This Wyze smart camera could easily be abused to spy on your home

Representational image of a cybercriminal
Image Credit: Pixabay (Image credit: Pixabay)

Cybersecurity researchers have discovered that a popular internet-connected security camera is permanently vulnerable to a flaw that could allow threat actors to access recorded content and execute malicious code to further compromise the endpoint.

In a research report published earlier today, security firm Bitdefender states that its researchers started looking into the Wyze Cam IoT camera in 2019 and identified several vulnerabilities. 

One of the bugs, tracked as CVE-2019-9564, is an authentication bypass, which allows threat actors to log into the device without knowing the login credentials. 

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Accessing the SD card

As the report explains, the vulnerability could be abused to take full control of the device, which includes the ability to change the direction it is facing, turn the camera on and off and disable recording to microSD card.

“We can’t view the live audio and video feed, though, because it is encrypted, and the value of 'enr' is unknown," the researchers explained. "We can bypass this restriction by daisy-chaining a stack buffer overflow which leads to remote code execution.”

The remote control execution flaw, caused by a stack-based buffer overflow, is tracked as CVE-2019-12266. “When processing IOCtl with ID 0x2776, the device does not check whether the destination buffer is long enough before copying the contents on the stack,” the report reads. “Exploiting this vulnerability is straight-forward.”

When it comes to the unauthenticated access to the contents of the SD card, the researchers say it can be done via the webserver listening on port 80 without authentication. 

“This is due to the fact that, after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the webserver.”

Although the report says both vulnerabilities were addressed through patches (one in September 2019, and the other in November 2020), it adds that “logistics and hardware limitations on the vendor’s side” resulted in the company discontinuing the version 1 of the product.

That leaves existing owners “in a permanent window of vulnerability”, the researchers explained, concluding that customers should abandon the hardware altogether as soon as possible.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.