Disclosure

Wyze Cam V2 was vulnerable to video clip upload man in the middle attack

Wyze’s Wyze Cam V2 running versions of firmware before 4.9.6.191 will accept self signed certificates for the Amazon Web Services S3 storage. When Wyze Cam detects a motion event it uploads a clip to AWS. This means that if an attacker has access to the local network the camera is on it is possible to carry out a man in the middle that intercepts unencrypted .mp4 video clips as they are being uploaded . The proof of concept page shows the steps required to carry out this attack. I believe it is a limitation of the tool that I am using, Cain and Abel, but not every attack on the camera’s connection to AWS is successful. More testing is required to determine why all connections are not intercepted but the fact that the camera will accept self-signed certs indicates something is wrong with how they are validated by the camera’s firmware. I tried multiple times to disclose this vulnerability to Wyze – once through customer support, and once through their bug report form.

What products were effected?

Wyze Cam V2 – Firmware versions 4.9.6.156 and previous are vulnerable, the bug was fixed in version 4.9.6.191

Disclosure Timeline

  • 8/9/2020: First contact with Wyze customer support
  • 8/10/2020: Description of vulnerability and steps to reproduce provided to customer support which they state was forwarded to engineering
  • 8/13/2020: Wyze customer support does not provide any new information after an update is requested
  • 8/13/2020: Request for update goes unanswered by Wyze customer support
  • 8/21/2020: Full details of vulnerability are provided to Wyze via their vulnerability report form
  • 8/27/2020: Vulnerability details are published and posted to Wyze’s subreddit r/wyzecam – Wyze responds to me on Reddit and to my original Customer Service thread.
  • 9/26/2020: Wyze releases a fix in firmware version 4.9.6.191