Proof of Concept

What you will need: Computer running Windows 7, Wyze Cam V2, Cain and Abel (ARP andMITM Toolkit)

Step 1: Open Cain and Abel, turn on the sniffer and scan the network for the camera and the gateway.

Step 2: Under the ARP tab select the gateway and Wyze Cam as targets

Step 3: Letting Cain and Able generate its own self signed certs for each connection seems to work but I’ve opted for chained certs based on my own CA cert.

Step 4: With Cain and Abel’s default settings hitting the big yellow button will turn on ARP spoofing and the generation of self-signed certificates for all SSL connections

Step 5: If ARP spoofing is successful, we will start to see routed connections listed below

Step 6: When a motion alert is triggered the Wyze Cam connects out to wyze-device-alarm-file.s3.us-west-2.amazonaws.com, accepts the chained self-signed cert from Cain and Abel and a text file of the transaction is captured in cleartext.