Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted

The URLs for accessing your camera streams are also way too easy to brute-force.

Kevin Purdy – Dec 1, 2022 8:57 PM | 143

Eufy's camera footage is stored locally, but with the right URL, you can also watch it from anywhere, unencrypted. It's complicated.

(Update 7:30 a.m. ET 12/2/2022: Eufy has issued a statement in response to findings from The Verge and a security researcher:

"eufy Security adamantly disagrees with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions."

The original story follows.)

When security researchers found that Eufy's supposedly cloud-free cameras were uploading thumbnails with facial data to cloud servers, Eufy's response was that it was a misunderstanding, a failure to disclose an aspect of its mobile notification system to customers.

It seems there's more understanding now, and it's not good.

Eufy didn't respond to other claims from security researcher Paul Moore and others, including that one could stream the feed from a Eufy camera in VLC Media Player, if you had the right URL. Last night, The Verge, working with the security researcher "wasabi" who first tweeted the problem, confirmed it could access Eufy camera streams, encryption-free, through a Eufy server URL.

This makes Eufy's privacy promises of footage that "never leaves the safety of your home," is end-to-end encrypted, and only sent "straight to your phone" highly misleading, if not outright dubious. It also contradicts an Anker/Eufy senior PR manager who told The Verge that "it is not possible" to watch footage using a third-party tool like VLC.

Ars Video

The Verge notes some caveats, similar to those that applied to the cloud-hosted thumbnail. Chiefly, you would typically need a username and password to reveal and access the encryption-free URL of a stream. "Typically," that is, because the camera-feed URL appears to be a relatively simple scheme involving the camera serial number in Base64, a Unix timestamp, a token that The Verge says is not validated by Eufy's servers, and a four-digit hex value. Eufy's serial numbers are typically 16 digits long, but they are also printed on some boxes and could be obtained in other places.

We've reached out to Eufy and wasabi and will update this post with any further information. Researcher Paul Moore, who initially raised concerns with Eufy's cloud access, tweeted on November 28 that he had "a lengthy discussion with [Eufy's] legal department" and would not comment further until he could provide an update.

(Update, 5:42 pm ET: Ars chatted with wasabi, who confirmed that they could view Eufy camera streams from systems outside their network without authentication or other Eufy devices on that system. "It seems Eufy is trying to simply block people from viewing the data their (web) app sends instead of actually fixing the issue," they wrote.

Wasabi also noted that the way the remote URLs are configured, there are only 65,535 combinations to try, "which a computer can run through pretty quick.")

Vulnerability discovery is far more of a norm than an exception in the smart home and home security fields. Ring, Nest, Samsung, the corporate meeting cam Owl—if it has a lens, and it connects to Wi-Fi, you can expect a flaw to show up at some point, and headlines to go with it. Most of these flaws are limited in scope, complicated for a malicious entity to act upon, and, with responsible disclosure and a swift response, will ultimately make the devices and systems stronger.

Eufy, in this instance, is not looking like the typical cloud security company with a typical vulnerability. An entire page of privacy promises, including some valid and notably good moves, has been made largely irrelevant within a week's time.

You could argue that anyone who wants to be notified of camera incidents on their phone should expect some cloud servers to be involved. You might give Eufy the benefit of the doubt, that the cloud servers you can access with the right URL are simply a waypoint for streams that have to leave the home network eventually under an account password lock.

But it has to be particularly painful for customers who bought Eufy's products under the auspices of having their footage stored locally, safely, and differently from those other cloud-based firms only to see Eufy struggle to explain its own cloud reliance to one of the largest tech news outlets.

Ars Video

nproxy.org