CVE-2021-32934

It’s these guys :upside_down_face:

[mod edit] Hackers are worldwide and not just in 3rd world countries. I’m willing to bet there are hackers even in [US City] :rofl:

MOD NOTE: Post edited to conform to the Community Guidelines.

So not a parody post then. :frowning:

As noted this statement is inane - your firewall doesn’t protect Wyze camera traffic. I suspect you don’t really know what it is. Complacency puts your customers in danger. Not to mention your dismissal of those who use these same cheap cameras to monitor things they consider private. I’m slightly shocked that you are seriously playing the “nothing to hide” surveillance state defense. Shameful in my opinion.


Lol…yeah seriously though…anyone I know who “takes security that seriously” isn’t using $25-$30 Wyze cameras (sorry Wyze LOL), they’re using Hikvision or Dahua.

Exactly, Wyze cams are considered home/hobbyist cameras and definitely not a camera I would install commercially. In a commercial environment I install closed-network systems with a DVR and high-end cameras such as Axis, Cohu, or WTI Sidewinder / Viper.

Vulnerabilities reported via CERT have a non-disclosure period where companies are prohibited from discussing it with their customers. This is to protect all companies that use the vulnerable product (ex. If company A patched it and started releasing info on the vulnerability but company B, C, etc haven’t patched it yet, it would put them higher risk). The 90 day non-disclosure period just ran out, so they are only now able to discuss it.

Edit: also note that NOZOMI (the vulnerability discoverer) FAILED to follow CERT guidelines by disclosing the vulnerability on 6/15/21. They are not helping consumers by doing so and lose a lot of credibility as “security researchers.”

I bet Wyze still will keep their head in the sand and NOT answer our questions on this SDK vulnerability :rage:

We don’t even know if Wyze was even impacted. It only affected customers that used both ThroughTek’s P2P connection (“heartbeat”) AND authentication services. To narrow it down even further, if they do use both, it still only affected ThroughTek’s customers that failed to implement certain security settings.

ThroughTek says 83 million devices made by other brands, such as the camera vendor Wyze, run its software.

Mandiant, CISA urge ThroughTek customers to fix software bug. WYZE cameras…

@RLBK has brought this up in another post, “Cause for concern?!”

It is way past time for WYZE to respond to this issue.

I am considering starting a Class Action Lawsuit if WYZE is unwilling to address and fix this issue.

Have you removed your cameras from service due to this possible issue?

FYI, since you apparently don’t know the law well enough: a class-action lawsuit can only be brought against a company if they knowingly caused you irreparable harm. Since this vulnerability originated after Wyze began using ThroughTek as a vendor, it would be nearly impossible to prove that Wyze had some type of insider knowledge of what another company was doing. In actuality Wyze, at least in a legal context, has no obligation to fix any vulnerabilities after the point of sale. Again though, we do not even know if Wyze was even impacted (see my explanation above). ThroughTek is a widely used vendor in the camera/IoT space, and 83 million could easily be achieved even without the inclusion of any Wyze cameras/devices (not saying they are not, but playing devil’s advocate and not making assumptions).

That is why I said “Considering” a Class Action Lawsuit…
I am not a lawyer and will speak with my attorney…

Good luck with that.


All of my cameras are outside, so no, I have not removed and will not likely remove my cameras from service.

I do however think it is way past time for Wyze to address our concerns and answer our questions as to this.

I would not install cameras indoors anyway, knowing there could be an issue like this in the future (and now the future has arrived).

What about me ?


More press on this. CVSS score is 9.6, meaning bad, but it does not appear there is a public exploit available. https://www.zdnet.com/article/critical-iot-security-camera-vulnerability-allows-attackers-to-remotely-watch-live-video-and-gain-access-to-networks/

Also, the CVE has not yet been removed from “RESERVED” status (even though the 90 days has elapsed); this can also prevent public disclosure by affected companies.

We’re aware of the potential vulnerabilities with the third-party system and have been actively addressing the issue since before the public announcement. But with some security topics, it can be more appropriate to be prudent about the information we share so we won’t be giving further details yet. We always prioritize our customers’ safety and we appreciate your patience.


My Raccoon Guilielmus Antonius Aloysius Maria thanks you too :upside_down_face:. Petronella Philomena Possum has not commented yet and the cat doesn’t care.
