Do you have a Wyze Cam? If you’re not sure what that is, it’s an internet camera that offers a low-cost solution to those who are interested in playing around with video and not willing to spend a ton of money on it.
Unfortunately, in this instance it’s a budget option with a bite and a significant drawback. The camera has a bug in its firmware which allows for unauthenticated remote access to videos and images stored on the camera’s local memory cards.
Even worse, although this bug has never been assigned a CVE ID, it has been a known issue for more than three years. Any remote user listening on port 80 can access the contents of the SD card in the camera.
The issue is that upon inserting an SD card into the WyzeCam, the camera automatically creates a symlink to it in the www directory which is served by the WyzeCam webserver without any access restrictions whatsoever.
So basically, if you have one of these be very careful about what images and videos you store on it because literally anyone who wants to can snoop around your camera and see what you’ve been taking videos and pictures of.
Worst of all is that most of the people who use this type of equipment tend to use a “set and forget” philosophy, so you may have purchased one of these months or even years ago and not given the matter another thought.
If that’s the case, it pays to do some housekeeping. Review the contents of the SD card and possibly disconnect the camera. If that fails, relocate it and only turn it on when you’re sure you want to record something.
This is going to continue to be a problem with most of the equipment on the “Internet of Things” until we hold manufacturers to account. Not only should this not be an issue at all, but it also shouldn’t have lingered for so long without being attended to. That’s unfortunate.
