A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices.
Wyze Cam v3 is a top-selling, inexpensive indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone control, IP65 weatherproofing, and more.
Security researcher Peter Geissler (aka bl4sty) recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices.
The first is a DTLS (Datagram Transport Layer Security) authentication bypass problem in the ‘iCamera’ daemon, allowing attackers to use arbitrary PSKs (Pre-Shared Keys) during the TLS handshake to bypass security measures.
The second flaw manifests after the DTLS authenticated session has been established when the client sends a JSON object.
The iCamera code that parses that object can be exploited due to bad handling of a specific array, leading to a stack buffer overflow where data is written into unintended parts of the memory.
Attackers can leverage the second vulnerability to overwrite the stack memory and, given the lack of security features like stack canaries and position-independent execution in the iCamera code, execute their own code on the camera.
The exploit released by Geissler on GitHub chains these two flaws to give attackers an interactive Linux root shell, turning vulnerable Wyze v3 cameras into persistent backdoors and allowing attackers to pivot to other devices in the network.
The exploit was tested and confirmed to work on firmware versions 4.36.10.4054, 4.36.11.4679, and 4.36.11.5859.
Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are recommended to apply the security update as soon as possible.
Patching controversy
In a private discussion, Geissler explained to BleepingComputer that he made his exploit available to the public before most Wyze users could apply the patch to express his disapproval of Wyze’s patching strategies.
Specifically, Wyze’s patch came right after the competition registration deadline for the recent Pwn2Own Toronto event.
Releasing the fixes right after the registration had caused several teams that had a working exploit in their hands up until that moment to abandon the effort.
Wyze told the researcher that the timing was a coincidence and that they were merely trying to safeguard their customers against a threat they had learned about a few days before.
“I want to clarify a few things; we didn’t know about this issue for years, this is an issue in the third-party library we use and we got a report about it just a few days before pwn2own and once we got the report in our bugbounty program we patched the issue in 3 days and released to public,” reads an email sent from Wyze.
While Geissler admits that it is common for vendors to patch a bug that breaks exploit chains before the competition, he accuses Wyze of singling out that specific device to avoid negative PR from the competition, as the bug was allegedly not fixed in other devices.
BleepingComputer reached out to Wyze for a comment about Geissler’s accusations but has not received a response at this time.
However, Wyze told another security researcher that they were only notified of the Wyze Cam v3 bug a few days before the competition and are now investigating whether it is in other devices’ firmware.
At this point, the PoC is now public, so it is likely to see mass exploitation in the future, and users are recommended to take immediate action to fix the bug.
If unable to apply the firmware update, users should isolate their Wyze cameras from networks that serve critical devices.