On March 6th of 2019, security researchers at Bitdefender tried to warn Wyze about three major vulnerabilities in its smart security cameras. The worst of these flaws, which gives hackers unauthorized access to a Wyze Cam’s SD card, went unfixed for three years and remains a problem in discontinued Wyze Cam V1 models.
Here’s the good news; you probably weren’t impacted by this particular exploit. Other outlets reporting on this story missed key details, including how the remote access exploit works. But Wyze’s inaction is alarming, and customers should absolutely question whether the company is worth trusting.
How Does the Exploit Work?
As described in Bitdefender’s report, hackers could gain access to the contents of a Wyze Cam’s SD card “via a websever listening on port 80.” This is due to the fact that all SD card contents are accessible without authorization in the camera’s web directory, which makes sense, as recordings saved to your SD card need to be viewable through your local network.
If that sounds complicated, let me bring it down to layman’s terms. Hackers who manage to access your local network could dig through your Wyze Cam’s SD card. They could also access SD card contents if your Wyze Cam’s port is exposed to the internet—something that you would need to manually set up through port forwarding.
Hackers who follow the above steps can use the Wyze Cam’s hello.cgi script to view SD card contents. From there, hackers can navigate to /SDPath/path and download files from the SD card.
Your Wyze Cam SD card contains a ton of important data, not just video clips. Hackers can look through Wyze Cam log files, for example, to find the device’s UID and enr. This data could enable remote access and other exploits.
If your Wyze Cam is up to date, then it’s not vulnerable to this exploit. The only Wyze Cam that remains unpatched is the Wyze Cam V1. It will probably never receive the patch, though, as it’s discontinued.
Your Cameras Probably Weren’t Hacked
There’s a decent chance that hackers exploited this Wyze Cam vulnerability—Bitdefender and Wyze haven’t clarified that part of the story. But your cameras probably weren’t hacked.
As I mentioned earlier, this vulnerability requires access to port 80 on your camera. There are only a handful of ways for hackers to establish a connection with this port. Either they connect to your local network (which may be a guest network for some customers), or they intercept the port because you forwarded it to the internet.
If you have a tech-savvy neighbor who’s crazy enough to crack your Wi-Fi password, they could absolutely pull off this exploit on an unpatched camera. But at that point, you’re already knee-deep in a security nightmare. Camera recordings would be the least of your worries. (If you have smart home devices on a passwordless guest network, now’s the time to rethink that decision.)
And if you port forwarded your Wyze Cam to remotely monitor its status (on/off), then you may have accidentally screwed yourself. Hackers could have remotely accessed the camera’s contents without touching your local network.
I should note that some Wyze Cam customers port forwarded their cameras using an unofficial guide on the Wyze forums, which explicitly states that the process could be insecure. That said, Wyze doesn’t seem to discourage this behavior.
Wyze’s Inaction Is the Biggest Concern
The average Wyze Cam owner can walk away from this story knowing that they probably weren’t hacked. You should definitely update your existing Wyze Cams and ditch any Wyze Cam V1 models that you own, but otherwise, you’re all good.
But this story is still disturbing. Wyze was not transparent with its customers and sat on a concerning security flaw for three years—are there any other vulnerabilities that we need to know about?
Wyze didn’t even tell customers about this flaw when it was patched on January 29th. And when the company discontinued the Cam V1 two days earlier, it simply explained that the camera couldn’t “support a necessary update.” It’s very hard to trust Wyze after it knowingly kept us in the dark.
The researchers at Bitdefender are also in bad water. Like most security groups, Bitdefender tries to give companies a 90-day “grace period” to patch any vulnerabilities in their products. It’s a good system that keeps vulnerabilities from going public before they can be fixed, which makes sense.
But Bitdefender ended up giving Wyze a three-year grace period. The group could have published its findings early to give Wyze a kick in the pants, but instead, it decided to wait. In a statement to The Verge, Bitdefender explains that Wyze didn’t have a security system in place when this flaw was discovered—perhaps Bitdefender didn’t trust Wyze’s ability to solve the problem, which is frustrating but understandable.
Given the circumstance, you may feel the need to replace your Wyze cameras. I suggest going with a large company like Google, not because such companies are invulnerable to security flaws, but because they face more scrutiny from security groups. I’m frustrated that Bitdefender wore the kid gloves with Wyze, but I trust that it will be more proactive when dealing with large brands.