Check the status of CVEs. Learn More.
Keeping your systems up 100% of the time requires live patching. Our solutions will align strongly with your risk, compliance, and operational uptime requirements.
TuxCare is trusted by the most innovative companies across the globe.
Learn about TuxCare's modern approach to reducing cybersecurity risk with Blogs, White Papers, and more.
Continually increasing Cybersecurity, stability, and availability of Linux servers and open source software since 2009.
TuxCare provides live security patching for numerous industries. Learn how TuxCare is minimizing risk for companies around the world.
2x a month. No spam.
December 16, 2022 - TuxCare expert team
Eufy denies claims that its cameras can be live streamed without encryption.
Eufy stated that it does not upload identifiable footage to the cloud from its camera streams using VLC without encryption simply by connecting to a supposedly unique cloud server address.
“eufy Security adamantly disagrees with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions,” Eufy said.
Adding that the idea of Eufy’s cloud-free cameras uploading thumbnails with facial data to cloud servers was a misunderstanding, as was the company’s failure to disclose a feature of its mobile notification system to customers. When asked about it, Brett White, a senior public relations manager at Anker, Eufy’s parent company, said; “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC.”
All of these claims were made after a security engineer, identified on Twitter as Wasabi Burns, discovered vulnerabilities that allow access to their footage via VLC player, and was supported by Information Security Consultant, Paul Moore, and Sean Hollister of The Verge.
To back up these claims, The Verge editors were able to watch live footage from two Eufy cameras from across the United States by first obtaining an IP address and then entering a username and password to gain access to a feed, demonstrating that Anker has a way to bypass encryption and access these ostensibly secure cameras via the cloud. Security experts claim that it only works on active cameras, and all of this is happening despite Anker’s loud marketing promise that it will not.
Although the method is now more difficult to implement, which may indicate that eufy is now addressing the issue, threat actors can still figure out the address of a camera’s feed because that address largely consists of a camera’s serial number encoded in Base64, which can be easily reversed with a simple online calculator.
The sources for this piece include an article in ArsTechnica.
Learn About Live Patching with TuxCare
According to CyberArk researchers, GPT-based models like ChatGPT can be...
Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...
Deep Instinct researchers reported that RATs like StrRAT and Ratty...
According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...
A remote attacker could exploit multiple vulnerabilities in four Cisco...
In a notable IcedID malware attack, the assailant impacted the...