ClickCease Eufy’s camera streams URL offers hackers easy brute-force option

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Eufy’s camera streams URLs offers hackers easy brute-force option

Obanla Opeyemi

December 16, 2022 - TuxCare expert team

Eufy denies claims that its cameras can be live streamed without encryption.

Eufy stated that it does not upload identifiable footage to the cloud from its camera streams using VLC without encryption simply by connecting to a supposedly unique cloud server address.

“eufy Security adamantly disagrees with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions,” Eufy said.

Adding that the idea of Eufy’s cloud-free cameras uploading thumbnails with facial data to cloud servers was a misunderstanding, as was the company’s failure to disclose a feature of its mobile notification system to customers. When asked about it, Brett White, a senior public relations manager at Anker, Eufy’s parent company, said; “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC.”

All of these claims were made after a security engineer, identified on Twitter as Wasabi Burns, discovered vulnerabilities that allow access to their footage via VLC player, and was supported by Information Security Consultant, Paul Moore, and Sean Hollister of The Verge.

To back up these claims, The Verge editors were able to watch live footage from two Eufy cameras from across the United States by first obtaining an IP address and then entering a username and password to gain access to a feed, demonstrating that Anker has a way to bypass encryption and access these ostensibly secure cameras via the cloud. Security experts claim that it only works on active cameras, and all of this is happening despite Anker’s loud marketing promise that it will not.

Although the method is now more difficult to implement, which may indicate that eufy is now addressing the issue, threat actors can still figure out the address of a camera’s feed because that address largely consists of a camera’s serial number encoded in Base64, which can be easily reversed with a simple online calculator.

The sources for this piece include an article in ArsTechnica.

Eufy’s camera streams URLs offers hackers easy brute-force option
Article Name
Eufy’s camera streams URLs offers hackers easy brute-force option
Eufy denies claims that its cameras can be live streamed without encryption. Eufy claim it does not upload identifiable footage to the cloud.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023