Posted on April 3, 2022 at 5:45 PM
Cybersecurity firm Bitdefender recently published a report detailing three security bugs it discovered in Wyze security cameras, which led to a lot of criticism of both the product manufacturer and the cybersecurity firm.
Although the vulnerabilities were patched in January this year, both Wyze and Bitdefender were criticized for the manner in which they handled the findings. Bitdefender said it reported the vulnerability to Wyze in March 2019.
Cameras Were Exposed To Hacking
The first bug enables a threat actor to bypass the account log-in process to gain access to users’ cameras. The second enables threat actors to run their own software code on compromised cameras, while the third vulnerability gives threat actors access to saved footage on cameras that use SD cards.
Wyze stated that based on its findings, the three bugs cannot be exploited unless the hackers have access to the home’s WiFi network.
Based on the findings, the vulnerabilities impact the following Wyze camera types: Wyze Cam 3, Wyze Cam Pan V2, Wyze Cam Pan 1, and Wyze Cam V1.
The SD Card Flaw Was Not Patched
Although Wyze has successfully patched all the other vulnerabilities, it couldn’t patch the SD card flaw in the Wyze Cam V1 due to hardware limitations.
As a result, the firm had to stop supporting the camera in February 2022. After ending support, it advised its customers to discontinue its use. However, it didn’t say at the time what flaw it was not able to patch or how critical it was. This drew a lot of criticism from users who were meant to know about the vulnerability this year.
Consumer Reports has also carried out tests on the various camera types, as well as on data security and data privacy.
It noted that the Wyze Cam V3 was tested in March 2021, while the Cam Pan V2 was tested in November and December 2021. However, the Wyze Cam V2 was tested much earlier, in November 2019.
Three Camera Vulnerabilities Were Tested
Consumer Reports stated that the three cameras it tested received very good ratings when it comes to data security. However, it discovered flaws in the Wyze Cam V2, which were reported to the company.
Cody Feng, who tested products for security and privacy at Consumer Reports, stated that no Internet of Things (IoT) device is perfect. However, companies must patch vulnerabilities once they are discovered to keep the devices as secure as possible. The practice of delaying fixing a vulnerability is not a good one, Feng reiterated. He added that flaws that are left unfixed will put users’ data privacy and data security in danger.
Users were critical of the way both Bitdefender and Wyze handled the vulnerability issue. It all began in March 2019, when Bitdefender sent its findings to Wyze. Even after two attempts to reach the company, it did not receive any feedback.
Then in April 2019, Wyze released patches for the Wyze Cam Pan V1 and Wyze Cam V2, which reduced the risks but did not eliminate them. The patch still left the SD card vulnerable.
In September 2019, Wyze patched the account log-in flaw in the Wyze Cam V2.
And in November 2020, the manufacturer provided updates for its smartphone app. This fixed the flaw that enabled threat actors to run their code on cameras. Finally, Wyze responded to Bitdefender.
In August and September 2021, Bitdefender contacted Wyze to ask about its approach to patching the vulnerabilities. After getting the follow-up, it informed the manufacturer that it would be publishing the findings.
Both Firms Did Not Take Immediate Actions Against The Bug
In January 2022, Wyze released firmware updates that patch the SD card vulnerability on all affected cameras. But the patch for the Wyze Cam V1 was not released alongside the others. Wyze announced that it would stop offering support for the device from February 1, 2022, and advised owners to stop using the product. However, no additional detail regarding the patch or the type of vulnerability was disclosed.
Bitdefender said it reached out to Wyze immediately after the vulnerability was discovered, but the company was slow to respond and took a long time to get the patches for the flaws ready. Bitdefender admitted that the security team was limited as to when the patch for the vulnerability could be available.