When security researchers discovered that supposedly cloud-free Eufy cameras were Upload thumbnails with facial data to cloud serversEufy’s response was that it was a misunderstanding that it had failed to disclose an aspect of its mobile notification system to customers.
It seems that there is more understanding now, which is not good.
Eufy has not responded to other allegations from security researcher Paul Moore and others, including those that one might Stream feed from Eufy Camera in VLC Media Player, if you have the correct URL. Last night, The Verge, you work with security researcher “Wasabi” who… The problem first tweetedconfirmed that it can Access to Eufy Cam streams, free of encryptionthrough the Eufy server URL.
This makes Eufy’s Privacy promises Shots that “never leave your house” are end-to-end encrypted, and only sent “directly to your phone” is very misleading, if not downright suspicious. It also contradicts Anker/Eufy’s PR manager who told The Verge that it’s “not possible” to view the footage with a third-party tool like VLC.
The Verge notes some caveats, similar to those applied to cloud-hosted thumbnails. Basically, you will normally need a username and password to detect and access the encryption-free URL for streaming. “Usually,” because the URL to the camera feed looks like a relatively simple scheme that includes the camera’s serial number in Base64, a Unix timestamp, a token that The Verge says hasn’t been validated by Eufy’s servers, and four hexadecimal value digits. Eufy serial numbers are usually 16 digits long, but they are also printed on some boxes and may be obtained in others.
We’ve reached out to Eufy and Wasabi and will update this post with any additional information. Researcher Paul Moore, who initially raised concerns about Eufy’s cloud reach, Tweet on November 28 He had a lengthy discussion with him [Eufy’s] Legal Department” and will not comment further until it can provide an update.
Spotting vulnerabilities is more of a norm than an exception in the areas of home security and smart home. bellAnd the LiveAnd the samsungThe Company meeting cam owl—If it has a lens, and connects to Wi-Fi, you can expect a defect to pop up at some point, and the headlines go along with it. Most of these flaws are limited in scope and complex for the malicious entity to act upon, and with responsible detection and rapid response, will ultimately make hardware and systems stronger.
Eufy, in this case, doesn’t look like your typical cloud security company with your typical vulnerability. that A page full of privacy promisesincluding some remarkably correct and good moves, became largely irrelevant within a week.
You could argue that anyone who wants to be notified of camera crashes on their phone should expect some cloud servers to be involved. Giving Eufy the benefit of the doubt, the cloud servers you can access with the correct URL are simply a waypoint for streams that eventually have to leave your home network under account password lock.
But it must have been especially painful for customers who bought Eufy products under the auspices of storing their snapshots locally, securely, and differently from those of other cloud-based companies only to see Eufy struggle to explain its dependence on the cloud to one of the largest tech news outlets.
“Unapologetic communicator. Wannabe web lover. Friendly travel scholar. Problem solver. Amateur social mediaholic.”