Thursday, July 25, 2019

Wyze Cameras - Keeping Honest Vendors Honest - Part II – Test Results

By Tony Lee

Quick Recap from part I in the series:
It can be difficult for a security nerd to inherently trust cloud vendors and products that do not keep all data on-premises—especially when it comes to home automation IoT devices such as cameras since they can record sensitive data. One such product with excellent reviews, ample capability, and a very reasonable price is the ever-popular Wyze Camera. So, I snatched up a Wyze Cam v2 triple pack that went on-sale, but became concerned after reading reviews and even a Reddit thread found here (https://www.reddit.com/r/wyzecam/comments/beq0sk/do_you_trust_wyze/) and here (https://www.reddit.com/r/wyzecam/comments/7cykgf/wyzecam_sending_data_to_servers_other_than_aws/) mentioning the data is possibly going to China. Note: while no country is perfect, not all countries condone state-sponsored corporate espionage and mass general population data collection.  Just sayin...

One positive note at the time was that it seemed that the manufacturer was chiming in on the Reddit threads explaining that they attempted a fix and that they needed someone to test again. So, in order to test the validity of the reviews and to help answer WyzeTao in the second article:  “We are asking help from some Reddit forum helpers to help check.”, we needed to set up our own environment.  This blog series outlines both the setup involved and then the results.
If you are setting this up yourself, you should refer to Part I - Setup here:   http://www.securitysynapse.com/2019/07/wyze-cameras-keeping-honest-vendors-honest-I.html

Spoiler:
Our camera arrived with firmware version 4.9.2.52 (Release date: October 22, 2018) and we upgraded to the latest version at the time of: 4.9.3.64 (Release date: December 17, 2018). We found that the other reviewers were correct in that the data was going to China (and other countries) due to a content distributor that Wyze useshowever, after working with the very responsive manufacturer, Wyze corrected the issue for everyone. So a huge thanks goes to Tao And Martin at Wyze for their great handling of this responsible disclosure.  Now, please update your mobile app and camera to the latest version (or newer) found below :-)

Corrected Versions:
Mobile app:  V2.4.24 (release date:  July 9th, 2019)
Wyze Cam v2 Firmware V4.9.4.108 (Release date: July 8, 2019)  <-- Update your camera firmware!



Traffic Analysis

After completing the setup in Part I of this series and opening wireshark, it is now time to analyze the traffic. We mentioned previously that we set a display filter (ex:  ip.addr==192.168.8.214) to narrow in on only traffic to and from the Wyze Camera.

Figure 5:  Wyze Cam v2 traffic


As you can see, the Wyze Camera is making DNS requests for:

  • gm.iotcplatform.com
  • cm.iotcplatform.com


These FQDNs resolved to the following IP addresses:
gm.iotcplatform.com

  • 52.79.197.188
  • 50.7.98.242
  • 198.16.70.58


cm.iotcplatform.com

  • 120.24.59.150


Using MaxMind GeoIP2, these IPs are located in the following countries:


Figure 6:  GeoIP resolution


This leaves us with the following:
gm.iotcplatform.com

  • 52.79.197.188 - Incheon, South Korea - Amazon.com
  • 50.7.98.242 - Los Angeles, United States - FDCservers.net
  • 198.16.70.58 - Amsterdam, Netherlands - FDCservers.net 


cm.iotcplatform.com

  • 120.24.59.150 - China - Hangzhou Alibaba Advertising Co.,Ltd.


Traffic Sent

If you were wondering if actual camera traffic was sent through China (via 120.24.59.150), it was indeed.


Figure 7:  Traffic sent to China


That said, the data by default does not use RTSP and could not easily be interpreted. Per Wyze, “The contents are encrypted via AES 128-bit encryption to protect the security of the live stream and playback data. During the connection process, every device in the process has its own secret key and certification, so that we can validate their identity during handshake. Even if a hacker intercepts the data package, the data cannot be decrypted.”

Source:  https://support.wyzecam.com/hc/en-us/articles/360009314072-Security-Privacy- 


Working with Wyze

After reporting the issue to Wyze tech support, they were extremely professional and concerned that the previous patch did not work. They worked quickly to provide a solution and test firmware (test version 4.9.4.44) that appeared to fix the issue.

Instead of the previous firmware querying "gm.iotcplatform.com" and "cm.iotcplatform.com", the new firmware queries "us-master.iotcplatform.com".  Just to be thorough, we let it run a bit and monitored for other traffic and found the following:

api.wyzecam.com

  • 34.208.107.136
  • 35.161.164.220
  • 35.167.190.246


wyze-iot.s3-us-west-2.amazonaws.com

  • 52.218.160.49


a24rq1e5m4mtei-ats.iot.us-west-2.amazonaws.com

  • 35.160.15.131


us-master.iotcplatform.com

  • 50.19.254.134
  • 50.7.98.242

Figure 8:  New GeoIP results


Conclusion

The initial contact took a little while, however over a one month period of working with the vendor, they were able to correct the issue. The level of detail and follow-through was greatly appreciated. Wyze engineers took our concerns seriously and delivered an acceptable solution. Based on our interactions, they appear to be an honest and transparent company that is focused on doing right by their customers. That is just one more reason in my book for us to purchase more Wyze cameras.


Disclaimer:  We do not work for Wyze (or any of the vendors mentioned) and do not benefit from this article in anyway. All cameras were purchased the same as anyone else.  We do like their customer service, quality of the goods, and prices though.  :-)

2 comments:

  1. This is great information, and it helps knowing where it is sending data. However, just because it is initially sending your data to a local or "friendly" country, does not mean your data is not then transferred to another. For it to be secure, and for your data to not be viewed by unwanted people, the settings should have an option to fully disable communications to an outside network. Yes, this will disallow you from connecting to the camera with your phone, from the internet, but they could make it work on internal networks. In summary, the update is nothing more than a smoke screen and your data still can be accessed by unknown sources.

    ReplyDelete
    Replies
    1. Thanks for your comments and valid points. There will always be a certain amount of trust given to providers of anything. For example: Google, Microsoft, Apple, 23&Me, your employer, your bank, your doctor, your local library, and so on. I don't even like entrusting the privacy of my name with majority of that list, but sometimes that is difficult to avoid--your library needs your name. ;-)

      Fortunately, in this case, there are some other options if you still want to use the remarkably affordable hardware from Wyze.

      1) You can use a partially open source firmware from openipcamera called OpenIPC: https://github.com/openipcamera/openipc-firmware

      - Or -

      2) You can flash the camera with a version of firmware from Wyze that enables Real Time Streaming Protocol (RTSP) and send it to a local IP camera server: https://support.wyzecam.com/hc/en-us/articles/360026245231-Wyze-Cam-RTSP

      When I get more spare time, I will try out both of them and let you know. Either way, at least you have some additional options.

      Thanks again!
      -Tony

      Delete