Eufy Cameras Exposed, Chinese Company Accused Of Lying About Security Risks
Eufy cameras are a high security risk, and the Chinese company Anker, which manufactures them, has been caught out lying about the encryption that was supposed to be in place to stop outsiders getting access to a Eufy camera.
This is not the first time that the manufacturer of Eufy security products has been exposed over the risks associated with its cameras.
Widely sold at retail stores in Australia including Super Cheap Auto, JB Hi Fi, Amazon, Officeworks and The Good Guys, the Chinese brand’s cameras have been found to have none of their so-called military-grade encryption, with US publication The Verge reporting that security experts were able to use the free VLC media player to access a stream from a Eufy camera.
If you listen to Anker, the manufacturer of the high-risk cameras, your data will be stored locally and “never leaves the safety of your home”.
</gml_replace>
<gr_replace lines="7" cat="clarify" orig="The reality is that">
The reality is that there is no encryption on the stream, and that by using the free VLC media player together with a unique address on Eufy’s cloud servers, the feed can be accessed by Eufy staff and Chinese security services, as well as by hackers and anyone with a little knowledge of IT systems.
The manufacturer even brags that footage from their cameras only gets transmitted with “end-to-end” military-grade encryption, and that it will only send that footage “straight to your phone.”
The reality is that there is no encryption and that by using a free VLC Media player coupled with a unique address Eufy’s cloud servers can be accessed by Eufy staff and Chinese security services as well as hackers and people with a little knowledge about IT systems.
Distributed in Australia by Directed Electronics, which also distributes other Anker products including security doorbells and headphones, the business also sells robot vacuum cleaners that include cameras capable of filming inside a home 24 hours a day.
This week infosec consultant Paul Moore and a hacker who goes by Wasabi both claimed that Anker’s Eufy cameras can stream encryption-free through the cloud, simply by connecting to a unique address on Eufy’s cloud servers.
When The Verge asked Anker point-blank to confirm or deny the risks associated with a Eufy product, company spokesperson Brett White, a senior PR manager based in the USA, categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” he said.
Now The Verge has come out claiming this is blatantly not true.
Editors were able to repeatedly watch live footage from two Eufy cameras using that very same VLC media player, from across the United States, proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.
The way The Verge was able to do this was to initially obtain the IP address; when a username and password were typed in, they got access to a feed. The Verge is refusing to publish how they did this as they don’t want
Security experts note that it only works on cameras that are awake. As The Verge put it, “We had to wait until our camera’s owner pressed a button before the VLC stream came to life.”
A Eufy camera’s 16-digit serial number, which is visible on the box at retailers, can also be used.
The Verge claimed that Eufy’s practices appear to be so shoddy that bad actors will be able to figure out the address of a camera’s feed, because that address largely consists of the camera’s serial number encoded in Base64, an encoding (not encryption) that anyone can reverse with a simple online tool.
The address also includes a Unix timestamp that anyone can generate, plus a token that Eufy’s servers don’t actually appear to be validating (The Verge changed its token to “arbitrarypotato” and the stream still worked), and a four-digit random hex value whose 65,536 combinations could easily be brute-forced.
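The article’s point is that an address built from a reversible encoding of the serial number, a guessable timestamp and an unchecked token gives the server nothing to enforce. The block below is an added example, not Eufy or Anker code, showing the check a stream server should perform instead: a token bound to one camera serial and an issue time, signed with a server-side secret (HMAC-SHA256) and rejected when it is malformed, forged, issued for a different camera, or older than a short TTL. The secret, serial numbers and TTL are constructed placeholders for the demonstration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server-side secret for this demo only; a real deployment would
# load it from a secrets manager or HSM, never from source code.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"

# Tokens are only honoured for a short window after they are issued.
TOKEN_TTL_SECONDS = 60


def _tag(serial: str, issued: int) -> str:
    """HMAC over the exact (serial, issue time) pair the token is meant to cover."""
    msg = f"{serial}:{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_stream_token(serial: str, now: Optional[int] = None) -> str:
    """Mint a token for one camera. Format: '<issued>.<hex tag>'."""
    issued = int(time.time()) if now is None else now
    return f"{issued}.{_tag(serial, issued)}"


def validate_stream_token(serial: str, token: str, now: Optional[int] = None) -> bool:
    """Return True only for a well-formed, unexpired token whose tag matches
    this serial and issue time. An arbitrary string, a token for another
    camera, a tampered tag or an old token all fail here."""
    current = int(time.time()) if now is None else now
    try:
        issued_str, tag = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False  # malformed: no separator or non-numeric timestamp
    # Reject tokens from the future or older than the TTL.
    if not 0 <= current - issued <= TOKEN_TTL_SECONDS:
        return False
    # Constant-time comparison so the check does not leak tag bytes via timing.
    return hmac.compare_digest(_tag(serial, issued), tag)


if __name__ == "__main__":
    # Constructed serial numbers for the demo.
    cam_a, cam_b = "T8CONSTRUCTED0001", "T8CONSTRUCTED0002"
    tok = issue_stream_token(cam_a, now=1_000)
    print("valid token, 10 s later:", validate_stream_token(cam_a, tok, now=1_010))
    print("arbitrary token:        ", validate_stream_token(cam_a, "arbitrarypotato", now=1_010))
    print("token for other camera: ", validate_stream_token(cam_b, tok, now=1_010))
    print("same token, 1000 s later:", validate_stream_token(cam_a, tok, now=2_000))
```

The design choice worth noting is that the secret never appears in the address, so nothing an observer can read off the box (the serial) or compute (a timestamp) is enough to mint a token; and the TTL means even a captured valid token stops working within a minute.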
“This is definitely not how it should be designed,” Mandiant vulnerability engineer Jacob Thompson told The Verge.
This is not the first time the Eufy cameras have been exposed as a high security risk.
Back in June 2022, security experts found three vulnerabilities in Eufy’s Homebase 2 video storage and management device that could have allowed attackers to take control of the hub, operate it remotely, or steal video footage.
Then in May 2021, Eufy was forced to apologise for a bug that exposed users’ camera feeds to strangers, with neighbours able to watch other people inside their homes.
Some security observers are now asking whether there are other potential attack paths now that Eufy’s cameras have been shown not to be wholly encrypted: “If the architecture is such that they can order the camera to start streaming at any time, anyone with admin access has the ability to access the IT infrastructure and watch your camera,” one expert said.
“That’s a far cry from Anker’s claim that footage is ‘sent straight to your phone—and only you have the key.’”
Other worrying signs that Anker’s security practices may be much poorer than it has let on emerged when Eufy was accused of breaking other security promises, including uploading thumbnail images (including faces) to the cloud without permission and failing to delete stored private data.
When confronted on this, Anker called it a misunderstanding.
Eufy’s encryption key for its video footage is reportedly the plaintext string “ZXSecurity17Cam@”.
That same string also appears in a GitHub repo from 2019.
Anker didn’t answer The Verge’s straightforward yes-or-no question about whether “ZXSecurity17Cam@” is the encryption key.
The Verge concluded: “Now that Anker has been caught in some big lies, it’s going to be hard to trust whatever the company says next — but for some, it may be important to know which cameras do and do not behave this way, whether anything will be changed, and when.”