This Wyze smart camera could easily be abused to spy on your home
Abandon the hardware, researchers warn
Cybersecurity researchers have discovered that a popular internet-connected security camera is permanently vulnerable to a flaw that could allow threat actors to access recorded content and execute malicious code to further compromise the endpoint.
In a research report published earlier today, security firm Bitdefender states that its researchers started looking into the Wyze Cam IoT camera in 2019 and identified several vulnerabilities.
One of the bugs, tracked as CVE-2019-9564, is an authentication bypass, which allows threat actors to log into the device without knowing the login credentials.
Accessing the SD card
As the report explains, the vulnerability could be abused to take full control of the device, which includes the ability to change the direction it is facing, turn the camera on and off, and disable recording to the microSD card.
“We can’t view the live audio and video feed, though, because it is encrypted, and the value of ‘enr’ is unknown,” the researchers explained. “We can bypass this restriction by daisy-chaining a stack buffer overflow which leads to remote code execution.”
The remote code execution flaw, caused by a stack-based buffer overflow, is tracked as CVE-2019-12266. “When processing IOCtl with ID 0x2776, the device does not check whether the destination buffer is long enough before copying the contents on the stack,” the report reads. “Exploiting this vulnerability is straight-forward.”
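The defect class the report describes, a fixed-size stack buffer filled from a request whose length the caller controls, is shown below beside its hardened form. This is an added, constructed example, not code from Bitdefender's report or from the Wyze firmware: the only value taken from the article is the IOCtl ID 0x2776, and the "set name" semantics, the `struct ioctl_req` layout and the 64-byte buffer are all invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout (constructed for this example): a command ID,
 * a payload length supplied by the sender, and a pointer to the payload. */
#define CMD_SET_NAME  0x2776u   /* ID named in the report; handler behaviour is assumed */
#define NAME_BUF_SIZE 64

struct ioctl_req {
    uint32_t id;
    uint32_t len;          /* attacker-controlled on an unauthenticated interface */
    const uint8_t *payload;
};

/* The vulnerable pattern: the destination is a fixed buffer on the stack and the
 * copy trusts req->len without comparing it to sizeof(name). Shown for contrast
 * only; it is never called with an oversize request in this file. */
int handle_vulnerable(const struct ioctl_req *req)
{
    char name[NAME_BUF_SIZE];
    if (req->id != CMD_SET_NAME)
        return -1;
    memcpy(name, req->payload, req->len);   /* len > 64 overruns the stack frame */
    name[NAME_BUF_SIZE - 1] = '\0';
    return (int)strnlen(name, NAME_BUF_SIZE);
}

/* Hardened form: validate the length against the destination size before any
 * copy, reject oversize requests outright, and always reserve room for a NUL. */
int handle_hardened(const struct ioctl_req *req, char *out, size_t out_size)
{
    if (req->id != CMD_SET_NAME)
        return -1;
    if (req->payload == NULL || out == NULL || out_size == 0)
        return -2;
    if (req->len >= out_size)               /* payload plus terminator must fit */
        return -2;
    memcpy(out, req->payload, req->len);
    out[req->len] = '\0';
    return 0;
}

/* Builds a constructed request of n 'A' bytes and runs it through the hardened
 * handler. Returns 0 when accepted, -2 when rejected as too long, -4 if the
 * copied string length does not match (a bug indicator). */
int demo_request(size_t n)
{
    uint8_t payload[256];
    char out[NAME_BUF_SIZE];
    if (n > sizeof payload)
        return -3;
    memset(payload, 'A', n);
    struct ioctl_req req = { CMD_SET_NAME, (uint32_t)n, payload };
    int rc = handle_hardened(&req, out, sizeof out);
    if (rc == 0 && strlen(out) != n)
        return -4;
    return rc;
}

int main(void)
{
    printf("16-byte name:  rc=%d (accepted)\n", demo_request(16));
    printf("200-byte name: rc=%d (rejected, would have overflowed)\n", demo_request(200));
    return 0;
}
```

The check in `handle_hardened` is the one the report says the device lacks: the length is compared against the destination buffer before the copy, so an oversize request is refused instead of being written past the end of the stack frame. Compiling with stack protection (`-fstack-protector-strong`) and fortified `memcpy` would add a second line of defence, but neither replaces the explicit bounds check.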
As for unauthenticated access to the contents of the SD card, the researchers say it is possible via the web server listening on port 80.
“This is due to the fact that, after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the webserver.”
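The mitigation for this class of exposure is for the web server to resolve every requested path and refuse anything whose real location, after following symlinks and `..` components, falls outside the document root. The following is an added example written for this article, not the camera's web server code: it builds a constructed fixture in a temporary directory (a `www` root, a file outside it, and a symlink inside `www` pointing at the outside directory, mirroring the situation the report describes) and shows the check rejecting the symlinked file while allowing a normal one. The function names and directory layout are assumptions for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if root/rel resolves to a location inside the real root, 0 otherwise.
 * realpath() canonicalises symlinks and "..", so a link inside the web root that
 * points at a mounted SD card (or anywhere else outside) is caught here. */
int path_within_root(const char *root, const char *rel)
{
    char real_root[PATH_MAX], joined[PATH_MAX], real_target[PATH_MAX];
    if (realpath(root, real_root) == NULL)
        return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", root, rel) >= (int)sizeof joined)
        return 0;                                   /* over-long request */
    if (realpath(joined, real_target) == NULL)
        return 0;                                   /* missing file or dangling link */
    size_t n = strlen(real_root);
    if (strncmp(real_target, real_root, n) != 0)
        return 0;                                   /* escapes the root */
    if (real_target[n] != '/' && real_target[n] != '\0')
        return 0;                                   /* "/www" must not match "/www2" */
    return 1;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    fclose(f);
    return 0;
}

/* Constructed fixture:
 *   <tmp>/www/index.html        legitimately served file
 *   <tmp>/secret/rec.txt        stands in for recordings outside the web root
 *   <tmp>/www/sdcard -> ../secret   the kind of symlink the report describes
 * Returns a bitmask: 1 = index.html allowed, 2 = symlinked file refused,
 * 4 = "../" traversal refused; -1 on fixture setup failure. */
int run_symlink_demo(void)
{
    char tmpl[] = "/tmp/wwwdemoXXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return -1;
    char www[PATH_MAX], secret[PATH_MAX], idx[PATH_MAX], rec[PATH_MAX], link[PATH_MAX];
    snprintf(www, sizeof www, "%s/www", base);
    snprintf(secret, sizeof secret, "%s/secret", base);
    snprintf(idx, sizeof idx, "%s/index.html", www);
    snprintf(rec, sizeof rec, "%s/rec.txt", secret);
    snprintf(link, sizeof link, "%s/sdcard", www);
    if (mkdir(www, 0700) || mkdir(secret, 0700)) return -1;
    if (write_file(idx, "<html>ok</html>") || write_file(rec, "recording")) return -1;
    if (symlink("../secret", link)) return -1;

    int result = 0;
    if (path_within_root(www, "index.html"))          result |= 1;
    if (!path_within_root(www, "sdcard/rec.txt"))     result |= 2;
    if (!path_within_root(www, "../secret/rec.txt"))  result |= 4;

    /* tidy up the fixture */
    unlink(link); unlink(idx); unlink(rec);
    rmdir(www); rmdir(secret); rmdir(base);
    return result;
}

int main(void)
{
    int r = run_symlink_demo();
    printf("index.html allowed: %s\n", (r & 1) ? "yes" : "no");
    printf("symlinked SD card file refused: %s\n", (r & 2) ? "yes" : "no");
    printf("../ traversal refused: %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

A server that applied this check would still serve `index.html` but would return an error for `sdcard/rec.txt`, because the canonical path of that file lies under `secret`, not `www`. The check runs on every request, so it also covers links created after startup, which is exactly the case here: the report says the symlink appears only once a card is inserted.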
Although the report says both vulnerabilities were addressed through patches (one in September 2019, and the other in November 2020), it adds that “logistics and hardware limitations on the vendor’s side” resulted in the company discontinuing version 1 of the product.
That leaves existing owners “in a permanent window of vulnerability”, the researchers explained, concluding that customers should abandon the hardware altogether as soon as possible.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.