Was my camera hijacked?

Should I be concerned? Set up the Wyze Pan scan, and on my Fing box it showed up as WyzeCam… and showed the IP… then it shows Wyze Labs and shows the MAC…

Nearly 2 days later, my Fing Box reports an intrusion - trying to access my internet… looked at the Fing app and saw the WyzeCam showing as offline - greyed out, but yet camera was clearly on … and the intrusion was from - Shenzhen RF-Link Technology… slightly different IP, and a different MAC… but this is what took over from WyzeCam… as it could be viewable from that name.

I then blocked that device (Shenzhen) and the feed from the Wyze stopped… so I then had to re-set the WyzeCam and start over again, which has worked perfect since.

Just wondered if it had been hacked, or hijacked by Shenzhen… or anything else that I should be concerned about?

I don’t recognize Shenzhen, but the cams do have a bug in their firmware that will occasionally make them change from a Wyze MAC address to a Nova Electronics MAC address. “Shenzhen RF-Link Technology” sounds a little like a network card, wonder if they second-sourced the cards.

What were the first 6 digits of the new hardware address? Maybe we can get WyzeGwendolyn to ask engineering if this is a new card.

Thanks for reply information… yeah, it is an annoyance to think it (Shenzhen) bumped over Wyze to gain access… which the Fing disallowed - All hail the Fingbox… I allowed Wyze into my network but not the unknown Shenzhen who dresses up as Wyze… so not very happy it tried to sneak in there uninvited.

If it is, as you suggest, then why would that kill off the Wyze credentials and assume Wyze’s identity? ’Tis a very strange set of affairs, but since Fing has blocked it, I doubt it would be able to conjure up another IP and MAC on its own accord to try and sneak back in.

Not sure if my screenshot has uploaded but the numbers I think you are after are - IP - 192.168 and the MAC - C4:6E:7B:45:3E:B3

If it is the firmware bug, no one is “sneaking in”. It would simply be a matter of the network card’s manufacturer’s MAC address not being properly overwritten by the new Wyze camera MAC address. Just two different ways of describing the same physical camera.

Fing is simply disallowing it because it is a different address.

Assuming that’s what this is, anyway. Like I say, I don’t think we’ve seen a “Shenzhen” network card yet. However, if it is the bug, you will only ever see 2 addresses. The network card address, and the Wyze address.

Yep, C4:6E:7B crosses to manufacturer “SHENZHEN RF-LINK TECHNOLOGY CO.,LTD.”. Just a way of describing the manufacturer of the card. Now we just need engineering to say they are using the cards.

This is interesting. My FingBox is showing the following:

[Image: Wyze MAC]

The top entry is a Wyze cam I purchased back in August of 2018. The other two were purchased in the last couple of months.

A4DA22 is an early Wyze address sometimes listed as “IEEE Registration Authority”. I also have that on my first cam, bought in May of '18. After that they went to 2CAA8E, which more properly crosses to Wyze Labs.

Thanks again for info… makes me feel more at ease knowing what you described there… and indeed, my Wyze is now back showing the correct 2C:AA:8E. Blocking Shenzhen has not affected the Wyze in any shape or form, so hope that continues if, as you say, it was not properly written over with the Wyze MAC.

The only effect of blocking the Shenzhen MAC address is a probable non-working cam if that address should reappear.

You might want to submit a ticket on this. The developers are interested in the conditions under which this occurs, so your camera log could be useful to them.

Yeah for sure… but I’m brand new here tonight so need a little guidance on how to submit a ticket, and where to find my log to send in to them.

Sure. To submit a log, this has to be done from within the app:

Press the Account tab, then Help & Feedback, Report an Issue.

The Subject can be “MAC Address Change”. Detail that the address changed while the camera was running (or at startup, whichever it was), and that we tell you no one has seen this manufacturer before. Then tell them the first 6 digits of the Shenzhen address. Along with any other details you’d like to add, of course.

Then select the camera in question, and make sure “Send Log Files” is checked.

Let us know what they say. Thanks!

PS – It may take a couple weeks for a response, I hear they are really backlogged. However you are working, so that should be no problem.

When I complete the form as you suggested, and click submit… it just opens my contacts list? When I then close that list, the page I have filled out erases everything I typed? What went wrong? [Image: Screenshot_20190612-023321]

It will send the report using your email. Do you use email on that device? If not, do you have another device with the Wyze app that has email active?

Ahhhh ok… will use email… thanks, will return to update when they reply as it may help others asking same thing in the future?

Yes. We are curious if what we think is true; this is a new situation. Thanks!

Thanks very much again… have now submitted the report to Wyze Support, along with the Log file.
I shall report back with their reply.

Shenzhen is the high tech district where most of China’s electronics firms are based. It could still be either an attempt to dial home for some reason (malicious or otherwise) or an intrusion. Hard to say.

Best advice is lock down your router as best as possible. Turn off UPnP. Restrict access to local only for the cameras if possible, never enable port forwarding. If you need remote viewing, set up a VPN.

Although RF-LINK is located in Shenzhen, what you see above is not an originating location for a connection. It’s a simple database lookup of a manufacturer ID from a MAC address prefix. The C4:6E:7B prefix simply crosses to manufacturer “SHENZHEN RF-LINK TECHNOLOGY CO.,LTD.” in a database. Nothing more.

So let’s not make it more nefarious than it is. It does not reflect whether a device is dialing home, it only reflects that there is an unknown MAC address on your network. In this case his camera stopped working when it was blocked, exactly what you would expect with the current firmware bug.

The same thing happened to me several versions ago. Support said it was an issue previously and they had addressed it in an update. They recommended reflashing the camera and said they would make sure it was resolved in another release. The reflashing resolved the issue and I have not had the issue for at least the last two updates.

Here is the initial response from support.

“Thanks for reaching out to us! Your case was brought to my attention, and I’m happy to help in any way I can.

All Wyze Cams have a MAC address assigned during manufacturing for the camera as a whole, but the WiFi component has its own MAC which we’ve suppressed through the firmware. We’ve seen a bug in the past which caused the WiFi component’s MAC to become recognized as the camera’s MAC, but we pushed a fix for this out in a firmware upgrade last year.

I tried looking up the MAC you sent with your original email, and it doesn’t appear to be associated with any of our cameras’ associated MACs. This tells me that it could potentially be the WiFi component. Are you able to verify that it’s specifically associated with one of the Wyze Cams? For example, if you unplug the camera, do both MACs disappear at the same time?”
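
The unplug test support asks for, together with the prefix lookup discussed earlier in the thread, can be run over periodic network-scan results. This is an added example, not code from Wyze, Fing or any poster; the snapshot data, the full Wyze address and the router address are constructed, and the function names are hypothetical.

```python
# Added example. Snapshots and the full Wyze address are constructed.
OUI_VENDORS = {  # the three prefixes quoted in this thread
    "C46E7B": "SHENZHEN RF-LINK TECHNOLOGY CO.,LTD.",
    "2CAA8E": "Wyze Labs",
    "A4DA22": "IEEE Registration Authority",
}
CARD = "C4:6E:7B:45:3E:B3"    # address quoted in the thread
WYZE = "2C:AA:8E:00:00:01"    # constructed; only the prefix is from the thread
ROUTER = "02:00:00:00:00:01"  # constructed, unrelated device

def normalize(mac):
    """Return the MAC as 12 uppercase hex digits, or raise ValueError."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def vendor(mac):
    """Manufacturer label for the first 6 hex digits; not a location."""
    return OUI_VENDORS.get(normalize(mac)[:6], "unknown")

def same_device_check(snapshots, mac_a, mac_b, unplug_start, unplug_end):
    """snapshots: (time, MACs online in that scan); unplug window is inclusive."""
    pair = {normalize(mac_a), normalize(mac_b)}
    concurrent, seen_unplugged, seen_plugged = False, set(), set()
    for t, macs in snapshots:
        online = {normalize(m) for m in macs} & pair
        concurrent = concurrent or online == pair
        if unplug_start <= t <= unplug_end:
            seen_unplugged |= online
        else:
            seen_plugged |= online
    return {
        "concurrent": concurrent,
        "seen_while_unplugged": sorted(seen_unplugged),
        # A single Wi-Fi interface switching addresses never shows both at
        # once, and an unplugged camera cannot answer under either address.
        "consistent_with_one_device":
            not concurrent and not seen_unplugged and seen_plugged == pair,
    }

SNAPSHOTS = [  # constructed scan results, time in minutes
    (0, [ROUTER, WYZE]), (10, [ROUTER, WYZE]),
    (20, [ROUTER, CARD]), (30, [ROUTER, CARD]),   # address switched
    (40, [ROUTER]), (50, [ROUTER]),               # camera unplugged
    (60, [ROUTER, WYZE]),                         # plugged back in
]
if __name__ == "__main__":
    print(vendor(CARD), same_device_check(SNAPSHOTS, WYZE, CARD, 40, 50))
```

If either address is still seen while the camera is unplugged, the result lists it under `seen_while_unplugged` and the one-device explanation no longer holds for that address.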