
When security researchers discovered that Eufy's supposedly cloudless cameras were uploading thumbnails with face data to cloud servers, Eufy's response was that it was a misunderstanding, an aspect of the mobile notification system that had not been disclosed to customers.
There seems to be more understanding now, and that’s not good.
Eufy has not responded to claims by security researcher Paul Moore and others that it was possible to stream the feed from a Eufy camera in VLC Media Player if you had the correct URL. Last night The Verge, working with the security researcher "Wasabi," who first tweeted the issue, confirmed that it could access Eufy camera streams, without encryption, through a Eufy server URL.
This makes Eufy's privacy promises that footage "never leaves the security of your home," is end-to-end encrypted, and is only sent "directly to your phone" highly misleading, if not completely suspicious. This also contradicts a senior Anker/Eufy PR executive who told The Verge that it is "impossible" to view footage using a third-party tool like VLC.
The Verge points out some caveats similar to those for cloud-hosted thumbnails. Basically, you'll usually need a username and password to discover and retrieve the unencrypted URL of a stream. "Usually," that is, because the camera feed URL appears to follow a relatively simple scheme that includes the camera's serial number in Base64, a Unix timestamp, a token that The Verge says is not verified by Eufy's servers, and a four-digit hex value. Eufy's serial numbers are usually 16 digits long, but they are also printed on some boxes and available elsewhere.
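What server-side verification of such a token can look like, as an added example that is not Eufy's code or anything from the reporting: the path layout, key, field names and sample serial below are all hypothetical. The token is an HMAC over the other URL fields, so a known serial number and a guessed timestamp are not enough to produce a URL the server will accept.

```python
import base64
import hashlib
import hmac

# Assumption: a per-deployment secret held only by the server (constructed value).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 300  # assumption: how long a signed stream URL stays valid


def sign(serial: str, ts: int, nonce: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over every field the URL carries, so none can be swapped."""
    msg = f"{serial}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_path(serial: str, ts: int, nonce: str, key: bytes = SERVER_KEY) -> str:
    """Issue a stream path (hypothetical layout) after the user has authenticated."""
    s64 = base64.urlsafe_b64encode(serial.encode()).decode()
    return f"/stream/{s64}/{ts}/{nonce}/{sign(serial, ts, nonce, key)}"


def verify_path(path: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """Accept the request only if the token matches the fields and is fresh."""
    parts = path.strip("/").split("/")
    if len(parts) != 5 or parts[0] != "stream":
        return False
    _, s64, ts_text, nonce, token = parts
    try:
        serial = base64.urlsafe_b64decode(s64.encode()).decode()
        ts = int(ts_text)
    except ValueError:  # covers bad Base64, bad UTF-8 and a non-numeric timestamp
        return False
    # Reject fields that could blur the "|" separators in the signed message.
    if not (serial.isalnum() and nonce.isalnum()):
        return False
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False
    expected = sign(serial, ts, nonce, key)
    # Constant-time comparison avoids leaking how much of the token matched.
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    now = 1_700_000_000                 # constructed timestamp
    serial = "T0000000000000AB"         # constructed 16-character serial
    good = make_path(serial, now, "a1b2")
    forged = good.rsplit("/", 1)[0] + "/" + "0" * 64
    print(verify_path(good, now), verify_path(forged, now))
```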
We've reached out to Eufy and Wasabi and will update this post with any additional information. Researcher Paul Moore, who first expressed concerns about Eufy's cloud access, tweeted on November 28 that he had "a long discussion with [Eufy's] legal department" and would not comment further until he provides an update.
Vulnerability discovery is more the norm than the exception in the smart home and home security fields. Ring, Nest, Samsung, the corporate meeting cam Owl: if it has a lens and it's connected to Wi-Fi, you can expect a flaw to show up at some point, and the headlines along with it. Most of these vulnerabilities are limited in scope, complex for a malicious organization to act on, and will ultimately make devices and systems stronger with responsible disclosure and rapid response.
Eufy, in this case, doesn't seem like a typical cloud security company with a typical vulnerability. An entire page of privacy promises, including some reliable and pretty good moves, was largely trivialized in a week.
You could argue that anyone who wants to be notified of camera incidents on their phone should expect some cloud servers to be involved. You can give Eufy the benefit of the doubt that the cloud servers you can access with the correct URL are simply a gateway for streams that need to leave your home network behind an account password lock.
But for customers who bought Eufy's products on the premise that they were local, secure, and unlike other cloud-based firms, it must be especially painful to see Eufy struggling to explain its cloud reliance to one of the biggest tech news outlets.