When security researchers discovered that Eufy’s supposedly cloudless cameras were uploading thumbnails with facial data to cloud servers, Eufy’s response was that it was a misunderstanding: a failure to disclose an aspect of its mobile notification system to customers.
There seems to be more understanding now, and that’s not good.
Eufy has not responded to other claims by security researcher Paul Moore and others, including that one could view a Eufy camera’s stream in VLC Media Player, given the correct URL. Last night, The Verge, working with the security researcher “wasabi” who first tweeted the problem, confirmed that he can access Eufy camera feeds, without encryption, via a Eufy server URL.
This makes Eufy’s privacy promises of footage that “never leaves the security of your home”, is end-to-end encrypted, and only sent “straight to your phone” very misleading, if not downright dubious. It also contradicts a senior Anker/Eufy PR manager who told The Verge that “it’s not possible” to watch footage using a third-party tool like VLC.
The Verge notes a few caveats, similar to those that applied to the cloud-hosted thumbnails. Chiefly, you would typically need a username and password to reveal and access the URL for an unencrypted stream. “Typically”, because the camera’s stream URL appears to follow a relatively simple scheme involving the camera’s serial number in Base64, a Unix timestamp, a token that, according to The Verge, is not validated by Eufy’s servers, and a four-digit hexadecimal value. Eufy serial numbers are usually 16 digits long, but they are also printed on some boxes and may be obtainable elsewhere.
We have contacted Eufy and wasabi and will update this post with any additional information. Researcher Paul Moore, who initially raised concerns about Eufy’s cloud access, tweeted November 28 that he had “a long discussion with [Eufy’s] legal department” and will not comment further until he can provide an update.
(Update, 5:42 p.m. ET: Ars spoke with Wasabi, who confirmed that they can view Eufy camera feeds from systems outside their network without authentication or other Eufy devices on that system. “It looks like Eufy is just trying to prevent people from seeing the data sent by their (web) app instead of solving the problem,” they wrote.
Wasabi also noted that the way remote URLs are set up, there are only 65,535 combinations to try, “which a computer can browse pretty quickly.”)
The discovery of vulnerabilities is far more the norm than the exception in smart home and home security products. Ring, Nest, Samsung, the Owl business meeting camera: if it has a lens and connects to Wi-Fi, you can expect a flaw to surface at some point, with big headlines to accompany it. Most of these flaws are limited in scope, take real effort for a malicious entity to act on, and, with responsible disclosure and a prompt response, ultimately harden devices and systems.
Eufy, in this case, does not look like a typical cloud security company with a typical vulnerability. A whole page of privacy promises, including some valid and notably good measures, was rendered largely irrelevant in a week.
You could say that anyone who wants to be notified of camera incidents on their phone should expect some cloud servers to be involved. You could give Eufy the benefit of the doubt, that the cloud servers you can access with the correct URL are simply a waypoint for streams that eventually need to leave the home network under an account password lock.
But it must be especially painful for customers who purchased Eufy’s products on the promise of having their images stored locally, securely, and differently from those other cloud-based companies, to watch Eufy struggle to explain its own reliance on the cloud to one of the biggest tech news outlets.