Smart-device company Eufy admits major camera security breach
Another day, another breach; which companies can you trust?
As 2022 came to a close, yet another security breach was disclosed (albeit only partially) by a large smart device manufacturer. On November 23, 2022, a security researcher and YouTuber named Paul Moore uploaded a video claiming that Eufy devices were sending photos and videos to the cloud, despite Eufy’s insistence that all photo and video analysis was performed by the devices themselves, rather than in the cloud.
Moore’s research alleged that user images and facial recognition data were (and still are) being uploaded to an AWS server either maintained by Anker (parent company of Eufy) or Eufy themselves. Since late November, Moore has updated his initial findings, telling us that some of these security issues have been patched, although with no way to verify Anker’s and Eufy’s claims that previously-stored cloud data are actually being deleted.
As the saga unfolded, The Verge uncovered that unencrypted camera streams from Eufy cameras could be accessed by video playback software such as VLC. The Verge questioned an Anker representative about this security vulnerability, to which Brett White, a senior PR manager at Anker, responded that it was not possible to initiate an unencrypted stream to a Eufy camera from a third-party video client like VLC.
The Verge tested this claim and found that Anker lied:
“But The Verge can now confirm that’s not true. This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.”
The Verge continues that, in spite of this disturbing revelation, there is no evidence that the vulnerability has been exploited in the wild. However, the method for connecting to cameras over the Internet involves simply knowing the cameras’ serial numbers, which are 16-digit codes encoded in Base64; decoding these addresses with freely available online calculators is trivial.
This “unique” address also consists of a Unix timestamp, which is easily created by an attacker, as well as some sort of identity token which Eufy’s servers don’t appear to actually validate. Finally, a four-digit random hex code is needed to complete this process; such codes can also be easily brute-forced, as only 65,536 possible combinations of four-digit hex exist.
Anker’s responses to these findings and allegations have varied from half-hearted admissions, to flat denials (even when faced with very damning evidence), to mere radio silence. Paul Moore, who initially broke the story, has initiated a lawsuit against Eufy and parent company Anker, as he alleges their security policies have violated GDPR regulations in Europe (Moore lives in the United Kingdom).
But it gets worse. A few weeks after the initial story broke, The Verge wrote a follow-up article to their original investigative piece. They claim that Eufy has not answered any of their questions about these vulnerabilities, instead opting to remove the ten so-called “privacy promises” from their website that had been publicly visible on Eufy’s site until December 8th, 2022.
The ten bullet points in Eufy’s now-defunct “privacy promise” follow:
“To start, we’re taking every step imaginable to ensure your data remains private, with you.”
“[Y]our recorded footage will be kept private. Stored locally. With military-grade encryption. And transmitted to you, and only you.”
“Here at eufy, we’re not just all talk and no action.”
“With secure local storage, your private data never leaves the safety of your home, and is accessible by you alone.”
“All recorded footage is encrypted on-device and sent straight to your phone—and only you have the key to decrypt and watch the footage. Data during transmission is encrypted.”
“There is no online link available to any video.”
“You need to use Eufy software and your account to decrypt the clips for viewing. No one else can access or read this data.”
“For Your Eyes Only”
It doesn’t seem surprising, then, that Eufy memory-holed these items from its website, given the potential legal ramifications of leaving them up, especially assuming that Eufy is already undergoing investigation from government regulators in other countries.
But it does speak to the casual attitude that so many companies take toward data security and user privacy. Many of Eufy’s sins in this case come down to failure to implement basic information security best practices. These things are well-understood, well-documented, and increasingly given to regulatory scrutiny if not implemented properly.
So what should you do? If you own any Eufy products, get rid of them. Anker and Eufy have amply demonstrated how they feel about their users’ security, given their responses to the very fair questions the media and security consultants have asked them.
But this is not an isolated problem. Eufy is not the first smart device maker to have an unflattering spotlight shined on their information security practices. Wyze has been similarly implicated in failing to address security vulnerabilities in their security camera platform. Wyze also suffered a large data breach in 2019 when it failed to secure customer databases stored in the cloud.
This leaves prospective customers with something of a dilemma: do I buy nothing or buy the least-bad option? When you use a device maker’s cloud services you’re agreeing to a certain amount of risk. A cloud server is just someone else’s computer, after all.
When you buy an Internet-connected camera and pay for cloud video storage, AI recognition, and streaming, you’re implicitly trusting that device manufacturer to do the right thing and to be rigorous in their security policies. The only way to reduce this risk is to keep your smart devices off the Internet, which rather reduces their effectiveness, especially in the case of security cameras.
Your best path forward consists of a multi-part strategy which I encourage everyone who has an interest in (or owns) smart devices to employ:
Vet your suppliers: research the companies you’re buying your products from. Have they had data breaches or other security incidents? How did they respond to them? Has there been more than one such incident?
Segregate your network traffic: don’t put smart devices on the same network your computers use. VLANs (virtual networks) suit this purpose perfectly. By creating a special network just for your smart devices, you ensure that they cannot communicate with sensitive data on your main home network. A compromised IoT device can wreak havoc, but the damage will be minimized if that device can’t talk to the rest of your network.
Don’t rely solely on cloud solutions: companies like Eufy and Wyze want you to buy their cloud subscription services for things like video storage, as these are their cash cows, offsetting the often low price you pay for their hardware. These cloud storage and authentication solutions, as we’ve seen so many times before, are often breached, leak your data, or are otherwise compromised due to poor security practices and unpatched software and firmware vulnerabilities. Look for cameras that support local video recording by way of a microSD card or other local storage device.
Use your firewall: create rules to prevent your cameras and other IoT devices from “phoning home” to remote servers that you don’t recognize, or that these devices needn’t otherwise communicate with. When performing a traffic analysis of these devices, you’ll often find they routinely ping a number of cloud servers (often Amazon Web Services servers). In the case of cloud-connected devices which need access to remote servers in order to upload photos and videos, this is expected and necessary behavior, but what about if you have no cloud subscriptions? What if the server it’s trying to access isn’t a legitimate server?
When you consider the Chinese government’s hostility toward Western countries like ours, and that most of these devices are made in China with China-backed servers, these are important questions to ask. Retain a network engineer, if necessary, to perform an actual traffic analysis for you, to ensure that your devices aren’t actually making your home less secure.
Finally, there is always the option of building a local-only security solution that doesn’t connect to the Internet at all. In this way, you’ll find your options in terms of hardware and software are numerous compared to the closed ecosystems that most IoT and smart device companies are selling you. Again, though, an offline security solution isn’t much use to a customer who wants to check in on their home, pets, or loved ones when they’re out of town, at work, or on an errand. However, you still have options to convert an offline system to a more secure online system by using our favorite smart device aggregation platform, HomeAssistant.
HomeAssistant requires considerably more manual configuration and setup than any plug-and-play smart device, but it rewards users with greater security and emphasizes local control rather than handing your information to unknown, possibly malicious, third parties. Geek Housecalls has experience in installing and configuring HomeAssistant for home users, as well as businesses, with security foremost in mind. Contact us today for a free consultation!