The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication.
It should be noted that the security updates have been made available only for Wyze Cam v2 and v3, released in February 2018 and October 2020, respectively, and not for Wyze Cam v1, released in August 2017.
The older model reached end of life in 2020, and since Wyze hadn’t fixed the issue by then, those devices will remain vulnerable to exploitation forever.
If you’re using an actively supported Wyze product, make sure to apply the available firmware updates, deactivate your IoT devices when they’re not in use, and set up a separate, isolated network exclusively for them.
The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019.
The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery.
The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a firmware update addressing it.