Some Wyze devices use vulnerable ThroughTek IoT SDK (SN 833)

This is a duplicate of a post I made on GRC forums. Not much interest there for some reason. When I looked into this, there wasn’t much on Wyze forums about this, and they still haven’t said much, now a month on.

SN 833 discussed the Mandient/FireEye research into ThroughTek’s IoT SDK and some major vulnerabilities. The FireEye post said “Mandiant was not able to create a comprehensive list of affected devices…” Ha! This is typical of vulnerability research. Very rarely do you get lists of devices, unless they were specifically tested. FireEye doesn’t even tell us that. They say “ThroughTek’s clients include IoT camera manufacturers, smart baby monitors, and Digital Video Recorder (“DVR”) products.” The IoT camera link goes to which ThroughTek has taken down.

Fortunately, we have the Internet Archive (why not make a donation for their valuable service!).

Partners | ThroughTek

This reveals the one widely recognizable name in ThroughTek’s partners is Wyze . I guess that’s how you sell a camera for $30.

The complete list of clients on their page (as of 17 Aug 2021):

Their “partner” list includes industry consortiums for computer makers, cloud service providers, and an electric vehicle platform.

“What could go wrong?”

1 Like