Tag Archives: Unencrypted

Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul

Anker’s Eufy division has said its web portal was not designed for end-to-end encryption and could allow outside access with the right URL.

Eufy

After two months of arguing back and forth with critics about how so many aspects of its “No clouds” security cameras could be accessed online by security researchers, Anker smart home division Eufy has provided a lengthy explanation and promises to do better.

In multiple responses to The Verge, which has repeatedly called out Eufy for failing to address key aspects of its security model, Eufy has plainly stated that video streams produced by its cameras could be accessed, unencrypted, through the Eufy web portal, despite messaging and marketing that suggested otherwise. Eufy also stated it would bring in penetration testers, commission an independent security researcher’s report, create a bug bounty program, and better detail its security protocols.

Prior to late November 2022, Eufy had enjoyed a distinguished place among smart home security providers. For those willing to trust any company with video feeds and other home data, Eufy marketed itself as offering “No Clouds or Costs,” with encrypted feeds streamed only to local storage.

Then came the first of Eufy’s woeful revelations. Security consultant and researcher Paul Moore asked Eufy on Twitter about several discrepancies he discovered. Images from his doorbell camera, seemingly tagged with facial recognition data, were accessible from public URLs. Camera feeds, when activated, were seemingly accessible without authentication from VLC Media Player (something later confirmed by The Verge). Eufy issued a statement stating that, essentially, it hadn’t fully explained how it used cloud servers to provide mobile notifications and pledged to update its language. Moore went quiet after tweeting about “a lengthy discussion” with Eufy’s legal team.

Days later, a different security researcher confirmed that a camera feed could be streamed by anyone who had the URL exposed inside a Eufy user’s web portal. The URLs themselves offered little protection, since the only part an outsider had to guess was short; as the same researcher told Ars, it took only 65,535 combinations to brute-force, “which a computer can run through pretty quick.” (A four-hex-digit field, which is what the guessable part of the URL amounted to, has 2^16 = 65,536 possible values, so a complete enumeration takes a fraction of a second.) Anker later increased the number of random characters required to guess stream URLs and said it had removed media players’ ability to play a user’s streams, even if they had the URL.

Eufy issued a statement to The Verge, Ars, and other publications at that time, noting it “adamantly” disagreed with “accusations levied against the company concerning the security of our products.” After continued pressure by The Verge, Anker issued a lengthy statement detailing its past errors and future plans.

Among Anker/Eufy’s notable statements:

  • Its web portal now prohibits users from entering “debug mode.”
  • Video stream content is encrypted and inaccessible outside the portal.
  • While “only 0.1 percent” of current daily users access the portal, it “had some issues,” which have been resolved.
  • Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
  • Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but this has been discontinued. No recognition data was included with images sent to the cloud.
  • Outside of the “recent issue with the web portal,” all other video uses end-to-end encryption.
  • A “leading and well-known security expert” will produce a report about Eufy’s systems.
  • “Several new security consulting, certification, and penetration testing” firms will be brought in for risk assessment.
  • A “Eufy Security bounty program” will be established.
  • The company promises to “provide more timely updates in our community (and to the media!).”



Read original article here

Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted

Eufy’s camera footage is stored locally, but with the right URL, you can also watch it from anywhere, unencrypted. It’s complicated.

When security researchers found that Eufy’s supposedly cloud-free cameras were uploading thumbnails with facial data to cloud servers, Eufy’s response was that it was a misunderstanding, a failure to disclose an aspect of its mobile notification system to customers.

It seems there’s more understanding now, and it’s not good.

Eufy didn’t respond to other claims from security researcher Paul Moore and others, including that anyone with the right URL could stream the feed from a Eufy camera in VLC Media Player. Last night, The Verge, working with the security researcher “Wasabi” who first tweeted the problem, confirmed it could access Eufy camera streams, encryption-free, through a Eufy server URL.

This makes Eufy’s privacy promises of footage that “never leaves the safety of your home,” is end-to-end encrypted, and only sent “straight to your phone” highly misleading, if not outright dubious. It also contradicts an Anker/Eufy senior PR manager who told The Verge that “it is not possible” to watch footage using a third-party tool like VLC.

The Verge notes some caveats, similar to those that applied to the cloud-hosted thumbnail. Chiefly, you would typically need a username and password to reveal and access the encryption-free URL of a stream. “Typically,” that is, because the camera-feed URL appears to follow a relatively simple scheme: the camera serial number in Base64, a Unix timestamp, a token that The Verge says is not validated by Eufy’s servers, and a four-digit hex value. If the token is not checked, the only component an outsider must actually guess is that four-hex-digit value, which has just 65,536 possibilities. Eufy’s serial numbers are typically 16 digits long, but they are also printed on some boxes and could be obtained in other places.
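The URL structure described above, which the earlier article on this page also brings up when it mentions the 65,535-combination brute force, makes the security point concrete: if the only component a server actually checks is a four-hex-digit value, the stream is protected by 16 bits no matter how long the rest of the URL is. The following is an added example, not Eufy’s code and not derived from its service: a toy model with a hypothetical host, serial number and query-parameter names that contrasts a server which ignores the token (the behaviour The Verge described) with one that issues HMAC-signed, expiring tokens only after the user has authenticated.

```python
"""Toy model of a capability-URL stream endpoint.

Constructed example, not Eufy's code. It models the two designs the article
contrasts: a URL whose only checked secret is a 4-hex-digit value and whose
token field is never validated, versus a URL carrying a server-validated,
expiring HMAC token.
"""
import base64
import hashlib
import hmac

# Constructed, hypothetical serial number; not a real device identifier.
SERIAL = "T8200P1234567890"
WINDOW = 0x10000  # 4 hex digits -> 2**16 = 65,536 possible values


def serial_b64(serial: str) -> str:
    return base64.b64encode(serial.encode()).decode()


def build_url(host: str, serial: str, ts: int, token: str, suffix: str) -> str:
    """Assemble a stream URL from the four components the article describes
    (hypothetical host and parameter names)."""
    return f"https://{host}/stream?sn={serial_b64(serial)}&t={ts}&token={token}&v={suffix}"


class WeakStreamServer:
    """Authorises a stream on serial + 4-hex-digit value only; 'token' is ignored."""

    def __init__(self, serial: str, secret_suffix: int):
        self.serial = serial
        self.secret_suffix = secret_suffix
        self.checks = 0  # how many authorisation attempts the server has seen

    def authorize(self, sn_b64: str, ts: int, token: str, suffix: str) -> bool:
        self.checks += 1
        serial = base64.b64decode(sn_b64).decode()
        # Flaw being modelled: `token` and `ts` are never validated, so the
        # effective secret is 16 bits.
        return serial == self.serial and int(suffix, 16) == self.secret_suffix


def brute_force_suffix(server: WeakStreamServer, serial: str, ts: int):
    """Enumerate every 4-hex-digit value; the token can be anything at all."""
    sn = serial_b64(serial)
    for candidate in range(WINDOW):
        suffix = f"{candidate:04x}"
        if server.authorize(sn, ts, "junk", suffix):
            return suffix
    return None


class SignedStreamServer:
    """Issues and validates HMAC-SHA256-signed, expiring stream URLs."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds

    def _mac(self, serial: str, expires: int) -> str:
        return hmac.new(self.key, f"{serial}|{expires}".encode(), hashlib.sha256).hexdigest()

    def issue(self, serial: str, now: int):
        """Called only after the user has logged in; returns (expires, token)."""
        expires = now + self.ttl
        return expires, self._mac(serial, expires)

    def authorize(self, sn_b64: str, expires: int, token: str, now: int) -> bool:
        if now > expires:  # expiry is part of the signed message, so it cannot be extended
            return False
        serial = base64.b64decode(sn_b64).decode()
        # Constant-time comparison against the recomputed MAC (256-bit, not 16-bit).
        return hmac.compare_digest(self._mac(serial, expires).encode(), token.encode())


def guess_signed_token(server: SignedStreamServer, serial: str, expires: int, now: int):
    """The same 65,536-guess budget against a signed token finds nothing."""
    sn = serial_b64(serial)
    for candidate in range(WINDOW):
        if server.authorize(sn, expires, f"{candidate:04x}", now):
            return f"{candidate:04x}"
    return None


def demo():
    now = 1669600000  # constructed Unix timestamp
    weak = WeakStreamServer(SERIAL, secret_suffix=0xBEEF)
    found = brute_force_suffix(weak, SERIAL, ts=now)

    signed = SignedStreamServer(key=b"constructed-demo-key", ttl_seconds=300)
    expires, token = signed.issue(SERIAL, now)
    fresh_ok = signed.authorize(serial_b64(SERIAL), expires, token, now + 60)
    stale_ok = signed.authorize(serial_b64(SERIAL), expires, token, now + 600)
    guessed = guess_signed_token(signed, SERIAL, expires, now + 60)
    return found, weak.checks, fresh_ok, stale_ok, guessed


if __name__ == "__main__":
    found, checks, fresh_ok, stale_ok, guessed = demo()
    print(build_url("example.invalid", SERIAL, 1669600000, "ignored", found))
    print(f"weak server: recovered suffix {found} after {checks} guesses")
    print(f"signed server: fresh token valid={fresh_ok}, expired valid={stale_ok}, "
          f"16-bit guess found={guessed}")
```

The two design choices that matter are that the signed server binds the serial number and expiry into the MAC, so neither can be altered without the key, and that it issues tokens only after authentication; the weak server shows why a long-looking URL is no defence when the server checks only a 16-bit piece of it.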

We’ve reached out to Eufy and Wasabi and will update this post with any further information. Researcher Paul Moore, who initially raised concerns with Eufy’s cloud access, tweeted on November 28 that he had “a lengthy discussion with [Eufy’s] legal department” and would not comment further until he could provide an update.

Vulnerability discovery is far more of a norm than an exception in the smart home and home security fields. Ring, Nest, Samsung, the corporate meeting cam Owl—if it has a lens, and it connects to Wi-Fi, you can expect a flaw to show up at some point, and headlines to go with it. Most of these flaws are limited in scope, complicated for a malicious entity to act upon, and, with responsible disclosure and a swift response, will ultimately make the devices and systems stronger.

Eufy, in this instance, is not looking like the typical cloud security company with a typical vulnerability. An entire page of privacy promises, including some valid and notably good moves, has been made largely irrelevant within a week’s time.

You could argue that anyone who wants to be notified of camera incidents on their phone should expect some cloud servers to be involved. You might give Eufy the benefit of the doubt, that the cloud servers you can access with the right URL are simply a waypoint for streams that have to leave the home network eventually under an account password lock.

But it has to be particularly painful for customers who bought Eufy’s products under the auspices of having their footage stored locally, safely, and differently from those other cloud-based firms only to see Eufy struggle to explain its own cloud reliance to one of the largest tech news outlets.



Read original article here

Eufy Cameras Have Been Uploading Unencrypted Footage to Cloud

The Eufy SoloCam E40.
Photo: Florence Ion / Gizmodo

Eufy, the company behind a series of affordable security cameras I’ve previously suggested over the expensive stuff, is currently in a bit of hot water for its security practices. The company, owned by Anker, purports its products to be one of the few security devices that allow for locally-stored media and don’t need a cloud account to work efficiently. But over the turkey-eating holiday, a noted security researcher across the pond discovered a security hole in Eufy’s mobile app that threatens that whole premise.

Paul Moore relayed the issue in a tweeted screengrab. Moore had purchased the Eufy Doorbell Dual Camera for its promise of a local storage option, only to discover that the doorbell’s cameras had been storing thumbnails of faces on the cloud, along with identifiable user information, despite Moore not even having a Eufy Cloud Storage account.

After Moore tweeted the findings, another user found that the data uploaded to Eufy wasn’t even encrypted. Any uploaded clips could be easily played back on any desktop media player, which Moore later demonstrated. What’s more: thumbnails and clips were linked to their partner cameras, offering additional identifiable information to any digital snoopers sniffing around.

Android Central was able to recreate the issue on its own with a EufyCam 3. It then reached out to Eufy, which explained to the site why this issue was cropping up. If you choose to have a motion notification pushed out with an attached thumbnail, Eufy temporarily uploads that file to its AWS servers to send it out. Moore had enabled the option manually, which is how the security flaw was eventually discovered. By default, the Eufy app’s camera notifications are text-only and don’t have the same issue, since there’s nothing to upload.

Though Eufy says its practices comply with Apple’s Push Notification Service terms of use and Google’s Firebase Cloud Messaging standards, it has since patched some of the issues discovered by Moore. The company told Android Central that it would do the following to communicate to its users about how it’s storing data:

1. We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

2. We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.

Unfortunately, this isn’t the first time Eufy has had an issue regarding security on its cameras. Last year, the company faced similar reports of “unwarranted access” to random camera feeds, though the company quickly fixed the issue once it was discovered. Eufy is no stranger to patching things up.



Read original article here