Eufy cameras with “local storage” can stream from anywhere unencrypted.
When security researchers discovered that Eufy’s supposedly cloudless cameras were uploading face data thumbnails to cloud servers, Eufy responded that it was a misunderstanding, failing to disclose to customers an aspect of its mobile notification system.
It seems that now there is more understanding, and this is not good.
Eufy has not responded to other claims by security researcher Paul Moore and others, including that it would be possible to stream from Eufy’s camera to VLC Media Player if you had the correct URL. Last night, The Verge, working with security researcher “wasabi”, who first tweeted about the issue, confirmed that it could access Eufy’s camera streams without encryption via the Eufy server URL.
This makes Eufy’s privacy promises of footage that “never leaves the security of your home”, end-to-end encrypted and only sent “straight to your phone”, highly misleading, if not outright dubious. It also contradicts Anker/Eufy’s senior PR manager, who told The Verge that it’s “impossible” to watch the footage with a third-party tool like VLC.
The Verge notes some caveats similar to those that applied to the cloud-hosted thumbnails. Basically, you will usually need a username and password to open and access the unencrypted stream URL. “Usually,” that is, because the camera’s URL seems to follow a relatively simple scheme: the camera’s serial number in Base64, a Unix timestamp, a token that The Verge says is not verified by Eufy’s servers, and a four-digit hex value. Eufy serial numbers are usually 16 digits long, but they are also printed on some boxes and can be obtained elsewhere.
We have contacted Eufy and Wasabi and will update this post with any additional information. Researcher Paul Moore, who initially raised concerns about Eufy’s cloud access, tweeted on November 28 that he had “a lengthy discussion with [Eufy’s] legal department” and would not comment on further action until he had an update to share.
(Update 5:42 pm ET: Ars spoke to Wasabi, who confirmed he can view Eufy camera feeds from systems outside of his network without authentication or other Eufy devices on that system. “Eufy seems to be trying to just block people from viewing data that their (web) app sends instead of actually solving the problem,” they wrote.
Wasabi also noted that due to the way the remote URLs are set up, there are only 65,535 combinations that can be tried, “which a computer can do pretty quickly.”)
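The property The Verge reports as missing is server-side verification: a stream URL should only be honoured if the server can confirm it issued that exact URL for that device, and not after it has expired. The Python below is an added example of such a signed-URL scheme; it is not Eufy’s code and nothing in it is recovered from their service. The serial and expiry are bound together by an HMAC under a key only the server holds, so changing any field, or reusing the link later, fails verification. The endpoint name, the sample serial and the key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret: in a real deployment this lives only on the
# streaming server, is never sent to clients, and is rotated on a schedule.
SERVER_KEY = secrets.token_bytes(32)

BASE_URL = "https://stream.example.invalid/live"  # hypothetical endpoint


def _encode_serial(serial: str) -> str:
    """URL-safe Base64 of the device serial, without padding."""
    return base64.urlsafe_b64encode(serial.encode()).decode().rstrip("=")


def _signature(serial_b64: str, expires_at: int, key: bytes) -> str:
    """HMAC-SHA256 over every field the server must trust about the URL."""
    msg = f"{serial_b64}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_stream_url(serial: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    """Issue a short-lived stream URL for an already-authenticated user."""
    serial_b64 = _encode_serial(serial)
    params = {
        "id": serial_b64,
        "exp": expires_at,
        "sig": _signature(serial_b64, expires_at, key),
    }
    return f"{BASE_URL}?{urlencode(params)}"


def verify_stream_url(url: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """Server-side check: honour the URL only if the signature matches the exact
    serial and expiry it carries, and the expiry is still in the future."""
    query = parse_qs(urlparse(url).query)
    try:
        serial_b64 = query["id"][0]
        expires_at = int(query["exp"][0])
        presented = query["sig"][0]
    except (KeyError, ValueError):
        return False  # malformed or missing fields are rejected outright
    if now >= expires_at:
        return False  # expired links cannot be replayed later
    expected = _signature(serial_b64, expires_at, key)
    # Constant-time comparison so timing differences do not leak the signature.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    import time

    serial = "EXAMPLE-SERIAL-0001"  # constructed placeholder, not a real serial
    url = make_stream_url(serial, int(time.time()) + 300)
    print(url)
    print("valid now:", verify_stream_url(url, int(time.time())))
    # Changing any signed field invalidates the link.
    print("tampered id:", verify_stream_url(url.replace("id=", "id=X"), int(time.time())))
```

The point of the design is that the guessable parts of the URL (a serial that may be printed on the box, a timestamp) carry no authority on their own; only the server-computed signature does, and a short expiry limits how long a leaked link stays useful.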
Vulnerability discovery is the norm rather than the exception in smart home and home security products. Ring, Nest, Samsung, Owl’s corporate meeting camera: if it has a lens and connects to Wi-Fi, you can expect a flaw to show up at some point, and headlines with it. Most of these flaws are limited in scope, difficult for an attacker to exploit, and with responsible disclosure and rapid response, they ultimately make devices and systems more reliable.
In this case, Eufy doesn’t look like a typical cloud security company with a typical vulnerability. An entire page of privacy promises, including some valid and genuinely good moves, became largely out of date within a week.
You can argue that anyone who wants to be notified of camera events on their phone should expect some cloud servers to be involved. You can accept Eufy’s position that the cloud servers you can reach with the correct URL are just a waypoint for streams that must eventually leave the home network, under the protection of the account password.
But it must be especially painful for customers who bought Eufy products on the premise that their footage is stored locally and securely, unlike other cloud firms, only to see Eufy struggle to explain its cloud reliance to one of the largest technology news outlets.