Updated on 2022-12-05: Anker Eufy camera vulnerability
Security researchers have discovered that you can bypass authentication and encryption on Anker Eufy internet-connected cameras and access other people’s live feeds just by connecting to an IP address from Anker’s cloud using the VLC media player. When confronted by reporters about the issue, Anker denied that was possible but silently started making changes to its backend to address the issue. Read more: Anker’s Eufy lied to us about the security of its security cameras
Updated on 2022-12-04: Researcher says Eufy cameras aren’t as local-only as it claims
Anker’s Eufy smart home cameras promise that they’ll store your data locally. Your video footage “never leaves the safety of your home,” and is only transmitted to your phone via end-to-end encryption, with no way for Eufy to access the data. Except, @Paul_Reviews and The Verge found that it was possible to access a Eufy stream from the other side of the country using VLC Player on someone else’s network, with no encryption. Both presented compelling evidence of their claims, even if Anker largely denied (and ignored) key claims. Something weird is definitely going on, but it sounds like Eufy’s lawyers are already engaged, so make of that what you will. Read more:
- Anker’s Eufy lied to us about the security of its security cameras
- Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted
Just had a lengthy discussion with @EufyOfficial's legal department.
It's appropriate at this stage to give them time to investigate and take appropriate action; conversely, it's not right for me to comment further.
I will provide an update, as & when possible. Thanks!
— Paul Moore (@Paul_Reviews) November 28, 2022
Ah well, the cats out the bag now… so may as well tell you.
You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption.
Please don't ask for a PoC – I can't release this one.
— Paul Moore (@Paul_Reviews) November 25, 2022
Updated on September 2022: Vulnerabilities in popular library affect Unix-based devices
Cisco Talos recently discovered a memory corruption vulnerability in the uClibC library that could affect any Unix-based devices that use this library. uClibC and uClibC-ng are lightweight replacements for the popular gLibc library, which is the GNU Project’s implementation of the C standard library. CVE-2022-29503 and CVE-2022-29504 are memory corruption vulnerabilities in uClibC and uClibc-ng that can occur if a malicious user repeatedly creates threads. Many embedded devices utilize this library, but Talos specifically confirmed that the Anker Eufy Homebase 2, version 126.96.36.199h, is affected by this vulnerability. Read more: uClibC and uClibC-ng libpthread linuxthreads memory corruption vulnerabilities
Overview: Eufy Security Camera Bug Exposed Users’ Video Streams
Some users of Eufy security cameras have reported that when they signed into their accounts, they were able to access other users’ accounts, allowing them to view both live and recorded video. Users also reported being able to control others’ cameras. Eufy says the bug has been fixed, and that users need to unplug and reconnect their devices and log out of the Eufy security app and log in again.
Note: Good lesson for anybody who blindly trusts access controls that you don’t have any insight into or that you are not able to review (for example, cloud providers). Assume they will break eventually. For security cameras specifically: They should not be placed in personal spaces or rooms where confidential information is discussed. (For home security, it is best to keep them outside.)
Read more in: