Wyze has reportedly finally gotten around to fixing a serious security flaw in its cameras nearly three years after it was first spotted. The flaw in question applied to the authentication method used to connect to Wyze cameras. And effectively allowed non-authorized users to turn cameras off or on, disable SD card recordings, and even control pan or tilt actions on compatible devices.
Worse, by implementing a further exploit, using a stack-based buffer overflow, the cameras were vulnerable to live feed viewing. As well as reviewing recordings from the SD card. Whether they were supposed to have access to your smart home devices or not.
What was the vulnerability?
Now, the vulnerability in question was — as noted already — one in the authentication process itself. As reported by the Bitdefender team responsible for finding the vulnerability, it was able to be bypassed. That, in turn, gave access to controls for the camera but not the live feed.
The issue only made viewing possible via a secondary measure. In effect, combining a stack-based buffer overflow with the bypass method. Providing access to the above-mentioned controls and both live footage and SD card footage via an unauthorized connection to the appropriate web server.
What took Wyze so long in fixing this security flaw in its cameras and is everything safe now?
Less certain, of course, is why it took so long for Wyze to fix its cameras’ security flaw. Bitdefender reported the vulnerability to Wyze back in March of 2019.
The standard practice for security flaws, once found, is to report them to the company. Security firms then typically wait over the course of a 90-day period before publishing findings. Giving the company time to sort out a fix and implement it to the overwhelming majority of its userbase. Wyze only just fixed the vulnerability, allowing the publishing of the above-linked white paper, in January 2022.
That discrepancy in time between discovery and a fix flies in direct opposition to its messaging about how secure its products are.
Moreover, likely in part because of the wait, the update won’t fix the problem for everybody. Wyze didn’t fix the associated vulnerabilities for the first-gen Wyze Cam. And no further updates are planned for the device since support ended in February. Users of those devices will need to upgrade to a new device to get rid of the problem. Even if that means only updating to a newer Wyze camera.