All technology companies routinely face security concerns, working to squash bugs and ensuring any vulnerabilities are closed as soon as possible. There’s a reason your phone receives a monthly security patch, and for the most part, it should be the same with all of your other devices. Whether through bug bounty programs or dedicated organizations, all tech companies rely on third parties to report security concerns. Unfortunately, it seems like a major player in the smart home ecosystem took much longer than anyone would want to patch significant flaws in its hardware.
Bitdefender published a blog post outlining some security concerns surrounding Wyze, everyone’s favorite choice for budget smart home gear. Usually, this matter wouldn’t be a cause for concern — an organization reports a vulnerability to the company, the manufacturer takes action to close it, and once it’s safe, that first group can report its findings. In this case, Bitdefender did wait for Wyze to lock down its gadgets — it just took three years for any action to be taken.
According to Bitdefender, the group wanted to report its findings after 90 days — the standard timeframe most infosec experts wait before taking their research public. But smart home gear can be tricky, especially since it usually provides potential attackers with access to a camera and microphone right inside your home. The company contacted Wyze back in March of 2019, but when June rolled around — the end of that 90-day window — nothing had been fixed.
To make matters worse, the vulnerabilities reported by Bitdefender are about as bad as you could imagine for a smart cam manufacturer. Although Wyze’s cameras require an authentication process to connect, this group was able to circumvent it entirely, gaining full access to the device. That includes the ability to turn the camera on or off, disable SD card recording, and tilt and pan on supported devices.
Notably, researchers could not bypass the live feed’s encryption to view ongoing activities — at least, not without further action. A stack-based buffer overflow allowed for live access when combined with the authentication bypass — basically, a worst-case scenario — while attackers could also view recordings from the SD card through an unauthorized connection on the webserver.
The good news here, of course, is that Wyze has fixed these holes in its security — that’s why Bitdefender has finally published its white paper. But it’s certainly concerning that the group reported these vulnerabilities three years ago, only for these concerns to go unresolved. Even after issuing patches, not every Wyze user is safe — its earliest cameras are still unsafe. If you’re still running a first-gen Wyze Cam — and granted, that’s not most people — you should disconnect it and upgrade to a newer model as soon as possible. Support for that model ended in February, and it will not see any future updates.
