Security researchers say Eufy’s supposedly cloudless cameras upload thumbnails with face data to cloud servers. Eufy’s response was that it was a misunderstanding and that it had failed to disclose aspects of its mobile notification system to customers.
More seems to be understood now, and it is not good.
Eufy did not respond to other allegations, including those from security researcher Paul Moore, that the feed from a Eufy camera can be streamed with VLC Media Player, given the correct URL. Last night, The Verge, working with the security researcher Wasabi, who first tweeted the problem, confirmed that it could access Eufy camera streams, with no encryption, via a Eufy server URL.
This makes Eufy’s privacy promise that footage “never leaves the security of your home,” is end-to-end encrypted, and is only sent “direct to your phone” highly misleading, if not entirely suspicious. It also contradicts an Anker/Eufy senior PR manager who told The Verge that it was “impossible” to view the footage using a third-party tool like VLC.
The Verge points out some caveats, similar to those that applied to the cloud-hosted thumbnails. Primarily, a username and password are usually required to reveal and access a stream’s unencrypted URL. “Usually,” that is, because the camera feed URL appears to follow a relatively simple scheme involving the camera serial number in Base64, a Unix timestamp, a token that The Verge says is not validated by Eufy’s servers, and a hexadecimal value. Eufy serial numbers are typically 16 digits long, but they are also printed on some boxes and are available elsewhere.
We have reached out to Eufy and Wasabi and will update this post with any additional information. Researcher Paul Moore, who first expressed concern about Eufy’s cloud access, tweeted on November 28th that he had “a long discussion with [Eufy’s] legal department” and would have no further comment until he can provide an update.
Vulnerability discovery is far more the rule than the exception in the smart home and home security space. Ring, Nest, Samsung, the corporate meeting cam Owl: if it has a lens and is connected to Wi-Fi, expect a flaw to appear at some point and a headline to accompany it. Such flaws are complex to deal with, and responsible disclosure and rapid response will ultimately strengthen devices and systems.
Eufy, in this instance, does not look like a typical cloud security company with a typical vulnerability. A full page of privacy promises, including some effective and particularly good moves, became largely irrelevant within a week.
It can be argued that anyone who wants to be notified of camera incidents on their phone should expect some kind of cloud server to be involved. One might give Eufy the benefit of the doubt that the cloud server, accessible with the correct URL, is just a transit point for streams that must eventually leave the home network under a password lock.
However, for customers who purchased Eufy’s products expecting their footage to be stored locally, securely, and differently from other cloud-based companies, it is especially painful to see Eufy having a hard time explaining its extensive dependence on the cloud to a tech news outlet.