Anker’s Eufy lied to us about the security of its security cameras

Date:

Over the past decade, Anker has built a remarkable reputation for quality, building its phone charger business into an empire encompassing all manner of portable electronics, including the Eufy home security cameras we’ve recommended over the years. Eufy’s commitment to privacy is remarkable: it promises that your data is stored locally, that it “never leaves the safety of your home”, that the images are only transmitted with “end-to-end” military-grade encryption, and that it will only send those images “directly to your phone”.

So you can imagine our surprise to learn that you can stream video from a Eufy camera, from across the country, without any encryption.

Part of Anker’s Eufy “privacy commitment”.
Screenshot of Sean Hollister / The Verge

Even worse, it’s not yet clear how widespread this could be – because instead of addressing it head-on, the company falsely claimed that The edge that it wasn’t even possible.

On Thanksgiving Day, infosec consultant Paul Moore and a hacker who goes by Wasabi both claimed that Anker’s Eufy cameras can stream encryption-free through the cloud – simply by connecting to a unique address on Eufy’s cloud servers with the free VLC Media Player.

When we asked Anker outright to confirm or deny that, the company categorically denied it. “I can confirm that it’s not possible to start a stream and view live footage using an external player like VLC,” Brett White, a senior PR manager at Anker, told me via email.

But The edge can now confirm that this is not true. This week we repeatedly watched live footage from two of our own Eufy cameras using the same VLC media player from across the United States – proving that Anker has a way to bypass encryption and access these supposedly secure cameras via the cloud.

There’s good news: there’s no evidence yet that this has been exploited in the wild, and the way we initially obtained the address required logging in with a username and password before Eufy’s website coughs up the encryption-free stream. (We’re not sharing the exact technique here.)

It also seems that it only works on cameras that are awake. We had to wait for our spotlight camera to detect a passing car or the owner to press a button for the VLC stream to come to life.

Your camera’s 16-digit serial number—probably visible on the box—is the bulk of the key

But it also gets worse: Eufy’s best practices seem so shoddy that malicious parties could potentially figure out the address of the camera feed – because that address largely consists of the serial number of your camera encoded in Base64, something you can easily reverse with a simple online calculator.

The address also includes a Unix timestamp that you can easily create, a token that Eufy’s servers don’t seem to really validate (we changed our token to “arbitrarypotato” and it still worked), and a four-digit random hex of which 65,536 combinations can be easily executed with brute force.

“This is definitely not how it should be designed,” said Mandiant Vulnerability Engineer Jacob Thompson tells The edge. For starters, serial numbers don’t change, so a bad actor can give or sell or donate a camera to Goodwill and quietly continue to watch the feeds. But he also points out that companies do not keep their serial numbers secret. Some stick them right on the box they sell at Best Buy – yes, including Eufy.

On the plus side, Eufy’s serial numbers are long at 16 characters and not just an ascending number. “You’re not going to be able to just guess at IDs and they start hitting,” says Mandiant Red Team adviser Dillon Franke, calling it a possible “savings” of this revelation. “It doesn’t sound too bad like it’s UserID 1000 then you try 1001, 1002, 1003.”

It could have been worse. When Georgia Tech security researcher and Ph.D. candidate Omar Alrawi studied poor smart home practices in 2018, he saw some appliances replaced their own MAC address just to be on the safe side – even though a MAC address is only 12 characters long, you can generally figure out the first six characters by knowing which company made a gadget, he explains.

“The serial number now becomes crucial to keep secret.”

But we also don’t know how else these serial numbers could leak, or if Eufy could even unknowingly provide them to anyone who asks. “Sometimes there are APIs that return some of that unique ID information,” says Franke. “The serial number now becomes crucial to keep secret, and I don’t think they will treat it that way.”

Thompson also wonders if there are other potential attack vectors now that we know Eufy’s cameras aren’t fully encrypted: “If the architecture is such that they can make the camera start streaming at any time, anyone with administrative access can access the IT infrastructure and watch your camera,” he warns, a far cry from Anker’s claim that footage is “sent straight to your phone – and only you hold the key.”

Besides, there are other disturbing signs that Anker’s security practices are much, much worse than they’ve let on. This whole saga started when infosec consultant Moore started tweeting accusations that Eufy had violated other security promises, including uploading thumbnail images (including faces) to the cloud without permission and not deleting stored private data. Anker reportedly gave in to the first, but called it a misunderstanding.

Most disturbing if true, he also claims that Eufy’s encryption key for its video footage is literally just the plaintext string “[email protected]”. That sentence also appears in a 2019 GitHub repo.

Anchor didn’t answer The edge‘s simple yes-or-no question whether “[email protected]” is the encryption key.

We couldn’t get more details from Moore either; he told The edge he cannot respond further now that he has started legal proceedings against Anchor.

Now that Anker’s been caught in some big lies, it’s getting hard to trust what the company says next – but for some it may be important to know which cameras do and don’t behave this way, if anything will be changed, and when. When Wyze had a vaguely similar vulnerability, it was swept under the rug for three years; hopefully Anker will do much, much better.

Some may not be willing to wait or trust anymore. “If I came across this news and had this camera in my house, I would immediately turn it off and not use it, because I don’t know who can see it and who can’t,” says Alrawi.

Wasabi, the security engineer who showed us how to get the network address of a Eufy camera, says he’s tearing his entire network out. “I bought this because I was trying to be safety conscious!” he exclaims.

With some specific Eufy cams, you might try switching them to use Apple’s HomeKit Secure Video instead.

With reporting and testing by Jen Tuohy and Nathan Edwards


The Valley Voice
The Valley Voicehttp://thevalleyvoice.org
Christopher Brito is a social media producer and trending writer for The Valley Voice, with a focus on sports and stories related to race and culture.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Share post:

Popular

More like this
Related

New York City machete attacker identified as Maine teen Trevor Bickford

Law enforcement sources have confirmed to ABC News that...

Flooding, hazards, road closures remain

Clear skies over a Bay Area mopping Sunday revealed...

2023 starts with 6-11 inches of snow expected in Sioux Falls, NWS says

Minnehaha County and surrounding areas will be under a...