RCE exploit for Wyze Cam v3 publicly released, patch now

A information interrogator has published a proof-of-concept (PoC) utilization for Wyze Cam v3 devices that opens a reverse ammunition and allows nan takeover of susceptible devices.

Wyze Cam v3 is simply a top-selling, inexpensive indoor/outdoor information camera pinch support for colour nighttime vision, SD paper storage, unreality connectivity for smartphone control, IP65 weatherproofing, and more.

Security interrogator Peter Geissler (aka bl4sty) precocious discovered 2 flaws successful nan latest Wyze Cam v3 firmware that tin beryllium chained together for distant codification execution connected susceptible devices.

The first is simply a DTLS (Datagram Transport Layer Security) authentication bypass problem successful nan 'iCamera' daemon, allowing attackers to usage arbitrary PSKs (Pre-Shared Keys) during nan TLS handshake to bypass information measures.

The 2nd flaw manifests aft nan DTLS authenticated convention has been established erstwhile nan customer sends a JSON object.

The iCamera codification that parses that entity tin beryllium exploited owed to bad handling of a circumstantial array, starring to a stack buffer overflow wherever information is written into unintended parts of nan memory.

Attackers tin leverage nan 2nd vulnerability to overwrite nan stack representation and, fixed nan deficiency of information features for illustration stack canaries and position-independent execution successful nan iCamera code, execute their ain codification connected nan camera.

The exploit released by Geissler connected GitHub chains these 2 flaws to springiness attackers an interactive Linux guidelines shell, turning susceptible Wyze v3 cameras into persistent backdoors and allowing attackers to pivot to different devices successful nan network.

The utilization was tested and confirmed to activity connected firmware versions 4.36.10.4054, 4.36.11.4679, and 4.36.11.5859.

Wyze released firmware update type 4.36.11.7071, which addresses nan identified issues, connected October 22, 2023, truthful users are recommended to use nan information update arsenic soon arsenic possible.

Patching controversy

In a backstage discussion, Geissler explained to BleepingComputer that he made his utilization disposable to nan nationalist earlier astir Wyze users could use nan spot to definitive his disapproval of Wyze's patching strategies.

Specifically, Wyze's spot came correct aft nan title registration deadline for nan recent Pwn2Own Toronto event.

Releasing nan fixes correct aft nan registration had caused respective teams that had a moving utilization successful their hands up until that infinitesimal to wantonness nan effort.

Wyze told nan interrogator that nan timing was a coincidence and that they were simply trying to safeguard their customers against a threat they had learned astir a fewer days before.

"I want to explain a fewer things; we didn't cognize astir this rumor for years, this is an rumor successful nan third-party room we usage and we sewage a study astir it conscionable a fewer days earlier pwn2own and erstwhile we sewage nan study successful our bugbounty programme we patched nan rumor successful 3 days and released to public," reads an email sent from Wyze.

While Geissler admits that it is communal for vendors to spot a bug that breaks utilization chains earlier nan competition, he accuses Wyze of singling retired that circumstantial instrumentality to debar antagonistic PR from nan competition, arsenic nan bug was allegedly not fixed successful different devices.

BleepingComputer reached retired to Wyze for a remark astir Geissler's accusations but has not received a consequence astatine this time.

However, Wyze told different information researcher that they were only notified of nan Wyze Cam v3 bug a fewer days earlier nan title and are now investigating whether it is successful different devices' firmware.

At this point, nan PoC is now public, truthful it is apt to spot wide exploitation successful nan future, and users are recommended to return contiguous action to hole nan bug.

If incapable to use nan firmware update, users should isolate their Wyze cameras from networks that service captious devices.