Eufy’s camera stream URLs offer hackers an easy brute-force option

December 16, 2022 - TuxCare PR Team

Eufy denies claims that its cameras can be live streamed without encryption.

Eufy stated that it does not upload identifiable footage to the cloud, and it disputes that its camera streams can be watched without encryption in VLC simply by connecting to a supposedly unique cloud server address.

“eufy Security adamantly disagrees with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions,” Eufy said.

The company added that the idea of Eufy’s cloud-free cameras uploading thumbnails with facial data to cloud servers was a misunderstanding, as was its failure to disclose a feature of its mobile notification system to customers. When asked about it, Brett White, a senior public relations manager at Anker, Eufy’s parent company, said: “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC.”

All of these statements were made after a security engineer, identified on Twitter as Wasabi Burns, discovered vulnerabilities that allow access to camera footage via the VLC player. The findings were supported by information security consultant Paul Moore and by Sean Hollister of The Verge.

To back up these claims, The Verge editors were able to watch live footage from two Eufy cameras from across the United States by first obtaining an IP address and then entering a username and password to gain access to a feed, demonstrating that Anker has a way to bypass encryption and access these ostensibly secure cameras via the cloud. Security experts say that it only works on active cameras, and all of this is happening despite Anker’s loud marketing promise that it would not.

Although the method is now more difficult to implement, which may indicate that Eufy is now addressing the issue, threat actors can still figure out the address of a camera’s feed because that address largely consists of a camera’s serial number encoded in Base64, which can be easily reversed with a simple online calculator.
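The design weakness described above, shown from the defender's side as an added example (not code from Eufy, Anker or the article): an identifier that is only a Base64-encoded serial is fully reversible, while a server-issued token with a random nonce, an expiry and an HMAC is not derivable from the serial. The serial value, key handling and all function names are assumptions made for illustration and do not reflect any real vendor URL format.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed placeholder, not a real device serial.
SAMPLE_SERIAL = "SN-EXAMPLE-000123"

def weak_stream_id(serial):
    """Identifier derived only from the serial. Base64 is an encoding, not a secret."""
    return base64.urlsafe_b64encode(serial.encode()).decode()

def recover_serial(stream_id):
    """Anyone can convert in both directions; no key is involved."""
    return base64.urlsafe_b64decode(stream_id.encode()).decode()

def issue_stream_token(key, serial, ttl=60, now=None):
    """Hardened form: per-session random nonce plus expiry, bound to the camera by HMAC."""
    expires = int((time.time() if now is None else now) + ttl)
    nonce = secrets.token_urlsafe(16)  # 128 random bits, never contains "."
    msg = f"{serial}.{expires}.{nonce}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{nonce}.{tag}"

def verify_stream_token(key, serial, token, now=None):
    """Reject malformed, forged, wrong-camera and expired tokens."""
    try:
        expires_s, nonce, tag = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    msg = f"{serial}.{expires_s}.{nonce}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False
    return (time.time() if now is None else now) < expires

if __name__ == "__main__":
    sid = weak_stream_id(SAMPLE_SERIAL)
    print("weak id:", sid, "->", recover_serial(sid))
    key = secrets.token_bytes(32)  # server-side secret, never sent to clients
    tok = issue_stream_token(key, SAMPLE_SERIAL)
    print("token valid now:", verify_stream_token(key, SAMPLE_SERIAL, tok))
```
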

The sources for this piece include an article in ArsTechnica.

Watch this news on our YouTube channel: https://www.youtube.com/watch?v=urdz4AaEMo8
