In a startling revelation, two vulnerabilities in the Wyze Cam V3 have opened the door for attackers to remotely seize control of the devices. Although Wyze released a security update to address these issues, they failed to clearly mention this in their release notes. A proof-of-concept exploit has already surfaced online, with the researcher responsible for discovering the vulnerability indicating that other Wyze products may also be at risk—yet remain unpatched.
Ambiguous Firmware Update
On October 22, Wyze rolled out a firmware update for its V3 camera, ambiguously noting in the release statement that the update included some “security improvements.” No further details were provided. A mere two days later, the Pwn2Own hacking competition took place in Toronto, featuring the Wyze V3 camera as one of its targets. The update that Wyze pushed just days before addressed several vulnerabilities, including an authentication bypass.
Pwn2Own Contest Reveals Unpatched Flaws
Researchers intending to exploit this security gap for the contest had to withdraw their entries when they realized the patch had already addressed it. “I think Wyze wanted to avoid a mini PR nightmare by hoping their camera wouldn’t get pwned during Pwn2Own. That didn’t work, as some other teams had different vulnerabilities that didn’t leverage the authentication bypass,” said Peter Geissler, the researcher who published the proof-of-concept exploit.
Exploit Grants Shell Access to Attackers
Geissler’s exploit takes advantage of two vulnerabilities, enabling an attacker to gain shell access on the device. This could potentially allow the attacker to maintain long-term access or attempt to compromise other devices on the network. “For anyone who believes Wyze’s narrative that they were only informed about the authentication bypass just before the competition, ask yourself why they’ve only fixed the problem in their V3 camera and not in their other vulnerable products,” Geissler added.
Wyze’s Response and Unanswered Questions
In its defense, Wyze stated they were unaware of the issue for years and only received the bug report a few days before the Pwn2Own event. They then patched the problem in three days and distributed the update. However, Geissler questions why the company has not extended this fix to its other products that share the same vulnerability.
As it stands, multiple researchers managed to compromise the Wyze V3 camera during the Pwn2Own competition, using different vulnerabilities for which no security updates are currently available. Wyze has indicated they are investigating whether other devices in their portfolio are also vulnerable, but for users, the questions—and risks—remain.