
Anker's Eufy lied to us about the security of its security cameras

Over the past decade, Anker has built a remarkable reputation for quality, building its phone charger business into an empire encompassing all manner of portable electronics, including the Eufy home security cameras we've recommended over the years. Eufy's commitment to privacy is notable: it promises that your data is stored locally, that it "never leaves the safety of your home", that its images are only sent with military-grade "end-to-end" encryption, and that it only sends images "straight to your phone."

So you can imagine our surprise to learn that you can stream video from a Eufy camera, from across the country, without any encryption.

Part of Anker's Eufy "privacy commitment". Screenshot: Sean Hollister / The Verge

Even worse, it's not yet clear how widespread this could be – because instead of addressing it head-on, the company falsely told The Verge that it wasn't even possible.

On Thanksgiving Day, infosec consultant Paul Moore and a hacker who goes by Wasabi both claimed that Anker’s Eufy cameras can stream encryption-free through the cloud – simply by connecting to a unique address on Eufy’s cloud servers with the free VLC Media Player.

When we asked Anker outright to confirm or deny that, the company categorically denied it. “I can confirm that it’s not possible to start a stream and view live footage using an external player like VLC,” Brett White, a senior PR executive at Anker, told me via email.

But The Verge can now confirm that this is not true. This week we repeatedly watched live footage from two of our own Eufy cameras using the same VLC media player from across the United States – proving that Anker has a way to bypass encryption and access these supposedly secure cameras via the cloud.

There’s good news: there’s no evidence yet that this has been exploited in the wild, and the way we initially obtained the address required logging in with a username and password before Eufy’s website coughs up the encryption-free stream. (We’re not sharing the exact technique here.)

It also seems that it only works on cameras that are awake. We had to wait for our spotlight camera to detect a passing car or the owner to press a button for the VLC stream to come to life.

Your camera’s 16-digit serial number—probably visible on the box—is the bulk of the key

But it also gets worse: Eufy’s best practices seem so shoddy that malicious parties could potentially figure out the address of the camera feed – because that address largely consists of the serial number of your camera encoded in Base64, something you can easily reverse with a simple online calculator.

The address also includes a Unix timestamp that anyone can generate, a token that Eufy's servers don't appear to actually validate (we changed our token to "arbitrarypotato" and it still worked), and a four-digit random hex value, whose 65,536 possible combinations are few enough to be tried by brute force.

"This is definitely not how it should be designed," Mandiant vulnerability engineer Jacob Thompson tells The Verge. For starters, serial numbers don't change, so a bad actor could give away, sell or donate a camera to Goodwill and quietly continue to watch the feeds. But he also points out that companies do not keep their serial numbers secret. Some stick them right on the box they sell at Best Buy – yes, including Eufy.

On the plus side, Eufy's serial numbers are long at 16 characters and not just an ascending number. "You're not going to be able to just guess at IDs and they start hitting," says Mandiant red team adviser Dillon Franke, calling it a possible "salvation" of this revelation. "It doesn't sound too bad like it's UserID 1000 then you try 1001, 1002, 1003."

It could have been worse. When Georgia Tech security researcher and Ph.D. candidate Omar Alrawi studied poor smart home practices in 2018, he saw some devices use their own MAC address instead – even though a MAC address is only 12 characters long and you can generally figure out the first six characters (the manufacturer prefix) by knowing which company made the gadget, he explains.


But we also don’t know how else these serial numbers could leak, or if Eufy could even unknowingly provide them to anyone who asks. “Sometimes there are APIs that return some of that unique ID information,” says Franke. “The serial number now becomes crucial to keep secret, and I don’t think they will treat it that way.”

Thompson also wonders if there are other potential attack vectors now that we know Eufy’s cameras aren’t fully encrypted: “If the architecture is such that they can make the camera start streaming at any time, anyone with administrative access can access the IT infrastructure and watch your camera,” he warns, a far cry from Anker’s claim that footage is “sent straight to your phone – and only you hold the key.”

Besides, there are other disturbing signs that Anker's security practices are much, much worse than the company has let on. This whole saga started when infosec consultant Moore began tweeting accusations that Eufy had violated other security promises, including uploading thumbnail images (including faces) to the cloud without permission and not deleting stored private data. Anker reportedly conceded the first, but called it a misunderstanding.

Most disturbingly, if true, he also claims that Eufy's encryption key for its video footage is literally just the plaintext string "ZXSecurity17Cam@". That string also appears in a 2019 GitHub repository.

Anker didn't answer The Verge's simple yes-or-no question of whether "ZXSecurity17Cam@" is the encryption key.

We couldn't get more details from Moore either; he told The Verge he cannot respond further now that he has started legal proceedings against Anker.

Now that Anker's been caught in some big lies, it's getting hard to trust what the company says next – but for some it may be important to know which cameras do and don't behave this way, whether anything will be changed, and when. When Wyze had a vaguely similar vulnerability, it was swept under the rug for three years; hopefully Anker will do much, much better.

Some may not be willing to wait or trust anymore. “If I came across this news and had this camera in my house, I would immediately turn it off and not use it, because I don’t know who can see it and who can’t,” says Alrawi.

Wasabi, the security engineer who showed us how to get the network address of a Eufy camera, says he’s tearing his entire network out. “I bought this because I was trying to be safety conscious!” he exclaims.

On some specific Eufy cams, you might try switching them to Apple's HomeKit Secure Video instead.

With reporting and testing by Jen Tuohy and Nathan Edwards
