Security Vulnerabilities in Eufy Cameras

Eufy cameras claim to be local only, but upload data to the cloud. The company is basically lying to reporters, despite being shown evidence to the contrary. The company’s behavior is so egregious that ReviewGeek is no longer recommending them.

This will be interesting to watch. If Eufy can ignore security researchers and the press without there being any repercussions in the market, others will follow suit. And we will lose public shaming as an incentive to improve security.

Update:

After further testing, we’re not seeing the VLC streams begin based solely on the camera detecting motion. We’re not sure if that’s a change since yesterday or something I got wrong in our initial report. It does appear that Eufy is making changes—it appears to have removed access to the method we were using to get the address of our streams, although an address we already obtained is still working.

Posted on December 9, 2022 at 7:11 AM · 14 Comments

Comments

Brenden Walker December 9, 2022 9:12 AM

I think the general population is burning out on worrying about security. Mind numbing mandatory training at work, the plethora of insecure products that everyone has been convinced they ‘need’. I suspect many people just don’t care anymore.

Clive Robinson December 9, 2022 10:18 AM

@ Bruce, ALL,

“And we will lose public shaming as an incentive to improve security.”

We already have, it’s just that we don’t want to believe it.

The first indicators were some years ago with the step up in what many indicated was needless security.

Well, it was not needless, as both Ed Snowden, Julian Assange and many others, some known to us and others not, have shown.

The US and other Western governments are abusing security to cover up things that oversight, ethics, morals and an innate sense of both decency and shame should have adequately prevented.

Instead we now have an active state of lying to oversight under oath being not just legal but abused beyond most decent people’s comprehension, and an active abuse of legislation against journalists and whistleblowers as policy to keep the lid on much that is not just immoral, illegal, or deeply shameful; it actively causes innocent citizens to be attacked, killed, maimed or harmed, because of the kickback of such deeply shameful behaviours.

Corporations’ directors and senior management actively see themselves as above Government. Thus any behaviour governments carry out that directors and management consider “useful” will be adopted.

The fact that government legislators and regulators do not take properly punitive action against the directors and managers just “green lights” them to further deeply shameful behaviours.

The recent quite justifiable conviction of a corporate security chief for doing what he knew to be unlawful is frankly “too little, too late”.

The only real result is the C-Suites will become more opaque; they will keep things “off the record” in fairly easy ways that under current rules will prevent further such convictions, but not the activities.

As with all such human perspective issues of “good or bad” it is a “movable feast” or pendulum that swings either way based on the defensive argument you can make, that actually has nothing to do with good/bad, right/wrong but everything to do with,

“‘Might is right’ and ‘We’re the good guys’ thinking.”

Not only have we opened a veritable Pandora’s Box of issues, we did it by letting the genie out of the bottle.

Where we go from here will almost certainly not be decided by you, me, and the other voting citizens, but by lobbyists with a free hand on offshore funds we have no conception of.

But hey,

“That’s the free market way”

From their point of view you and your lifestyle are entirely due to them, so their view will be,

“How dare you question or complain”

Reply December 9, 2022 11:08 AM

That company doesn’t stand behind its other products. When that product breaks, the only consolation, if you could call it that, is that they will send you a discount coupon to buy another one, at the same price that you can get on Amazon.

Gunter Königsmann December 9, 2022 3:08 PM

What I don’t understand: If you want the cloud to store your data that is expensive – which sounds logical: the cloud provider has to buy all those SSDs.
If you don’t want your data in the cloud, someone pays for those SSDs anyway. Are my photos really worth all that money to someone else?

Clive Robinson December 9, 2022 3:46 PM

@ Gunter Königsmann, Brenden Walker,

Re : A picture paints a thousand words.

“Are my photos really worth all that money to someone else?”

I guess that depends on two unknowns

1, Who you really are.
2, Who the customer might be.

But most if not all the home security cameras appear to work on the fact that “access to images has value”.

The two worst offenders were,

1, Amazon Ring for giving access to “street images” to law enforcement.
2, Palantir for acquiring access via their systems to law enforcement.

You might or might not know that Palantir’s aim is to make all Law Enforcement detectives either redundant or hopelessly hooked on their systems. They acquire data wherever they can…

For instance they did a backroom deal to get all the health records of UK citizens into their databases; why is not known. But it’s been said they had connections with Cambridge Analytica, which was alleged to have significantly manipulated US voting and been involved with the supply of illegal money from Russia to at least two UK political organisations whose intent was to get the UK out of Europe. Oh, and behind Cambridge Analytica was the hedge fund billionaire Mercer family that had tried to gain control of the US GOP (Republicans). Whilst the father is “retired” the daughter is very much up to the old political tricks.

Understanding the “Dark Tetrad” mentality these players appear to exude in excess is shall we say “Difficult at best”.

Which should be of a very great concern to every voting citizen and anyone who cares even a small amount about both National and Global Security.

However as @Brenden Walker notes above,

“I think the general population is burning out on worrying about security.”

Yes, and it’s only going to get worse as we head into this Global Recession where the price of food is rising at many times the increase in wages/salaries, and likewise energy. In both cases one major attributable cause is as a direct result of idiot politicians receiving benefit from these people. Thus arguably, they are “Creating the market, by which they will profit” and we are letting them due to being too “careworn with just trying to survive”.

Ismar December 9, 2022 5:00 PM

Interesting, just wondering about the owners of these cameras being in the situation they are in due to previous positive ReviewGeek reviews of Eufy?

Clive Robinson December 9, 2022 6:27 PM

@ Ismar, ALL,

Re : Someone to blame.

“… just wondering about the owners of these cameras being in the situation they are in due to previous positive ReviewGeek reviews…”

Humans have, as an over-generalised statement, “a number of failings”. Two of which are,

1, We are usually not competent, lazy or both.
2, We do not like being embarrassed.

The result being we do not like taking responsibility for our uninformed actions, so seek to blame others.

The real problem is as a race we are both overly trusting and thus too optimistic, despite many warnings to the contrary such as,

“Buyer beware”
“If it looks too good to be true, then it probably is too good to be true”

And heaps more, but there is also a flip side, which is dangerous,

“Never look a gift horse in the mouth”

Etc.

Our over trust and optimism leads us to ignore downsides and only see upsides… Or we look at “Profit Potential” not “Bottom line loss”. Many are surprised when shown evidence that less than one in ten consumer products going to market ever breaks even, let alone makes a profit… So for most of us,

“Life is not what it seems”

Which also means that there are some who take advantage and we get sold a pile of junk…

I guess my first experience that hit hard enough to hurt was when I was quite small. Prior to Christmas there were toy adverts, and one series from a well known toy manufacturer looked fun, exciting and a lot more than it really turned out to be. Looking back I would say the adverts were designed to quite deliberately mislead. It was called “Radar” and it was a really poor implementation of “battleships” at a well over inflated price. Had I been able to look at it in a toy store I would have quickly realised it was a pile of xxxx in about thirty seconds (as I did on Christmas morning).

Back then, the fact that it was not available to “try before you buy” in the shops would perhaps have been a warning sign to an older child, I don’t know. All I can say is that another toy a different year called “Mastermind” proved endlessly enjoyable (and some years later ended up with me writing a computer program to play as a college project and as it beat just about everyone, got my project top marks).

I put my hand up over “Radar” being a memorably sad Christmas event, and it was me that had pushed my parents to get it.

My excuse, the adverts made it look exciting, there was no try before you buy.

And that’s what is going on with modern technology.

Nobody has time to do a full market search on “claimed features”, let alone defects hidden deliberately or otherwise, not even professional reviewers. If you think about it for even a short while, they cannot, due to the way technology is often made to work.

Which means that those who do deliberately hide defects get away with it because we the customers are generally too embarrassed to admit we were duped and so hold them to account.

They know that which just makes them worse…

whatev December 9, 2022 7:28 PM

@ Gunter Königsmann

“Are my photos really worth all that money to someone else?”

Apparently, since the cloud storage mechanism did not appear by itself

JonKnowsNothing December 9, 2022 8:39 PM

@ Gunter Königsmann

re: “Are my photos really worth all that money to someone else?”

All photos are worth something to LEAs globally. Palantir is a USA CIA front for collecting them from “legit business” but they get loads of them other ways.

The NSA+Google have a geo-mapping project where any photo without a geo-tag can be mapped to the precise location, time of day, time of year using massive amounts of the same photos in an overlay to make the identification.

  • ex: 1,000 pictures of standing on the beach. 1 picture with no geo-tag. The 1,000 pictures are tagged by every identifiable item in the pictures: rocks, trees, landscape ridges etc. The no-tag picture is set into the overlay until they find a fit. Sort of like fitting in a jigsaw puzzle piece. They work it until it fits perfectly.

It’s not just the USA CIA, it’s global in scope.

Not too long ago, this technique was used by Canada to determine a USA hunter had illegally crossed into Canada to kill a trophy animal. The hunter had posted a no-geo-tag image, cropped down to display the hunter with the dead animal (classic pose). The Canadians knew this type of animal is very hard to find on the USA side of the border, so they started poking at the image. They were able to map the skyline to part of Canada and the trees and shrubs to those shown in the hunter’s post. Then the Canadians went exactly to that spot with a GPS, took their picture in the same spot, proving the USA hunter was untruthful about how, where and when the kill happened.

A 2017 mystery story (1), while the story is make-believe, had a rather detailed view of how the French police and security services are able to use such technologies to identify, track, trace and determine personal and family relationships based on a very simple partial image, identification, location. It’s quite thorough in description.

So, yep, your photos are used by people to do things you could never imagine. People who you have never met, and who you can certainly hope to never meet in your lifetime.

However, if you travel internationally, you have every chance to run into one or more of them.

===

1) Bruno, Chief of Police Series: The Templars’ Last Secret. 2017 Martin Walker

Ted December 10, 2022 12:00 PM

Researchers Paul Moore and Wasabi really touched on a nerve. People no like sneaky companies. Especially those who purvey smart home video services.

There’s a few roaring pitchfork parties going on over on Eufy’s security community forum. (Class action lawsuit, spread the word.) I’d be shocked if a complaint hasn’t been floated up to a GDPR authority.

There’s even a tweet of someone running over Eufy equipment with their car. Eufy would be wise to get some consultation stat and liberally hose down their marketing gin.

PS: Here’s Paul Moore being shocked by an AES key.

lurker December 10, 2022 7:00 PM

@Ted

Until proved otherwise I’ll stick with Hanlon’s Razor at work here. Yet one has to wonder when a user observes

I noticed on my router the connections to aws so I blocked the camera from the Internet and the app would no longer show local video! I called tech support and was told the camera needs access to the internet to function.

I and @Clive are still asking Why?

Sure, your pixels are worth $omething to somebody, but innocent me wonders are these eufy guys just dumb and not know how to firewall an intranet. Of course most of their users may be even dumber, and the hand-holding needed may be too expensive for such a lowend device. Imagine what would happen if all soho routers booted with a default
RULE 1 FROM ALL TO ALL DENY

Clive Robinson December 10, 2022 7:26 PM

@ lurker, Ted, ALL,

Re : The route to a quiet life.

“Imagine what would happen if all soho routers booted with a default
RULE 1 FROM ALL TO ALL DENY”

Ahh for those not in first line customer support it would be bliss for a while 😉

But the fact is the first C in CCTV should tell even the dumbest of management and marketing wonks that the Internet should not be a requirement for operation of “Closed Circuit TeleVision” (CCTV).

Maybe we should rename it to OSTV for “Open Stupidity TeleVision” or “Opposite of Secure TV” etc.

Ted December 10, 2022 10:02 PM

@lurker, Clive, All

At this stage it’s hard to pinpoint exactly where this system has gone off the tracks.

One thing that seems clear is that the advertising was misleading. On top of that Anker (Eufy’s Chinese parent company) denied that certain actions were possible (like watching live footage) even after researchers demonstrated it was possible.

These discoveries have even made it onto Wikipedia.

https://en.m.wikipedia.org/wiki/Anker_Innovations#Controversies

It sounds like there are legal actions in the works. So hopefully we’ll know more. In the meantime, if anyone can’t live without their Eufy cameras, miken32, a commenter on Ars Technica, shared some thoughts on how to cut off the camera from the outside.

@Clive

“Opposite of Secure TV” is an excellent name. No security for everyone lol 😉

lurker December 11, 2022 11:39 AM

@Ted, Clive, All

It needs UDP port 123 for NTP? Are 3rd parties now demanding accurate timestamps? Wait for port 123 UDP to be used to carry other traffic other places …

As the Ars commenter noted it’s already spraying its ID in plaintext on other UDP ports.
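An added example, not code from the post or from any commenter, that operationalises the default-deny stance in this exchange: it audits a camera's flows from constructed router log lines, allowing only LAN traffic and udp/123 to one named NTP server, and reports every other destination the camera reached. The log format, the camera address, the LAN range and the NTP server are all assumptions.

```python
"""Egress audit for a camera that is supposed to be local-only.
Constructed example: the log format, camera address 192.168.1.50, LAN range
and NTP server are assumptions, not Eufy specifics. Policy: LAN traffic is
fine; udp/123 is fine only to the one NTP server we chose; all else is reported."""
import ipaddress
import re
from collections import defaultdict

# Constructed connection-log lines in a conntrack-like key=value style.
SAMPLE_LOG = """\
2022-12-10T19:01:02 proto=udp src=192.168.1.50 dst=198.51.100.5 dport=123
2022-12-10T19:01:05 proto=tcp src=192.168.1.50 dst=192.168.1.20 dport=554
2022-12-10T19:01:09 proto=tcp src=192.168.1.50 dst=203.0.113.10 dport=443
2022-12-10T19:01:11 proto=udp src=192.168.1.50 dst=203.0.113.11 dport=123
2022-12-10T19:01:15 proto=udp src=192.168.1.50 dst=203.0.113.7 dport=32100
2022-12-10T19:01:20 proto=tcp src=192.168.1.20 dst=203.0.113.10 dport=443
"""

LINE_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def parse_flows(log_text):
    """Yield (proto, src, dst, dport) for each line that matches; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def audit_egress(log_text, camera_ip, lan_cidr, ntp_server):
    """Return {dst: sorted ['proto/port', ...]} for camera flows outside the policy."""
    lan = ipaddress.ip_network(lan_cidr)
    violations = defaultdict(set)
    for proto, src, dst, dport in parse_flows(log_text):
        if src != camera_ip:
            continue  # the policy applies to the camera only
        if ipaddress.ip_address(dst) in lan:
            continue  # local traffic is exactly what a local-only camera should do
        if proto == "udp" and dport == 123 and dst == ntp_server:
            continue  # the single permitted Internet flow: time sync to a known server
        # udp/123 to any other host is reported too: the port alone proves nothing
        violations[dst].add(f"{proto}/{dport}")
    return {dst: sorted(ports) for dst, ports in violations.items()}

if __name__ == "__main__":
    found = audit_egress(SAMPLE_LOG, "192.168.1.50", "192.168.1.0/24", "198.51.100.5")
    for dst, ports in found.items():
        print(f"camera reached {dst} on {', '.join(ports)}")
```

Feed it the real export from your router's connection log (adjusting LINE_RE to that format) and an empty result is what "local only" should look like.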
