Anker’s Eufy lied to us about the security of its security cameras

By | December 1, 2022

Anker has built a remarkable reputation for quality over the last decade, turning its phone charger business into an empire that encompasses all types of portable electronics – including the Eufy home security cameras we’ve recommended over the years. Eufy’s commitment to privacy is notable: it promises that your data will be stored locally, that it “never leaves the safety of your home”, that your images are transmitted only with military-grade “end-to-end” encryption, and that it will send only this footage “straight to your phone”.

So you can imagine our surprise to learn that you can stream video from a Eufy camera across the country without any encryption.

“All recorded footage is encrypted on the device and sent directly to your phone – and only you have the key to decrypt and watch the footage.”

Screenshot: Sean Hollister / The Verge

Worse, it’s still unclear how widespread this might be – because instead of addressing it head-on, the company falsely told The Verge that this was not even possible.

On Thanksgiving Day, infosec consultant Paul Moore and a hacker known as Wasabi both claimed that Anker’s Eufy cameras can stream unencrypted through the cloud – just by connecting to a unique address on Eufy’s cloud servers with the free VLC Media Player.

When we asked Anker point-blank to confirm or deny this, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, Anker’s senior public relations manager, told me via email.

But The Verge can now confirm that this is not true. This week we’ve repeatedly watched live footage from two of our own Eufy cameras using the same VLC media player, from across the US – proving that Anker has a way to bypass encryption and access these supposedly secure cameras via the cloud.

There’s good news: there’s still no evidence that this has ever been exploited in the wild, and the way we initially obtained the address required logging in with a username and password before Eufy’s website would release the unencrypted stream. (We’re not sharing the exact technique here.)

Also, it looks like it only works on cameras that are awake. We had to wait until our spotlight camera detected a passing car, or its owner pressed a button, before the VLC stream came to life.

Your camera’s 16-digit serial number – likely visible on the box – is most of the key

But it also gets worse: Eufy’s practices seem to be so bad that bad guys can figure out a camera’s feed address – because that address largely consists of your camera’s serial number encoded in Base64, something you can easily reverse with a simple online calculator.

The address also includes a Unix timestamp that you can easily create, a token that Eufy’s servers don’t seem to be validating (we changed our token to “arbitrarypotato” and it still worked), and a four-digit random hex value whose 65,536 combinations could easily be brute-forced.
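The paragraph above describes three weaknesses in the feed address: a timestamp anyone can produce, a token the server never checks, and only 16 bits of randomness. The following is an added, hypothetical example of the server-side check a defender would want instead; it is not Eufy’s or Anker’s code, and the serial number, user id, secret key and URL-safe token layout are all constructed for illustration. The media server verifies an HMAC-signed, short-lived token bound to both the camera and the authenticated account before it releases any stream, so a forged token, a token for a different camera or user, or an expired one is rejected.

```python
"""Hypothetical stream-token check (added example, not Eufy's/Anker's code).

Instead of an address built from a Base64 serial number, a guessable
timestamp, an unchecked token and a 16-bit random value, the server issues
a short-lived token bound to a camera AND an account, and verifies the
signature, the binding and the expiry before releasing a stream.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed per-deployment secret. In production it lives in the server's
# KMS/HSM; it is never on the device, in the app, or printed on the box.
SERVER_KEY = secrets.token_bytes(32)


def _b64u(raw: bytes) -> str:
    """URL-safe Base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    """Reverse of _b64u; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_stream_token(serial: str, user_id: str, ttl_seconds: int = 300,
                       now: Optional[int] = None, key: bytes = SERVER_KEY) -> str:
    """Issued only after the user has logged in and is authorised for `serial`."""
    now = int(time.time()) if now is None else now
    claims = {
        "sn": serial,                     # which camera the token is for
        "uid": user_id,                   # which account may watch it
        "exp": now + ttl_seconds,         # hard expiry, so a leaked token dies fast
        "nonce": secrets.token_hex(16),   # 128 bits of randomness, not 16
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64u(body)}.{_b64u(tag)}"


def verify_stream_token(token: str, serial: str, user_id: str,
                        now: Optional[int] = None, key: bytes = SERVER_KEY) -> bool:
    """True only if the token is authentic, unexpired, and bound to this camera and user."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = _b64u_decode(body_b64)
        tag = _b64u_decode(tag_b64)
    except (ValueError, TypeError):
        return False                      # malformed, e.g. "arbitrarypotato"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged, tampered, or signed with another key
    try:
        claims = json.loads(body)
    except ValueError:
        return False
    return (claims.get("sn") == serial
            and claims.get("uid") == user_id
            and isinstance(claims.get("exp"), int)
            and claims["exp"] > now)


if __name__ == "__main__":
    # Constructed serial and account; a fixed clock makes the run reproducible.
    tok = issue_stream_token("EXAMPLESERIAL001", "user-42", now=1_669_900_000)
    print(verify_stream_token(tok, "EXAMPLESERIAL001", "user-42", now=1_669_900_100))
    print(verify_stream_token("arbitrarypotato", "EXAMPLESERIAL001", "user-42"))
```

The design choice worth noting is that the serial number stops being a secret at all: it appears in the token only as a claim the server compares against, and knowing it (from the box, a resold unit, or an API) gains nothing without a valid signature from a logged-in session.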

“This is definitely not how it should be designed,” Mandiant vulnerability engineer Jacob Thompson tells The Verge. For one thing, serial numbers don’t change, so a bad actor could give away, sell, or donate a camera to Goodwill and silently continue watching the feeds. But he also points out that companies don’t usually keep their serial numbers secret. Some put them right on the box they sell at Best Buy – yes, including Eufy.

On the plus side, Eufy’s serial numbers are 16 characters long and not just an incrementing number. “You won’t be able to just guess the IDs and start hitting them,” says Dillon Franke, a consultant for the Mandiant Red Team, calling this a possible “saving grace” of this disclosure. “It doesn’t look as bad as if it was UserID 1000, so you try 1001, 1002, 1003.”

It could be worse. When Georgia Tech security researcher and Ph.D. candidate Omar Alrawi was studying poor smart home practices in 2018, he saw some devices relying on your MAC address for security – even though a MAC address is only twelve characters long, and you can usually figure out the first six characters just by knowing which company made a gadget, he explains.

But we also don’t know how else these serial numbers might leak, or whether Eufy might even unwittingly provide them to anyone who asks. “Sometimes there are APIs that return some of this unique ID information,” says Franke. “The serial number now becomes critical to keep secret, and I don’t think they treat it that way.”

Thompson also wonders if there are other potential attack vectors now that we know Eufy’s cameras aren’t fully encrypted: “If the architecture is such that they can command the camera to start transmitting at any time, anyone with administrator access to that IT infrastructure can keep an eye on the camera,” he warns. That’s a far cry from Anker’s claim that the footage is “sent directly to your phone – and only you have the key.”

Meanwhile, there are other worrying signs that Anker’s security practices may be much, much worse than they let on. This whole saga started when infosec consultant Moore started tweeting accusations that Eufy violated other security promises, including uploading thumbnail images (including faces) to the cloud without permission, and failing to delete stored private data. Anker reportedly admitted the former, but called it a misunderstanding.

More worrying if true, he also claims that Eufy’s encryption key for its video is literally just the plain text string “[email protected]”. This phrase also appears in a 2019 GitHub repository.

Anker didn’t answer The Verge’s straightforward yes-or-no question about whether “[email protected]” is the encryption key.

We weren’t able to get more details from Moore either; he told The Verge he can no longer comment now that he has begun legal proceedings against Anker.

Now that Anker has been caught in some big lies, it’s going to be hard to trust what the company says next – but for some, it might be important to know which cameras behave this way and which don’t, whether anything will change, and when. When Wyze had a vaguely similar vulnerability, it swept it under the rug for three years; I hope Anker does much, much better.

Some may not be willing to wait or trust any longer. “If I came across this news and I had this camera inside the house, I would immediately turn it off and not use it, because I don’t know who can see it and who can’t,” Alrawi tells me.

Wasabi, the security engineer who showed us how to get a Eufy camera’s network address, says he’s trashing everything. “I bought this because I was trying to be safety conscious!” he exclaims.

With some specific Eufy cameras, you might want to try switching them to use Apple’s HomeKit Secure Video.

With reporting and testing by Jen Tuohy and Nathan Edwards
