Three vulnerabilities in Wyze Labs cameras have been discovered, exposing users to device hijacking and footage access.

The first two flaws, described today by researchers from Bitdefender, permitted authentication bypass and remote code execution, while the third provided unauthenticated access to the data on the SD card in each camera.

The authentication bypass, formally known as CVE-2019-9564, would enable an attacker to circumvent the login process by delivering a NULL authentication request. After gaining access, an attacker would have complete control over the system.

What the attacker can control

The attacker would be able to access motion control, the option to disable recording to the SD card, and the ability to switch the camera on and off.

However, due to the encryption utilized by the cameras, real-time access to the camera was not possible.

CVE-2019-12266 is a remote code execution vulnerability that allows an attacker to access a Wyze cam via debugging functionality. The SD card vulnerability, which hasn't been assigned a Common Vulnerabilities and Exposures (CVE) identifier, permits the data on the card to be read without authentication through a web server listening on port 80.

Old vulnerabilities

Notably, the CVE identifiers assigned to the first two bugs begin with 2019, indicating that they were identified that year. Some businesses react quickly to vulnerability reports; Wyze was not one of them.

Bitdefender researchers tried contacting Wyze twice in March 2019 but got no reply. Wyze then issued two upgrades in April 2019 that resolved the vulnerabilities in part.

With no communication from Wyze, the Bitdefender researchers reserved CVE identifiers for the vulnerabilities, which were scheduled to be published in May. Wyze then released another version in September 2019 that corrected CVE-2019-9564 while still neglecting to reply to Bitdefender.
