Flaws in Wyze cam devices allow their complete takeoverSecurity Affairs

Wyze Cam devices are affected by three security vulnerabilities that can allow attackers to takeover them and access camera feeds.

Bitdefender researchers discovered three security vulnerabilities in the popular Wyze Cam devices that can be exploited by threat actors to execute arbitrary code and access camera feeds.

The three flaws reported by the cybersecurity firm are:

  • An authentication bypass tracked CVE-2019-9564
  • A stack-based buffer overflow, tracked as CVE-2019-12266which could lead to remote control execution.
  • An unauthenticated access to contents of the SD card

A remote attacker could exploit the CVE-2019-9564 flaw to take over the device, including turning on / off the camera.

An attacker could chain the above issue with the CVE-2019-12266 flaw to access live audio and video feeds.

The flaws were reported to Wyze in May 2019, the company addressed the CVE-2019-9564 and CVE-2019-12266 flaws in September 2019 and November 2020, respectively.

The vendor addressed the unauthenticated access to the contents of the SD card with the release of firmware updates on January 29, 2022.

According to the experts, there are 3 version of Wyze Cam devices on the market and the first one has been discontinued and will not receive security updates to address the flaws.

The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes. ” reads the report published by the security firm. Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited.

Source Informative Point website

Bitdefenders also provided the following recommendations to prevent attacks against IoT devices:

“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” reads the post. “This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Wyze cam devices)













Source

Wyze Cam devices are affected by three security vulnerabilities that can allow attackers to takeover them and access camera feeds.

Bitdefender researchers discovered three security vulnerabilities in the popular Wyze Cam devices that can be exploited by threat actors to execute arbitrary code and access camera feeds.

The three flaws reported by the cybersecurity firm are:

  • An authentication bypass tracked CVE-2019-9564
  • A stack-based buffer overflow, tracked as CVE-2019-12266which could lead to remote control execution.
  • An unauthenticated access to contents of the SD card

A remote attacker could exploit the CVE-2019-9564 flaw to take over the device, including turning on / off the camera.

An attacker could chain the above issue with the CVE-2019-12266 flaw to access live audio and video feeds.

The flaws were reported to Wyze in May 2019, the company addressed the CVE-2019-9564 and CVE-2019-12266 flaws in September 2019 and November 2020, respectively.

The vendor addressed the unauthenticated access to the contents of the SD card with the release of firmware updates on January 29, 2022.

According to the experts, there are 3 version of Wyze Cam devices on the market and the first one has been discontinued and will not receive security updates to address the flaws.

The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes. ” reads the report published by the security firm. Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited.

Source Informative Point website

Bitdefenders also provided the following recommendations to prevent attacks against IoT devices:

“Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network,” reads the post. “This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Wyze cam devices)













Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

YouAttest collaborates with JumpCloud to give users access reviews for identity governance

YouAttest announced their product integration with JumpCloud - an open directory platform that gives IT, security...

SLACIP: How to Comply with the SOCI ACT Reforms

On March 31, 2022, the Security Legislation Amendment Critical Infrastructure Protection Act 2022, also known as SLACIP, was passed by the Australian Parliament. ...

Microsoft patches the Patch Tuesday patch that broke authentication – Naked Security

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931which affected the safety of authentication in Windows. Even...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!