March 27, 2023

Three security vulnerabilities have been disclosed in the popular Wyze Cam devices that allow malicious actors to execute arbitrary code and access camera feeds, as well as read the SD cards without authorization, the latter of which remained unresolved for nearly 3 years after the initial discovery.

The security flaws relate to an authentication bypass (CVE-2019-9564), a remote code execution bug stemming from a stack-based buffer overflow (CVE-2019-12266), and a case of unauthenticated access to the contents of the SD card (no CVE).

Successful exploitation of the bypass vulnerability could allow an outside attacker to completely control the device, including disabling recording to the SD card and turning the camera on or off, not to mention chaining it with CVE-2019-12266 to view the live audio and video feeds.

Romanian cybersecurity company Bitdefender, which found the flaws, stated it reached out to the vendor back in May 2019, following which Wyze released patches to fix CVE-2019-9564 and CVE-2019-12266 in September 2019 and November 2020, respectively.

However, it wasn’t until January 29, 2022, that firmware updates were released to remediate the issue related to unauthenticated access to the contents of the SD card, around the same time the Seattle-based wireless camera maker stopped selling version 1.

This also means that only Wyze Cam versions 2 and 3 have been patched against the aforementioned vulnerabilities, leaving version 1 completely exposed to potential threats.

“Home users must keep a close eye on IoT devices and separate them as much as possible from the local or guest network,” the researchers warned. “This can be done by establishing a dedicated SSID solely for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.”