This is a duplicate of a post I made on GRC forums. Not much interest there for some reason. When I looked into this, there wasn’t much on Wyze forums about this, and they still haven’t said much, now a month on.
SN 833 discussed the Mandiant/FireEye research into ThroughTek’s IoT SDK and some major vulnerabilities. The FireEye post said “Mandiant was not able to create a comprehensive list of affected devices…” Ha! This is typical of vulnerability research. Very rarely do you get lists of devices, unless they were specifically tested. FireEye doesn’t even tell us that. They say “ThroughTek’s clients include IoT camera manufacturers, smart baby monitors, and Digital Video Recorder (“DVR”) products.” The IoT camera link goes to https://www.throughtek.com/case-studies/ which ThroughTek has taken down.
Fortunately, we have the Internet Archive (why not make a donation for their valuable service!), which still has a copy of the page: Partners | ThroughTek.
This reveals the one widely recognizable name in ThroughTek’s partners is Wyze. I guess that’s how you sell a camera for $30.
The complete list of clients on their page (as of 17 Aug 2021):
- Cubo AI - maker of baby monitors - https://us.getcubo.com
- Wyze - maker of inexpensive cameras/IoT and personal devices - https://www.wyze.com
- MI.com (Xiaomi) - seems to be maker of almost every electronic device - Xiaomi Taiwan official site
- Simshine - maker of baby and other cameras - https://simshine.ai
- OTUS Imaging - maker of dash-cams - https://www.otusimaging.com/
Their “partner” list includes industry consortiums for computer makers, cloud service providers, and an electric vehicle platform.
“What could go wrong?”