Wyze has a daemon (iCamera) that listens on UDP port 32761 speaking some derivative of the TUTK protocol. The outer layer of the protocol consists of scrambled/XOR'd frames using a funny constant (shout out to Charlie, the engineer!). Inside of this custom framing format you can establish a DTLS session with the camera. The only supported ciphersuite is ECDHE-PSK-CHACHA20-POLY1305,
and a typical attacker does not have access to the (device-unique) PSK. However, there was a fallback method where you could specify a PSK identity that starts with 'AUTHTKN_' during the TLS handshake in order to be able to pick an arbitrarily chosen PSK.
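Added here as a defender-side illustration, not code from this post or from Wyze: a Python model of the PSK-identity lookup a DTLS server performs during the handshake, showing the `AUTHTKN_` fallback pattern beside a hardened lookup that accepts only the provisioned identity. The device identity and PSK are constructed sample values, and the way the fallback derives key material from the client-supplied identity is an assumption made for the model.

```python
"""Model of a DTLS-PSK identity lookup: fallback pattern vs. hardened form.

Constructed illustration. The exact mechanism of the real AUTHTKN_ fallback
is not public here; this model assumes the key is derived from the identity
string the client itself supplies, which lets the peer choose the PSK.
"""
import hashlib
import hmac
from typing import Callable, List, Optional

# Constructed sample values; a real device has a unique, provisioned PSK.
DEVICE_PSK_IDENTITY = b"device-0123456789"
DEVICE_PSK = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTHTKN_PREFIX = b"AUTHTKN_"

# Rejected identities carrying the fallback prefix are worth alerting on.
REJECTED_FALLBACK_ATTEMPTS: List[bytes] = []


def psk_lookup_vulnerable(identity: bytes) -> Optional[bytes]:
    """Weak pattern: an 'AUTHTKN_' identity bypasses the provisioned PSK."""
    if identity.startswith(AUTHTKN_PREFIX):
        token = identity[len(AUTHTKN_PREFIX):]
        # Assumed fallback: key material comes from attacker-chosen input.
        return hashlib.sha256(token).digest()[:16]
    if identity == DEVICE_PSK_IDENTITY:
        return DEVICE_PSK
    return None


def psk_lookup_hardened(identity: bytes) -> Optional[bytes]:
    """Hardened: exactly one provisioned identity maps to the device PSK."""
    if hmac.compare_digest(identity, DEVICE_PSK_IDENTITY):
        return DEVICE_PSK
    if identity.startswith(AUTHTKN_PREFIX):
        REJECTED_FALLBACK_ATTEMPTS.append(identity)  # detection signal
    return None


def handshake_succeeds(lookup: Callable[[bytes], Optional[bytes]],
                       identity: bytes, client_psk: bytes) -> bool:
    """Would a peer presenting `identity` and holding `client_psk` complete
    the PSK handshake under the given server lookup policy?"""
    server_psk = lookup(identity)
    if server_psk is None:
        return False
    return hmac.compare_digest(server_psk, client_psk)
```

With the hardened lookup, a peer that does not hold the device-unique PSK cannot complete the handshake regardless of the identity it presents, and any `AUTHTKN_` identity it tries is recorded for detection.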
The exploit will use the vulnerabilities described above to spawn an interactive (connectback) shell. I have taken the liberty to backport the exploit to some older Wyze Cam V3 versions as well, just because.
The exploit has been tested on the following firmwares:
- v4.36.10.4054
- v4.36.11.4679
- v4.36.11.5859