This Wyze smart camera could easily be abused to spy on your home
Date:
Tue, 29 Mar 2022 14:03:49 +0000
Description:
A popular smart camera has left users in "a permanent window of vulnerability".
FULL STORY ======================================================================
Cybersecurity researchers have discovered that a popular internet-connected security camera is permanently vulnerable to a flaw that could allow threat actors to access recorded content and execute malicious code to further compromise the endpoint.
In a research report published earlier today, security firm Bitdefender
states that its researchers started looking into the Wyze Cam IoT camera in 2019 and identified several vulnerabilities.
One of the bugs, tracked as CVE-2019-9564, is an authentication bypass, which allows threat actors to log into the device without knowing the login credentials.
Accessing the SD card
As the report explains, the vulnerability could be abused to take full
control of the device, which includes the ability to change the direction it is facing, turn the camera on and off and disable recording to microSD card.
"We can't view the live audio and video feed, though, because it is encrypted, and the value of 'enr' is unknown," the researchers explained. "We can bypass this restriction by daisy-chaining a stack buffer overflow which leads to remote code execution."
The remote code execution flaw, caused by a stack-based buffer overflow,
is tracked as CVE-2019-12266. "When processing IOCtl with ID 0x2776, the
device does not check whether the destination buffer is long enough before copying the contents on the stack," the report reads. "Exploiting this vulnerability is straight-forward."
When it comes to the unauthenticated access to the contents of the SD card, the researchers say it can be done via the webserver listening on port 80 without authentication.
This is due to the fact that, after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the webserver.
Although the report says both vulnerabilities were addressed through patches (one in September 2019, and the other in November 2020), it adds that logistics and hardware limitations on the vendor's side resulted in the company discontinuing version 1 of the product.
That leaves existing owners in a permanent window of vulnerability, the researchers explained, concluding that customers should abandon the hardware altogether as soon as possible.
======================================================================
Link to news story:
https://www.techradar.com/news/this-wyze-smart-camera-could-easily-be-abused-to-spy-on-your-home/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)