While looking into the Wyze Cam security devices, security researchers found several security vulnerabilities that let an outside attacker access the camera feed or execute malicious code to further compromise the device.
Bitdefender says attackers could gain complete control of a vulnerable camera if the vulnerabilities are successfully exploited. According to the security researchers, the vulnerabilities include:
- Authentication bypass (CVE-2019-9564)
- Remote control execution flaw caused by a stack-based buffer overflow (CVE-2019-12266)
- Unauthenticated access to contents of the SD card
Security researchers analyzed several versions of the device, including Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. They observed that while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and no longer receives critical security updates. Therefore, users who use Wyze Cam version 1 are no longer protected and risk having their devices exploited.
The security vulnerabilities are cause for urgent action, especially the ability of threat actors to access SD card files, says Bud Broomhead, CEO at Viakoo. Because IP cameras, including the Wyze Cams, are meant to create video evidence that can be used in investigations or legal proceedings, these security vulnerabilities could invalidate the use of video as evidence, mainly due to the potential for evidence tampering, Broomhead explains.
The Bitdefender report should be a wake-up call to the broader issue of Internet of Things (IoT) devices as the most vulnerable part of an organization’s attack surface, Broomhead says, mainly because IP cameras, in general, have many known vulnerabilities. In the past two years, there have been several IoT security vulnerabilities involving IP cameras, including the RealTek-based devices used by botnets, Exterity IPTV devices with zero-day vulnerabilities, and hacktivists gaining access to video surveillance feeds from Iran and Belarus. “All these stories, including today’s, have a commonality — unpatched IoT devices that remain vulnerable and open to exploit,” Broomhead says.
According to Broomhead, the challenge is that organizations cannot afford to treat IoT devices like IP cameras the same way that IT devices are treated — organizations must ensure they are as secure as IT devices. Much of the problem stems from IoT devices like IP cameras being managed by non-IT organizations, such as facilities, physical security, and manufacturing, which may not have the training or budget to ensure that all IoT devices are kept on the most secure version of firmware, Broomhead says. Often, this results in long delays in patching these vulnerable devices, thus keeping the attack window open for much longer than for traditional IT systems.
Another challenge is that IoT devices like cameras are often distributed widely. “Think of a camera hanging outside a building — it makes the process of updating them very time consuming unless an automated solution is used,” Broomhead explains. A number of IoT devices like IP cameras are also declared obsolete by the manufacturer (and therefore receive no new patches to fix vulnerabilities), yet continue to be used by organizations as long as they are functional.
However, there are ways to mitigate several security risks posed by the Wyze Cam vulnerabilities. Broomhead suggests organizations and users take a current and detailed inventory of all Wyze assets, plan to either automate patching of current devices or replace obsolete devices with ones that can be patched, and establish a new process for onboarding new devices that ensures the latest version of firmware is used (since many IP cameras ship with out-of-date firmware). “Longer-term, organizations should extend their zero trust initiatives to include IoT devices by deploying certificates. IoT devices should be subject to information security policies that would normally apply to IT devices,” Broomhead says.