
More Eufy Flaws Found (including remote unencrypted feed viewing)

ars3n1k

Summary

Twitter user @spiceywasabi discovered that you can brute force an RTMP link out of Eufy cameras. He also posted that Eufy tried to patch the information that can lead to the brute force but noted it’s only trying to mask the information in Web Inspector, not actually do anything about the leak. 

 

Quotes

Quote

 When security researchers found that Eufy's supposedly cloud-free cameras were uploading thumbnails with facial data to cloud servers, Eufy's response was that it was a misunderstanding, a failure to disclose an aspect of its mobile notification system to customers.

It seems there's more understanding now, and it's not good.

 

My thoughts
What seemingly was a bad week last week for Eufy seems to have gotten much worse. It makes me glad that I don’t own any of these Security Swiss cheese cameras. Anker themselves, who have usually been trustworthy for their hardware, seem to have fallen majorly, majorly short with their subsidiary.

 

Sources

https://arstechnica.com/gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-feed-viewing/

 

 

Edited by ars3n1k
Removing italicized text since I was sleepy and forgot

13 minutes ago, ars3n1k said:

it’s only trying to mask the information in Web Inspector, not actually do anything about the leak.

At this point Eufy/Anker has shown their hand. This is not a leak, this is an active effort to deceive and spy on their customers. If it was a leak they would have actually shut off the web feeds and data exfiltration instead of throwing a sheet over it and hoping nobody looks too hard. They're committed to keeping their covert access to your cameras and won't be backing down.

¯\_(ツ)_/¯

 

 

Desktop:

Intel Core i7-11700K | Noctua NH-D15S chromax.black | ASUS ROG Strix Z590-E Gaming WiFi  | 32 GB G.SKILL TridentZ 3200 MHz | ASUS TUF Gaming RTX 3080 | 1TB Samsung 980 Pro M.2 PCIe 4.0 SSD | 2TB WD Blue M.2 SATA SSD | Seasonic Focus GX-850 Fractal Design Meshify C Windows 10 Pro

 

Laptop:

HP Omen 15 | AMD Ryzen 7 5800H | 16 GB 3200 MHz | Nvidia RTX 3060 | 1 TB WD Black PCIe 3.0 SSD | 512 GB Micron PCIe 3.0 SSD | Windows 11


6 minutes ago, BobVonBob said:

At this point Eufy/Anker has shown their hand. This is not a leak, this is an active effort to deceive and spy on their customers. If it was a leak they would have actually shut off the web feeds and data exfiltration instead of throwing a sheet over it and hoping nobody looks too hard. They're committed to keeping their covert access to your cameras and won't be backing down.

Is it covert if it’s out there in the open? Perhaps more suitable words may include: Brazen, Overt, Obvious, Glaring, failed Metal Gear Solid VR. 

My eyes see the past…

My camera lens sees the present…


https://community.anker.com/t/how-to-setup-rtsp-on-eufycam-to-stream-video-to-your-compatible-nas/64833

 

This seems highly overblown. It's a feature, and if a user misconfigured their firewall, yes, they are exposed. You normally would not route RTSP traffic by default. They could just disable it all in FW. But that would actually remove a feature. It's ironic actually that a feature for experts can be expertly misused. Until they post other accounts' live feeds that can be activated remotely I don't see an issue. A misconfigured firewall is a bad idea.

And a serial number that is unique and a user account ID that is also unique is a security feature. If they just used incrementing serials and user IDs that would be a problem, but I have not seen any proof that it can be exploited by anyone but the user debugging their own cameras, which already have the feature and give the RTSP URL answer in the app.

 


8 hours ago, Somerandomtechyboi said:

[image]

I think I hit send right as I was going to sleep. I derped 😂😂


4 hours ago, riawoias said:

This seems highly overblown. It's a feature, and if a user misconfigured their firewall, yes, they are exposed

There are a few major issues though, specifically this report doesn't mention anything about it requiring a "misconfiguration".  It's exposed with Eufy's servers, so that means the connection is bridged using the Eufy server (or initiated) so your network will gladly accept the connection.

 

Specifically their advertising says: "end-to-end encryption."

They talk about privacy in their support with the following: "All recorded footage is encrypted on-device and sent straight to your phone—and only you have the key to decrypt and watch the footage"

 

If hypothetically it is only a local feed, it still creates a major issue.  They claim everything is end-to-end encrypted, yet it's not.  There is a major issue when a company is advertising features that are not true.

 

They also made a claim to the media that it wasn't possible to do so.

 

Also, this is accessed OUTSIDE of your network using Eufy's servers to get the connection.  While I doubt people really would be using a non-eufy video player to see the stream, as anyone who would attempt it would already realize it's not encrypted...it still means if you chose to do so you would open yourself up to people spying.

 

The basics of how to access the camera remotely.  You need the serial number (which who knows, might be doable), unix timestamp (can be generated), token (which Eufy doesn't validate), and a 4 byte (represented in hex).  So you could brute force the 4 byte one, the serial is on the original box (if someone goes trash digging).  To figure out the URL though I guess you would need to log into the account, but the way they talk about things I wouldn't be surprised if someone discovers a way to circumvent that.

 

A major note about this as well (as a potential attack vector).  If your wifi has been compromised, or let's say you had a friend over who you gave the wifi password to.  If you accessed Eufy, they could have done snooping on the network.  Since Eufy didn't encrypt the API calls, they can generate the URL needed to access the cameras remotely (albeit with some brute force involved).  Your friend now has the potential to see your cameras.

One thing also not pointed out on the WAN show, or here.  Something that has been known about for at least a year and is considered a "feature".  If you are breaking into a home and see the Eufy cameras the easiest way to get rid of the footage is to hold the reset button.  Holding the reset button on the Eufy camera automatically deletes the footage on the NVR.  Honestly, this is the worst company ever.

Let's not forget Eufy also had the server configuration that accidentally let others see other cameras.  At this stage Eufy just needs to burn as a company.  Multiple years and multiple flaws in their products that expose users.

3735928559 - Beware of the dead beef


10 hours ago, BobVonBob said:

At this point Eufy/Anker has shown their hand. This is not a leak, this is an active effort to deceive and spy on their customers. If it was a leak they would have actually shut off the web feeds and data exfiltration instead of throwing a sheet over it and hoping nobody looks too hard. They're committed to keeping their covert access to your cameras and won't be backing down.

Who's going to stop them though? Absolutely no one, and no normal person even pays attention to this. That's why I run my own firewall, set up virtual networks, and any IoT devices that I can't get from a reputable company and that require a controller I can't host myself are blocked from the web.


4 hours ago, divito said:

Spy on what?

Anything and everything. The data industry's dirty secret is that these companies are nearly as clueless as us about what they're gathering and why. They just keep gathering more because surely if you have enough data there must be something useful in it, right?


6 hours ago, BobVonBob said:

Anything and everything. The data industry's dirty secret is that these companies are nearly as clueless as us about what they're gathering and why. They just keep gathering more because surely if you have enough data there must be something useful in it, right?

A good quote which I do believe applies here:

 

"never attribute to malice that which is adequately explained by stupidity"

 

I don't think that Eufy tried spying on people.  I bet they tasked an engineer with a "hey we need this to show a notification and be able to access with a phone, implement".  From there they used the cloud to "temporary" store it (and didn't really clear it), as it's the easiest way to create.

 

Some other engineer comes along, sees data there and is like, hey let's use facial recognition on it and metadata to send to the customer (not thinking that it's marketed as offline).

 

Don't get me wrong, the fact that the reset button can wipe all the camera data and the security incident they had a year or two ago now mixed with this and their response...this company needs to just end (there isn't a way I would ever trust this security system).

 

While @LinusTech mentioned on the WAN show that if they turn around a new leaf, although he seemed skeptical that they would based on their PR response, they would work again...I think the year long PR stunt of claiming holding the reset button deletes the camera footage shows exactly the type of company they are at the heart of things.  When your company is designed for security cameras and they lack some basic concepts of security there isn't any way to come back from that.

 

If this ever goes to court or if their PR releases more information, I would be surprised if their "local storage" claim still remains prominent.  As it's just like WD's "5400 RPM class" drives.  The devil's in the details on how they worded things.  They might imply that things are only stored locally...but what they effectively said though was that the data is stored locally...Like I bet they will try claiming the concept being that only the notification images are sent, and not all the camera feed so it's still accessing the "local storage" and that you are avoiding the pitfalls that is cloud storage...in that it often comes with extra monthly fees.  They will go with the concept that if they had shut down the next day you still would have access to your system and files [and that is what they were advertising].

 

Or if they were hacked only minimal amounts would be gathered on you and not your entire stored video clips.

3735928559 - Beware of the dead beef


1 hour ago, wanderingfool2 said:

A good quote which I do believe applies here:

 

"never attribute to malice that which is adequately explained by stupidity"

 

I don't think that Eufy tried spying on people.  I bet they tasked an engineer with a "hey we need this to show a notification and be able to access with a phone, implement".  From there they used the cloud to "temporary" store it (and didn't really clear it), as it's the easiest way to create.

 

Some other engineer comes along, sees data there and is like, hey let's use facial recognition on it and metadata to send to the customer (not thinking that it's marketed as offline).

 

Don't get me wrong, the fact that the reset button can wipe all the camera data and the security incident they had a year or two ago now mixed with this and their response...this company needs to just end (there isn't a way I would ever trust this security system).

 

While @LinusTech mentioned on the WAN show that if they turn around a new leaf, although he seemed skeptical that they would based on their PR response, they would work again...I think the year long PR stunt of claiming holding the reset button deletes the camera footage shows exactly the type of company they are at the heart of things.  When your company is designed for security cameras and they lack some basic concepts of security there isn't any way to come back from that.

 

If this ever goes to court or if their PR releases more information, I would be surprised if their "local storage" claim still remains prominent.  As it's just like WD's "5400 RPM class" drives.  The devil's in the details on how they worded things.  They might imply that things are only stored locally...but what they effectively said though was that the data is stored locally...Like I bet they will try claiming the concept being that only the notification images are sent, and not all the camera feed so it's still accessing the "local storage" and that you are avoiding the pitfalls that is cloud storage...in that it often comes with extra monthly fees.  They will go with the concept that if they had shut down the next day you still would have access to your system and files [and that is what they were advertising].

 

Or if they were hacked only minimal amounts would be gathered on you and not your entire stored video clips.

I would have agreed with you if Paul Moore had made the discovery, Eufy fixed their "local only" cameras to actually be local only, then made a statement about the situation. Then we all could have moved on. The problem is that's not what happened. Instead they doubled down and threw out lies. "We don't upload any images" turned into "well we do upload your images, but we need to for notifications". They claimed to delete everything if you delete your account, which was then proven to be false, along with their claims of "end-to-end encryption".

 

Don't attribute to malice that which can be explained by stupidity, but don't extend too much credit either. When their actions are shouting malice (or at least deceit) from the rooftops, you should believe them. Like you said, I have no doubt that all of their marketing material uses just the right combination of vague wording and crafted statements to mislead their customers while weaseling out of any legal culpability, which makes this all the more infuriating.


On 12/2/2022 at 8:28 AM, wanderingfool2 said:

There are a few major issues though, specifically this report doesn't mention anything about it requiring a "misconfiguration".  It's exposed with Eufy's servers, so that means the connection is bridged using the Eufy server (or initiated) so your network will gladly accept the connection.

 

Specifically their advertising says: "end-to-end encryption."

They talk about privacy in their support with the following: "All recorded footage is encrypted on-device and sent straight to your phone—and only you have the key to decrypt and watch the footage"

 

If hypothetically it is only a local feed, it still creates a major issue.  They claim everything is end-to-end encrypted, yet it's not.  There is a major issue when a company is advertising features that are not true.

Local traffic end-to-end encryption between different mfg devices is not trivial. To have any NAS connect to the Homebase with end-to-end encryption that has no keys stored by Eufy would require users to maintain their own private certificate infrastructure. If they made it seamless it wouldn't be end to end, as they would have the auth and certificate chain.

 

Their end-to-end encryption is talking about viewing stored footage from the camera to the user device, which the storage in the Homebase is encrypted. The rich notifications are optional and you trade convenience and latency for weakening the security. But it is basically impossible for people to guess the CloudFront links anyways other than owners debugging the WebView at the same time.

 

On 12/2/2022 at 8:28 AM, wanderingfool2 said:

They also made a claim to the media that it wasn't possible to do so.

 

Also, this is accessed OUTSIDE of your network using Eufy's servers to get the connection.  While I doubt people really would be using a non-eufy video player to see the stream, as anyone who would attempt it would already realize it's not encrypted...it still means if you chose to do so you would open yourself up to people spying.

 

The basics of how to access the camera remotely.  You need the serial number (which who knows, might be doable), unix timestamp (can be generated), token (which Eufy doesn't validate), and a 4 byte (represented in hex).  So you could brute force the 4 byte one, the serial is on the original box (if someone goes trash digging).  To figure out the URL though I guess you would need to log into the account, but the way they talk about things I wouldn't be surprised if someone discovers a way to circumvent that.

I have seen zero proof of a remote hack. How is anyone supposed to get the serial number if you remove it from the box, as MAC and SN are protected info that is similar to your IMEI, which is also used widely in cell phones for auth and is important info to hide? If you own the device, are on the LAN, control the router and have all the secret IDs, obviously you can connect or make it "hackable".

 

The report provides zero proof and I have not been able to reproduce it with a properly configured firewall and guests cannot access anything on the LAN by default.

 

On 12/2/2022 at 8:28 AM, wanderingfool2 said:

A major note about this as well (as a potential attack vector).  If your wifi has been compromised, or let's say you had a friend over who you gave the wifi password to.  If you accessed Eufy, they could have done snooping on the network.  Since Eufy didn't encrypt the API calls, they can generate the URL needed to access the cameras remotely (albeit with some brute force involved).  Your friend now has the potential to see your cameras.

Local network access is very typically not hardened. SMB shares, RDP and many countless protocols and routers are not secure. If someone is in your house, the random passwords are printed on the device and are based on their serial numbers. Z-Wave devices all have their pairing key printed on them; is that a security problem? If you have untrusted friends, use a guest wifi and VLANs. It's best practice to not let untrusted users into your LAN. If you expose your LAN side directly to the internet you will get hacked.

 

On 12/2/2022 at 8:28 AM, wanderingfool2 said:

One thing also not pointed out on the WAN show, or here.  Something that has been known about for at least a year and is considered a "feature".  If you are breaking into a home and see the Eufy cameras the easiest way to get rid of the footage is to hold the reset button.  Holding the reset button on the Eufy camera automatically deletes the footage on the NVR.  Honestly, this is the worst company ever.

This is complete nonsense. Obviously if you have a local NAS video server, if an intruder is in front of it you're screwed no matter what mfg makes it. Even if you had a professional enterprise video server, if you had physical access you just need to yank three drives out and all the footage is poof. If you upload everything to the cloud you'd need to pay fees monthly for storage and bandwidth.


12 hours ago, BobVonBob said:

I would have agreed with you if Paul Moore had made the discovery, Eufy fixed their "local only" cameras to actually be local only, then made a statement about the situation. Then we all could have moved on. The problem is that's not what happened. Instead they doubled down and threw out lies. "We don't upload any images" turned into "well we do upload your images, but we need to for notifications". They claimed to delete everything if you delete your account, which was then proven to be false, along with their claims of "end-to-end encryption".

Well I mean it's "proven" true to a certain extent, when you cache things on a server sometimes they remain around for a bit as it waits to be cleaned up.  By the sounds of it, it was removed within a 24 hour period.  It also takes time to fix something as big as what Eufy did, and of course they wouldn't admit wrong here...it would open them up to essentially a slam dunk lawsuit.  At this point it's just legal trying to protect them, and managers trying to protect their jobs.

 

9 hours ago, riawoias said:

Local traffic end-to-end encryption between different mfg devices is not trivial. To have any NAS connect to the Homebase with end-to-end encryption that has no keys stored by Eufy would require users to maintain their own private certificate infrastructure. If they made it seamless it wouldn't be end to end, as they would have the auth and certificate chain.

 

Their end-to-end encryption is talking about viewing stored footage from the camera to the user device, which the storage in the Homebase is encrypted. The rich notifications are optional and you trade convenience and latency for weakening the security. But it is basically impossible for people to guess the CloudFront links anyways other than owners debugging the WebView at the same time.

Eufy wouldn't have to require users to maintain their own certificate infrastructure...Literally you could even achieve e2ee with even a shared password if you really wanted to.  e2ee isn't that difficult to implement really.

 

Literally as well, they say footage is encrypted by the camera and sent to your phone, so yea their e2ee implies the feed never is unencrypted.

 

9 hours ago, riawoias said:

This is complete nonsense. Obviously if you have a local NAS video server, if an intruder is in front of it you're screwed no matter what mfg makes it. Even if you had a professional enterprise video server, if you had physical access you just need to yank three drives out and all the footage is poof. If you upload everything to the cloud you'd need to pay fees monthly for storage and bandwidth.

No it's not, you have no sense of security controls.  If I want to smash someone's car window, I don't need to access their house...just hold the reset on their camera and poof there goes the evidence.

 

Literally at my old place of work we kept the NVR inside a secondary locked room, and it was in a secondary locked case that was bolted to the wall.  So yea, it's not nonsense.  Even in my house, the NVR sits in an area that isn't "easy" to access, or easily visible...vs cameras it's a lot easier to reach those.

 

9 hours ago, riawoias said:

Local network access is very typically not hardened. SMB shares, RDP and many countless protocols and routers are not secure. If someone is in your house, the random passwords are printed on the device and are based on their serial numbers. Z-Wave devices all have their pairing key printed on them; is that a security problem? If you have untrusted friends, use a guest wifi and VLANs. It's best practice to not let untrusted users into your LAN. If you expose your LAN side directly to the internet you will get hacked.

What I said is still correct, they could sniff out the traffic for the API calls.  Even with that said, failure to encrypt API calls means if you used an open Wifi to access those people could know the info to access.  Your ISP could know, your phone carrier could know.  There's tons of areas that can be exploited by using non encrypted API calls.

3735928559 - Beware of the dead beef


7 hours ago, wanderingfool2 said:

Eufy wouldn't have to require users to maintain their own certificate infrastructure...

If Eufy has the private keys (which obviously they do) it's no longer e2ee...


On 12/2/2022 at 8:26 AM, ars3n1k said:

Summary

Twitter user @spiceywasabi discovered that you can brute force an RTMP link out of Eufy cameras. He also posted that Eufy tried to patch the information that can lead to the brute force but noted it’s only trying to mask the information in Web Inspector, not actually do anything about the leak. 

 

Quotes

 

My thoughts
What seemingly was a bad week last week for Eufy seems to have gotten much worse. It makes me glad that I don’t own any of these Security Swiss cheese cameras. Anker themselves, who have usually been trustworthy for their hardware, seem to have fallen majorly, majorly short with their subsidiary.

 

Sources

https://arstechnica.com/gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-feed-viewing/

 

 

Who in their right mind puts cameras inside their home??? Aside from that, keep in mind that we are talking about a Chinese company, and companies in China are all controlled by the state. Any and all security products are information gathering tools. It is known practice that China is spying on its citizens. Don't think other live feed camera companies outside of China won't do the same. It's not a flaw, it is by design. Any and all so-called smart devices that require outside connections or have the ability to do so are a security risk. I love those new smart control door locks. They have a master key for emergency services to enter. Once you have such a key, you can enter any home as you please. The really sad part is that companies install those devices these days without considering the consequences or making the effort to build a closed loop setup instead.  Even if said security flaw would be treated as such, another firmware update might open it back up.


2 hours ago, jagdtigger said:

If Eufy has the private keys (which obviously they do) it's no longer e2ee...

Well Eufy I don't think has the private keys.  Their device is just communicating with the Eufy servers...as well as with your phone.  My point of replying was that @BobVonBob was trying to imply that e2ee is effectively impossible to do because of the management, which is not the case.  I was generally saying that it's actually really easy to implement e2ee encryption on video feeds and recording (with an example being encrypting with a shared password...like the password hash...or similar).

 

1 hour ago, Applefreak said:

Who in their right mind puts cameras inside their home???

Lots of people do, in some cases you can reduce your insurance costs as well.  It can also allow you to remotely monitor your house (say you are out and you leave your teenaged kid home...you know they won't be having a party).

 

1 hour ago, Applefreak said:

Aside from that, keep in mind, that we are talking about a Chinese company and companies in China are all controlled by the state.

I doubt it has anything to do with being a Chinese company, I think it's just about not having oversight when designing a product and people took the easier route.  If it was intentional, they wouldn't have made it so easy to find (and they wouldn't have advertised in a way that is likely to open them up to lawsuits).

 

Like how Google (a US company) captured TB of wifi signals of unencrypted traffic.  Again, I quote it again:

 

"never attribute to malice that which is adequately explained by stupidity"

 

Couple that with a mentality of never admitting they were wrong in a design and you have where we are now, them denying while being caught.

 

2 hours ago, Applefreak said:

I love those new smart control door locks. They have a master key for emergency services to enter. Once you have such a key, you can enter any home as you please. The really sad part is that companies install those devices these days without considering the consequences or making the effort to build a closed loop setup instead

They have a backup key, but from my knowledge there isn't any that works with a master key.  (Unless you are thinking for apartment buildings, but that's also a legal requirement which has nothing to do with it being a smart lock).  They do often have terrible designs though (exposed electronics and such)...but then again you have MasterLock which sells some "high security locks" which can be opened with a comb tool.

 

3735928559 - Beware of the dead beef


2 minutes ago, wanderingfool2 said:

Well Eufy I don't think has the private keys.  Their device is just communicating with the Eufy servers...as well as with your phone.

Well them having pictures in plain form and talking about encrypting the API after it blew up in their faces implies otherwise.....


1 minute ago, jagdtigger said:

Well them having pictures in plain form and talking about encrypting the API after it blew up in their faces implies otherwise.....

That was my general point from my first post which Bob replied to.  That they advertised as E2EE yet you are capable of doing it with a non E2EE stream (but again, Bob was trying to argue E2EE somehow was difficult...which I am stating it isn't difficult).

3735928559 - Beware of the dead beef


On 12/2/2022 at 9:02 AM, BobVonBob said:

At this point Eufy/Anker has shown their hand. This is not a leak, this is an active effort to deceive and spy on their customers. If it was a leak they would have actually shut off the web feeds and data exfiltration instead of throwing a sheet over it and hoping nobody looks too hard. They're committed to keeping their covert access to your cameras and won't be backing down.

The thing is, you really need the Cloud for notifications, Apple and Android play store require it to be reliable. Only their systems aren't killed and even if the app is in the background it works. That's especially the case for iOS. That's why something sends you a notification like Telegram, but if you haven't opened the app, it still loads the message after opening the app.


5 hours ago, Tecardo said:

you really need the Cloud for notifications

No, not really, it can be done without it and without port forwarding.


7 hours ago, Tecardo said:

The thing is, you really need the Cloud for notifications, Apple and Android play store require it to be reliable. Only their systems aren't killed and even if the app is in the background it works. That's especially the case for iOS. That's why something sends you a notification like Telegram, but if you haven't opened the app, it still loads the message after opening the app.

https://stackoverflow.com/questions/39674850/send-a-notification-when-the-app-is-closed

 

You only really need a server to act as a third party to essentially sit there waiting to tell that a notification exists, at which point you can just use punch through to have the phone and local camera setup communicate the notification information.  Or you could send the data to the cloud fully encrypted and then have the notification service decrypt it.

 

There is no point in having pictures sitting unencrypted on a server.

3735928559 - Beware of the dead beef


This is also a reminder to anyone who might also be trying to defend Eufy.

 

Remember Eufy was also the company that accidentally had a software update that let other users see other cameras.  There are just too many issues with Eufy, in my mind there is no reason for them to ever be redeemed as a company as they have shown time and time again that they do not have any clue when it comes to safety or security.

3735928559 - Beware of the dead beef


5 hours ago, jagdtigger said:

No, not really, it can be done without it and without port forwarding.

Care to explain how you would make that work without an external server or port forwarding?
