Sunday, April 10, 2022

Don't Believe Everything You Read on the Internet

I guess the title of this post is obvious, but from time to time I just have to repeat it.

You'll remember that I'm a big fan of Wyze. But that doesn't lower my expectations of them.

The Verge did a "The Sky is Falling" story on Wyze's v1 camera. Incidentally, Wyze stopped selling it in 2018. They continued supporting it until January 2022.

The security research firm Bitdefender discovered a vulnerability in the v1 camera in March 2019. For some unclear reason, Bitdefender didn't go public with this after a responsible time. Nor did Wyze share the vulnerability with its customers.

Then the media started piling on. Read some here.

Even my favorite security podcast featured the vulnerability as "Not So Wyze."

Squarely in the doghouse this week is WYZE whose super-popular webcams have problems which are just as serious as those of the company itself... and, oh!, the authentication bypass details, which I'll share, are SO wonderful!

But don't stop listening there. Listen on to 1:31:12. Someone in the chat room asked "Would it be safe to use a Wyze cam v1 behind a firewall?" Steve answered "I think so. ... The threat model is that you might have mapped a port through it so that you had access to the camera directly, remotely ..."

Listen folks, if you have mapped a port through your firewall to your security camera, you get what you deserve.
