Wyze Cam v3 RCE Exploit
Wyze has a daemon (iCamera) that listens on UDP port 32761 and speaks some derivative of the TUTK protocol. The outer layer of the protocol consists of scrambled/XOR'd frames using a funny constant (shout out to Charlie, the engineer!). Inside this custom framing format you can establish a DTLS session with the camera. The only supported ciphersuite is ECDHE-PSK-CHACHA20-POLY1305, and a typical attacker does not have access to the (device-unique) PSK. However, there was a fallback method: if the PSK identity presented during the TLS handshake starts with 'AUTHTKN_', the client could pick an arbitrary PSK of its own choosing.
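To make the fallback concrete, here is an added model (not Wyze's firmware code) of a PSK lookup with the flaw described above beside a hardened one. The AUTHTKN_ derivation, the provisioned identity "camera", and the HMAC-based key confirmation are assumptions made for the model; in a real DTLS-PSK handshake the same logic lives in the server's PSK callback.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed device-unique PSK standing in for the real per-camera secret.
DEVICE_PSK = bytes.fromhex("4f" * 32)
PROVISIONED_IDENTITY = b"camera"      # hypothetical identity tied to that PSK
FALLBACK_PREFIX = b"AUTHTKN_"


def vulnerable_lookup_psk(identity: bytes) -> Optional[bytes]:
    """Model of the flawed lookup: an AUTHTKN_ identity carries its own key
    material, so the peer effectively chooses the PSK it is checked against.
    (How the key was derived from the identity is an assumption here.)"""
    if identity.startswith(FALLBACK_PREFIX):
        return hashlib.sha256(identity[len(FALLBACK_PREFIX):]).digest()
    return DEVICE_PSK


def hardened_lookup_psk(identity: bytes) -> Optional[bytes]:
    """Only the provisioned identity resolves to the device-unique PSK; any
    other identity yields None, which makes the handshake fail."""
    if hmac.compare_digest(identity, PROVISIONED_IDENTITY):
        return DEVICE_PSK
    return None


def key_confirmation(psk: bytes, transcript: bytes) -> bytes:
    """Stand-in for the handshake's PSK-bound key confirmation value."""
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def server_accepts(lookup: Callable[[bytes], Optional[bytes]],
                   identity: bytes, transcript: bytes, peer_mac: bytes) -> bool:
    """Server side: resolve the PSK for the identity and check the peer's
    confirmation against it in constant time."""
    psk = lookup(identity)
    if psk is None:
        return False
    return hmac.compare_digest(key_confirmation(psk, transcript), peer_mac)


def demo() -> dict:
    """Unprovisioned peer presenting an AUTHTKN_ identity with a key it
    derived itself, and a legitimate peer holding the real PSK."""
    transcript = b"constructed handshake transcript"
    ident = FALLBACK_PREFIX + b"self-chosen"
    self_chosen_mac = key_confirmation(vulnerable_lookup_psk(ident), transcript)
    legit_mac = key_confirmation(DEVICE_PSK, transcript)
    return {
        "vulnerable_accepts_fallback": server_accepts(vulnerable_lookup_psk, ident, transcript, self_chosen_mac),
        "hardened_accepts_fallback": server_accepts(hardened_lookup_psk, ident, transcript, self_chosen_mac),
        "hardened_accepts_device": server_accepts(hardened_lookup_psk, PROVISIONED_IDENTITY, transcript, legit_mac),
    }
```

The three results show the defect and the fix: the vulnerable lookup accepts a key the server never provisioned, while the hardened lookup rejects it and still admits the real device PSK.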
The exploit uses the vulnerabilities described above to spawn an interactive (connect-back) shell. I have taken the liberty of backporting the exploit to some older Wyze Cam V3 versions as well, just because.
The exploit has been tested on the following firmware versions: