Wyze Left Security Cameras Open to Hacking for Three Years

Wyze has made its name offering capable home security products for startlingly low prices. Whereas you might pay $200 for a Google Nest security camera, Wyze offers devices that are almost as good for literally one-tenth the price. It turns out that $20 security camera on your shelf might not be such a good deal. A new disclosure from security firm Bitdefender reveals that Wyze’s cameras had a major security vulnerability that could allow an attacker to remotely access your video, and Wyze has known about it for three years. Plus, the Wyze V1 is still broken and will not be fixed. It almost goes without saying, but if you’ve got a Wyze V1 around, get rid of it.

Unlike Google, Ring, or the other makers of popular security cameras, Wyze does not make its own hardware. It re-badges products from China with new firmware and app support. It offers cheap security cameras, but also robot vacuums, headphones, smart scales, smartwatches, and more. They’re all priced below competing products and generally are not quite as good. But hey, a $20 security camera? Wyze sold a boatload of them.

The issue lies in how the cameras use their internal microSD card storage. The camera creates a symlink in the www directory, giving the webserver direct access to the videos stored on the camera so you can stream them to your app. However, Wyze implemented no access restrictions in this system, and that means an attacker can use a pair of vulnerabilities to collect the UID (unique identification number) and the ENR (AES encryption key). At that point, they can access your camera as if they were you.
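A defender reviewing an extracted firmware image can check for this class of exposure by listing every symlink under the web root that points outside it. The script below is an added example, not code from Bitdefender or Wyze; the directory names in the sample tree are constructed, and it resolves only one hop per symlink.

```python
import os
import tempfile

def resolve_in_rootfs(rootfs, link_path):
    # Resolve one hop the way the device would: an absolute target is
    # re-rooted under the extracted rootfs, not the analyst's host "/".
    target = os.readlink(link_path)
    if os.path.isabs(target):
        resolved = os.path.join(rootfs, target.lstrip("/"))
    else:
        resolved = os.path.join(os.path.dirname(link_path), target)
    return os.path.normpath(resolved)

def find_escaping_symlinks(rootfs, webroot_rel):
    # Returns sorted (link, target) pairs, relative to rootfs, for every
    # symlink under the web root whose target lies outside the web root.
    rootfs = os.path.realpath(rootfs)
    webroot = os.path.join(rootfs, webroot_rel)
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = resolve_in_rootfs(rootfs, path)
            if os.path.commonpath([webroot, resolved]) != webroot:
                findings.append((os.path.relpath(path, rootfs),
                                 os.path.relpath(resolved, rootfs)))
    return sorted(findings)

def build_sample_rootfs():
    # Constructed sample tree; all paths are made up for illustration.
    rootfs = tempfile.mkdtemp(prefix="rootfs-")
    www = os.path.join(rootfs, "www")
    os.makedirs(os.path.join(www, "static", "css"))
    os.makedirs(os.path.join(rootfs, "var", "log"))
    open(os.path.join(www, "index.html"), "w").close()
    os.symlink("/media/mmc", os.path.join(www, "sdcard"))  # absolute escape
    os.symlink("../var/log", os.path.join(www, "logs"))    # relative escape
    os.symlink("static/css", os.path.join(www, "css"))     # stays inside
    return rootfs

if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_sample_rootfs(), "www"):
        print(f"{link} -> {target} (outside web root)")
```

Any finding still needs a manual look at whether the web server enforces authentication on that path.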

Wyze’s response to this was insufficient. It quietly discontinued the V1 camera early this year and patched the newer V2 and V3 cameras to block the exploit. It said that continuing to use the original cam carried “increased risk,” but it didn’t say anything about the risk of using it for the last three years with a gaping security hole.

We’re used to security flaws being patched and/or disclosed in relatively short order, usually measured in weeks or months. But three years? Bitdefender initially reached out to Wyze in March 2019, and it didn’t hear back until November 2020. According to The Verge, Bitdefender gave Wyze some leeway because of the severity of the bug and Wyze’s slow progress toward fixing it. Wyze didn’t even have a security framework in place to address bugs like this until 2021.

But at the end of the day, this is a $20 security camera — not a major investment. It’s one that I have actually used in the past, and I would have appreciated knowing that it was wide open to remote exploitation. I would have happily chucked it in the recycling without a moment’s hesitation. As for newer Wyze products that are supposedly safe, I’m skeptical enough that I won’t plug them in at all. Wyze owes its customers an apology.
