for more extended periods for the same reasons as before. The consequences of releasing findings and the absence of information on the capacity of the company to manage the products led us to delayed publication.

HTML0We understand that this isn’t a standard procedure in other research groups, but divulging the results before the release of patches could place many in danger. Thus, when Wyze did notify us and provided us with evidence-based data on their ability to address the issues, we decided to allow the vendor time to fix the problem. They also permitted extension.