Anker's Eufy lied to us about the safety of its security cameras

Anker’s Eufy lied to us about the safety of its security cameras

Anker has built a remarkable reputation for quality over the past decade, growing its phone charger business into an empire spanning all manner of portable electronics, including the Eufy home security cameras we’ve recommended over years. Eufy’s commitment to privacy is remarkable: it promises that your data will be stored locally, that it “never leaves the security of your home”, that its images are only transmitted with military-grade encryption “end-to-end”, and that they will only send those images “directly to your phone”.

So you can imagine our surprise to learn that you can stream video from a Eufy camera on the other side of the country without any encryption.

a:hover]:text-gray-63 text-gray-63 dark:[&>a:hover]:text-gray-bd dark:text-gray-bd dark:[&>a]:text-grey-comics [&>a]:shadow-underline-gray-63 [&>a:hover]:shadow-underline-dark black:[&>a]:shadow-underline-dark gray:[&>a:hover]:shadow-underline-gray”>Screenshot by Sean Hollister / The Verge

Worse still, it’s not yet clear how widespread it might be – because instead of addressing it head-on, the company has falsely claimed The edge that was not even possible.

On Thanksgiving Day, infosec consultant Paul Moore and a hacker who calls himself Wasabi both alleged that Anker’s Eufy cameras can stream without encryption via the cloud – simply by connecting to a single address on Eufy’s cloud servers with the free VLC media player.

When we asked Anker to confirm or deny this, the company flatly denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, senior PR manager at Anker, via email.

But The edge can now confirm that this is not true. This week we’ve repeatedly watched live footage from two of our own Eufy cameras using that same VLC media player, from all over the US – proving that Anker has a way to bypass encryption and gain access to these supposedly cloud-secured cameras.

There’s good news: there’s no evidence yet that this was exploited in the wild, and the way we originally got the address required logging in with a username and password. passes before Eufy’s website spits out the stream without encryption. (We don’t share the exact technique here.)

Also, it seems to only work on cameras that are awake. We had to wait for our floodlight camera to detect a passing car or its owner pressing a button before the VLC stream came to life.

Your camera’s 16-digit serial number – likely visible on the box – is the biggest part of the key

But it’s also getting worse: Eufy’s best practices seem to be so poor that bad actors might be able to figure out a camera’s stream address – because that address largely consists of the serial number of your camera Base64 encoded, something you can easily reverse with a simple online calculator.

The address also includes a Unix timestamp that you can easily create, a token that Eufy’s servers don’t seem to actually validate (we changed our token to “arbitrary potato” and it still worked), and a random hex to four digits including 65,536 combinations could easily be brutally forced.

“It’s definitely not how it should be designed,” said Mandiant vulnerability engineer Jacob Thompson. recount The edge. For one, the serial numbers don’t change, so a bad actor could give or sell or donate a camera to Goodwill and still watch the streams quietly. But also, he points out that companies don’t tend to keep their serial numbers secret. Some stick them right on the box they sell at Best Buy – yes, including Eufy.

On the plus side, Eufy serial numbers are 16 characters long and not just an increasing number. “You won’t be able to just guess IDs and start punching them,” says Mandiant Red Team consultant Dillon Franke, calling it a possible “saving grace” of the disclosure. “That doesn’t sound as bad as if it was UserID 1000, so you try 1001, 1002, 1003.”

It could be worse. When Georgia Tech security researcher and Ph.D. candidate Omar Alrawi was studying smart home malpractices in 2018, he saw certain devices substitute their own MAC address for security – even though a MAC address is only twelve characters long, and you can usually figure out the first six characters just by knowing which company made a gadget, he explains.

“The serial number now becomes essential to keep secret.”

But we also don’t know how those serial numbers could leak, or if Eufy might even unwittingly provide them to anyone asking. “Sometimes there are APIs that will return some of those unique credentials,” Franke says. “The serial number now becomes essential to keeping the secret, and I don’t think they would treat it that way.”

Thompson also wonders if there are other potential attack vectors now that we know Eufy’s cameras aren’t fully encrypted: “If the architecture is such that they can order the camera to start stream at any time, anyone with admin access has the ability to access the IT infrastructure and look at your camera,” he cautions. This is a far cry from Anker’s claim that the footage is ” sent directly to your phone and only you have the key”.

By the way, there are other worrying signs that Anker’s security practices may be much, much worse than they let on. This whole saga began when infosec consultant Moore started tweeting accusations that Eufy violated other security promises, including uploading thumbnail images (including faces) to the cloud without permission and do not delete stored private data. Anker would have admitted first, but called it a misunderstanding.

More worrying if true, he also claims that Eufy’s encryption key for its footage is literally just the plaintext string “ZXSecurity17Cam@”. This phrase also appears in a GitHub repository from 2019 as well.

Anker did not respond The edgeThe simple yes or no question of whether “ZXSecurity17Cam@” is the encryption key.

We were also unable to get more details from Moore; he said The edge he cannot comment further now that he has started legal proceedings against Anker.

Now that Anker has been caught in some big lies, it’s going to be hard to trust anything the company says next – but for some it can be important to know which cameras behave and don’t behave this way. way, if anything will be changed, and when. When Wyze had a vaguely similar vulnerability, he swept it under the rug for three years; hopefully Anker will do much, much better.

Some may no longer be willing to wait or trust. “If I came across this news and had this camera in my house, I would turn it off immediately and not use it, because I don’t know who can see it and who can’t,” Alrawi tells me.

Wasabi, the security engineer who showed us how to get the network address of a Eufy camera, says he rips everything out of him. “I bought these because I was trying to be safety conscious!” he exclaims.

With some specific Eufy cameras, you may be able to try changing them to use Apple’s HomeKit Secure Video instead.

With reports and tests by Jen Tuohy and Nathan Edwards

#Ankers #Eufy #lied #safety #security #cameras

Leave a Comment

Your email address will not be published. Required fields are marked *