Carding 4 Carders
Despite the release of the patch, you should expect active hacking of Wyze cameras.
Cybersecurity researcher Peter Geisler (known as bl4sty) discovered vulnerabilities in the Wyze Cam v3 security camera firmware that allow remote code execution on devices. The problems were identified in the latest firmware version and can be used to obtain a reverse shell and take control of the device.
Wyze Cam v3 is a popular low-cost surveillance camera that supports night vision, data storage on an SD card, management via the cloud using a smartphone, IP65 protection and other functions.
The first vulnerability is a DTLS (Datagram Transport Layer Security) authentication bypass in the iCamera daemon: attackers can use arbitrary pre-shared keys (PSKs) during the TLS handshake to bypass security measures.
The second vulnerability occurs after an authenticated DTLS session is established, when the client sends a JSON object. The iCamera code that parses this object processes a certain array incorrectly, which leads to a stack buffer overflow that writes data to unintended parts of memory.
Attackers can use the second vulnerability to overwrite stack memory and, given the lack of security mechanisms such as stack canaries and position-independent execution in the iCamera code, execute their own code on the camera.
Geisler published on GitHub an exploit combining the two vulnerabilities that provides attackers with an interactive Linux root shell, turning vulnerable Wyze v3 cameras into entry points and allowing cybercriminals to move on to other devices on the network. The exploit was successfully tested on firmware versions 4.36.10.4054, 4.36.11.4679, and 4.36.11.5859.
On October 22, Wyze released firmware update version 4.36.11.7071, which fixes the issues, and recommended that users install this security update as soon as possible.
However, Geisler expressed dissatisfaction with Wyze's patch release strategy, publishing his exploit before most users could install the fix. Geisler pointed out that Wyze released the patch immediately after registration for the Pwn2Own competition in Toronto had ended, which forced several teams to abandon further actions, since they already had a working exploit.
Wyze claimed that the timing was coincidental and that the company was simply seeking to protect its customers from a threat it had learned about just a few days earlier. Wyze told another security researcher that the company was notified of flaws in the Wyze Cam v3 just days before the competition. The company is now checking whether there are vulnerabilities in the firmware of its other devices.
The proof-of-concept (PoC) exploit is now publicly available, so mass exploitation of the vulnerabilities can be expected, and users are advised to take immediate measures to fix the problem. If a firmware update cannot be applied, users must isolate their Wyze cameras from the networks that serve mission-critical devices.
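The two missing mitigations named above (stack canaries and position-independent code) can be checked on any binary extracted from a firmware image. This is an added example, not code from the original post, from Wyze or from the researcher; `build_sample` and the two sample images are constructed byte strings rather than real iCamera code, and the canary check is a string heuristic.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values: fixed-address executable, relocatable image

def audit_elf(blob: bytes) -> dict:
    """Report the two mitigations the article names, from an ELF image in memory."""
    if len(blob) < 18 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    endian = "<" if ei_data == 1 else ">"
    # e_type is the 16-bit field at offset 16 in both ELF32 and ELF64.
    (e_type,) = struct.unpack_from(endian + "H", blob, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        # ET_EXEC is linked at a fixed address, so ASLR cannot move its code.
        # ET_DYN covers PIE executables (and shared objects).
        "pie": e_type == ET_DYN,
        # Heuristic: canary-protected code references __stack_chk_fail, so the
        # name appears in a string table unless the binary is static and stripped.
        "stack_canary": b"__stack_chk_fail\x00" in blob,
    }

def findings(blob: bytes) -> list:
    """Turn the audit into a list of human-readable hardening gaps."""
    report = audit_elf(blob)
    gaps = []
    if not report["pie"]:
        gaps.append("fixed load address (no PIE)")
    if not report["stack_canary"]:
        gaps.append("no stack canary references")
    return gaps

def build_sample(e_type: int, strtab: bytes) -> bytes:
    """Constructed test input: a 52-byte ELF32 little-endian header plus a fake string table."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)       # class=32-bit, data=LE, version=1
    header = ident + struct.pack("<HHI", e_type, 8, 1)      # e_machine 8 = MIPS (assumed for the sample)
    return header + bytes(28) + strtab

WEAK = build_sample(ET_EXEC, b"\x00memcpy\x00strcpy\x00")
HARDENED = build_sample(ET_DYN, b"\x00memcpy\x00__stack_chk_fail\x00")

if __name__ == "__main__":
    for name, image in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_elf(image), findings(image))
```

On a real device, read the extracted binary with `open(path, "rb").read()` and pass the bytes to `findings`.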