The Wyze Cam Vulnerability and How the Verge Blew it Out of Proportion

hey everybody it’s lon seidman and we review a lot of wise products here on the channel they are best known for making these super inexpensive security cameras that actually work pretty well and they also have a whole line of other iot products wise has never been a sponsor here on the channel but they have sent in products for us to look at primarily because you the audience are really interested in affordable things and i have bought a lot of these products over the years to control things around my home and i was certainly nervous as many of you were when a vulnerability was out in the news and a lot of this started with this editorial that appeared on the verge the other day now unfortunately the verge got a lot wrong here when this article was first posted and they’ve been very quietly changing it over the last 24 hours to better reflect the facts but i think it’s important to look at the instinct here at the verge to click first and ask questions later especially when they can attract a lot of clicks and get people in an uproar which they did so the initial version of this article had a lead paragraph which said that hackers could look into your home over the internet on these cameras and that wise kept it a secret for the past three years and what’s happened now if you go onto the verge’s website you’ll see a different version of this article and they added a couple of notes at the bottom about some things that they changed but the changes are actually pretty significant so let’s look at a comparison and the internet archive apparently now has this really cool comparison feature where you can compare two versions of a web page in their archive and they archive the initial version of the article and they also have the current version available so what you’re looking at on the left is the original article and the one on the right is the one that is currently published on their site anything that is highlighted in yellow has been removed from the article and everything in blue has been added since it was initially posted so let’s zoom in a little bit here to the original article now you’ll see here they removed a portion of the lead paragraph that says this vulnerability would let hackers look into your home they also took out a few things in the next paragraph in

regards to how the camera’s sd card would be accessible over the internet now if we look at the current version of the article you can see that the certainty of letting hackers in over the internet has been changed to theoretically let hackers access your video feeds over the internet they also added another theoretically to the second paragraph and they got rid of the access your camera’s sd card over the internet uh which was in the original version of the article and the reason why they’re changing all of this is because they uh published the article before they had all the facts about this vulnerability and they did a little mia culpa here saying that in fact the hacker had to be on the same network as the camera in order for these exploits to take place so in other words they’d have to be sitting in your home or close to it and on the wi-fi network because the camera if it’s behind a router is inaccessible to the public internet unless somebody put it directly on the internet or forwarded a port to it or something but in most cases when people get one of these cameras they attach it to their router and it’s inaccessible to the outside internet especially for a hack like this one and the article’s author sean hollister then goes on to apologize for misleading anyone in his initial article but of course the corporate culture is you got to click that button as quickly as possible to get the eyeballs and

the revenue and the facts and the truths can kind of come in a little bit later he does though rightly say that the company probably should have been better at disclosing things and that he is going to throw out his cameras he also tweeted something similar to uh his audience on that platform and then they also added some additional language to the article looks like in an attempt to balance it out and make it look a little less like a hit piece now and they referenced something that happened with google nest and a security issue that they did not disclose properly at least in the opinion of the author a few years back but let’s dive in and see what this vulnerability is all about because it does have some potential to be an issue provided the hacker had local access to the camera to begin with this was first uncovered by bitdefender way back in 2019 bitdefender is a security research firm they are only first publishing this now in 2022 for some reason and that’s something that i think bitdefender and wise need to explain better to people why this was kept quiet for so long even after it was patched but here we are and they also released this white paper the same day they published the blog post about how the exploit works and presumably how you as a hacker might be able to take advantage of it now there are three parts to how this works the first part is called the remote connection authentication bypass and what happens with these cameras is that they have to authenticate before they give away their secrets and the

bitdefender people again over the local network discovered that there was a way to bypass the authentication process and in doing so they were able to get full control of the device including motion controls for their pan and tilt cameras they could disable recording to the sd card they could turn the camera on and off and a few other functions but they could not view the live audio or video feed because that is encrypted and they could not decrypt that now this of course is the proverbial foot in the door because after that you can do a stack buffer overflow with the access that you’re able to gain to the camera that will replace some contents of the camera’s memory with your own code and after that you’ve got yourself full access to the camera’s web server and apparently when people insert an sd card into the wise camera it puts a sim link in the wise cameras web servers www directory and because they were able to get rid of the authentication step you could access that sd card through the camera’s web server on port 80 which would then allow for you to take the contents of that card out of the camera but again the cameras on the local network here although if you are a

hacker you probably know how to hack the local network to allow things from the outside to get in and that’s where the verges theoretically language comes in this is certainly a serious exploit i don’t want to minimize it but again it does require local access to execute all three of these steps and for good measure i did reach out to bit defenders public relations person just to confirm that this is the case and he did confirm here that it needs to all happen on the local network so why did this take so long to disclose well bitdefender did put up a disclosure timeline in their pdf document they claim they first reached out in march of 2019 when they first discovered this but they didn’t hear back from wise officially until november of 2020 but wise was making firmware updates along the way so about a month after this was first disclosed uh wise had a firmware update for their shipping cameras which was the version 2 camera at the time along with the wise cam pan the pan and tilt camera version one those initial patches were made in april of 2019 about a month later and that reduced the risk of the sd card exploit but it doesn’t appear at least according to bitdefender that it eliminated that risk completely along the way here additional firmware updates were made so there was a big one for version two in september of 2019 that fixed one of the part one and part 2 issues and then there was another firmware update in november of 2020 that patched up

the remaining vulnerabilities but they still had some back and forth and bitdefender claims that the vendor in this case wise did not release a final firmware fix until january 29th of 2022 but it looks as though wise was patching things up along the way here and now we’re in march and we’re hearing about this from bitdefender now the same day the bitdefender report came out wise released this statement on their website and the time frame that they talk about here is very close to what we saw on bitdefender’s time frame from their white paper pdf wise considers this thing closed as of february of 2022 bitdefender said it was done in january but it’s pretty close for the most part here wise also said that they want to be able to respond to these types of things quicker in the future certainly three years is a long time to fully patch up a security vulnerability and they have enhanced their security infrastructure and hired a new team they were financially constrained for a while in fact they have a video up on their youtube channel about how they nearly went bankrupt during the pandemic and they were rescued at the last minute by a bunch of venture capitalists so they may not have been able to afford to move quicker at the time which of course is also cause for concern now the other big part of this story is that they were able to patch the second version wise camera presumably the third version which is for sale now and the wise cam pan version one

and two but the original wise camera the camera that kind of launched their company is not able to get this patched and they did not say to customers that this camera was vulnerable up until this week when all this stuff came out and i think that’s part of the reason why a lot of customers are rightfully upset because they were told that the camera was not being supported any longer and that it could not get security updates but it was not clear that this camera had a gaping hole in it and i think that is why wise is getting a lot of negative attention here from customers and rightfully so because they should have said to people stop using the camera not just your camera’s not getting updates any longer and while they did disclose to people that the camera had reached its end of life it hadn’t been sold since march of 2018 they really should have told customers that there was a critical problem with this camera and they should stop using it and to the question as to why it took three years for us to find out about this both bitdefender and wise have said in separate statements this is the one coming from the wise blog that they wanted to get this risk completely mitigated before they talked about what the vulnerability was that’s a practice that does exist in the industry but it doesn’t usually take three years to go from the initial discovery to the final patch and i think that’s what is exacerbating this particular situation but it looks like as of now everything is patched up and

even if you are running with one of those version one cameras it is really difficult for somebody who doesn’t have access to your network to get to that camera unless they found some way to burrow into that network first so to the verges corrected language it is very much a theoretical risk at this point but the fact that that camera has very little memory and can’t be updated ever again i think it’s probably prudent to discontinue use of it at this point and switch to one of the newer cameras or maybe choose a different brand if you’re not happy with wise so that brings us to some best practices that you can pursue with your iot devices and i think one of the most important things you can do is to get them off the local network basically get them away from your computers and all the other things where you’ve got personal information that’s stored and the best way to do that is to put it on your router’s guest network now nothing is foolproof from completely being unhackable but this does add a layer of additional security that isolates your smart home devices which may not get updated all that often from the rest of your important stuff and that’s really easy to do and it’s something that i think everyone should do with these devices

irrespective of who manufactures it the next big one is to keep firmware up to date and on the wise app if you jump into their account section and go over to firmware update you can get everything updated all in one place and the app will keep track of where you’re at here my garage camera needs an update so i’m going to push that through and all of my y stuff is living on a network completely separate from the other stuff here i’ve actually got two basically two internet connections at my house now with my new service and i put all the wise stuff on that and all my other things on the other network and that’s been a way for me to isolate everything but the firmware updates are really critical and unfortunately a lot of this stuff doesn’t update automatically wise has been getting better about automatic updates i think most of their new products do update automatically but there’s a lot of brands out there that don’t have automatic updates and i think that’s where you might want to put something in your calendar every month or two to jump in and check through all of those devices to make sure they are up to date because even light bulbs can get hacked and become a source of aggravation or a violation of your privacy uh the next one here is to discontinue use of end of life products and i know we hate that notion of throwing out perfectly functional things but if they’re not getting updated they’re vulnerable and if there’s a lot of them out there like the wisecam version one that’s a juicy target for hacking groups because

they can put a script together and just deploy it across the internet automatically and it’ll pick up whatever it picks up we saw that with qnap so i think if you can just call up the local electronics recycler and just get all that discontinued stuff out of your house i think that will make you a lot safer so hopefully this video gave you a better sense as to what this vulnerability was all about again to really exploit this you have to be on the local network and most of these cameras are just not accessible to the outside world in a way that this exploit could have been done remotely that said i think it’s time to get those version one cameras off your network and it’s probably also a good time to isolate all of your iot devices not just the y stuff into their own network or onto your guest network keep those firmwares up to date and keep on it because the more stuff you have connected the more entry points you have and i think it’s really important to really stay on top of this stuff to prevent something bad from happening in the future where perhaps something might be accessible from the outside but for now i think for most people their risk for this exploit was quite low until next time this is lon seiben thanks for watching this channel is brought to you by the london tv supporters including gold level supporters jim tannis and tom albrecht hot sauce and video games and eric’s variety channel brian parker and frank goldman amda brown and matt zagaya and chris allegretta if you want to help the channel you can by contributing as little as a dollar a month head over to lawn dot tv support to learn more and don’t forget to subscribe

Read More: Blackberry Key2 LE vs Key2 What’s changed?