More Eufy Flaws Found (including remote unencrypted feed viewing)

[LAwLz]

11 hours ago, wanderingfool2 said:

If you have IP address 1.1.1.1 and send an UDP packet to 2.2.2.2 the firewall will only accept UDP packets back from 2.2.2.2.  If IP 3.3.3.3 decides to start sending packets on the same port your firewall will reject it.  If your firewall doesn't do that then you need a new firewall.

The problem is with the establishing phase, not once the connection is established.

But even once the connection is established UDP hole punching leaves you vulnerable because anyone sniffing the traffic could see the source and destination IP, and UDP has no way of preventing spoof attacks (unlike TCP).

 

 

Anyway, I'll do what Paul did and leave the conversation for now until we get more information.

[wanderingfool2]

8 hours ago, LAwLz said:

The problem is with the establishing phase, not once the connection is established.

But even once the connection is established UDP hole punching leaves you vulnerable because anyone sniffing the traffic could see the source and destination IP, and UDP has no way of preventing spoof attacks (unlike TCP).

You blame Linus for talking about stuff and being clueless yet you are the one who literally has made up stuff in regards to this topic with the whole "holepunching opens up the port to all sources".  Do you still try claiming that is true?  Despite the fact that holepunching only open up the port to the IP address that it was hole punched for.  It really invalidates all your "knowledge" that you are trying to apply to insinuate that Linus is clueless.

 

If you claim the establishing phase is a problem, then say how it's a problem.  Both clients already are in an active connection with Eufy's system.  It's literally the Eufy servers transmitting the client's IP address and port to communicate.

 

The whole "UDP has no way of preventing spoof attacks" is stupid.  While it's not inherently built in like TCP you can easily implement methods to prevent spoof attacks.  At which stage it's pretty trivial to implement.  Specifically since all data is supposed to be E2EE you can easily use the key which both should have to encrypt all the data in the UDP.  At which point anyone trying to spoof would have a terrible time trying to properly spoof it.

 

You were the one talking about port scanning, which with UDP hole punching isn't realistic.  The best you could muster is a MITM attack, but even that that's easily defeated.  Even assuming you were sniffing the packets, which means the victims network is already compromised, you would still need to find an active exploit on the client involving the processing of UDP packets data...as again if all data encrypted receiving a packet you can't decrypt you just toss it.

 

So again, the attack scenario for UDP hole punching is not what you made it out to be and it's reclass to try branding UDP hole punching as opening up your port to all sources.  The port is not open to all sources, it's strictly open to an IP address.  At which point, yes spoofing/sniffing is a "risk" but only if they can find an active exploit.  Here's the kicker as well Eufy in some products already utilizes UDP hole punching.

 

[LAwLz]

11 minutes ago, wanderingfool2 said:

-snip-

Not sure why you are trying to hard to defend Linus.

 

Here is what he said when directly addressing port forwarding being a security risk:

Quote

You are exposing an open port on your network to the open web, through which a malicious actor could potentially do something, but uhm, I think it's unlikely they would be able to, you know, it's in the movies where they can use that open port to "hack into the mainframe and get root access to the system".

 

You can do all the mental gymnastics you want but this is what was said and it is completely and utterly wrong.

 

 

It is very hard to have a debate with you because you twist every single word around. Whenever someone says something wrong you jump in and go "well they actually meant X and therefore they are right, even though they showed no indication of referring to that and they used different words that do not mean that".

Linus 100% for sure meant to talk about port forwarding. That is what he addressed and that is why specifically said that an open port is not an issue (which is dumb). Nobody in the conversation Linus was having even hinted at UDP hole punching. In fact, the ONLY thing that was being discussed was port forwarding.

 

 

The reason why UDP hole punching was brought up was because someone claimed they could setup a P2P connection without port forwarding or using "the cloud", and as it turns out that is only true if you use a very strange and non-standard definition of "the cloud", which I also object to. But you jump into that discussion and defended that as well.

 

And the rest of the conversation feels like it has mostly been you redefining words or jumping to conclusions and going "well they probably do that", while making the absolute worst possible interpretation of events.

 

 

And now I am out, for real this time.

[wanderingfool2]

32 minutes ago, LAwLz said:

The reason why UDP hole punching was brought up was because someone claimed they could setup a P2P connection without port forwarding or using "the cloud", and as it turns out that is only true if you use a very strange and non-standard definition of "the cloud", which I also object to. But you jump into that discussion and defended that as well.

Because you act all high and mighty pretending as though Jad was wrong; when it was clear from before he answered that he doesn't include a 3rd party server hole punching to be part of the "cloud" in this discussion.  Again, under your asinine version of what you call the cloud there is no way anything can operate without the cloud; as the cloud effectively is the internet.

 

I literally said hole punching was the answer to your question before he answer...and guess what, he said the same thing.

 

36 minutes ago, LAwLz said:

Not sure why you are trying to hard to defend Linus.

Because you are calling him out and then making statements that are literally false about hole punching.  You also tried calling me out on hole punching.

 

To be clear, you are chastising Linus for essentially being dumb for a single comment...when you have made equally stupid arguments in regards to hole punching here, which shows you complete lack of understanding

 

You claim people are going overboard in terms of their reaction to this, yet you clearly don't know the situation.

[TJBoots]

Can anyone recommend a brand of video cameras and doorbells that I should consider for replacing all of my Eufy hardware?

@LinusTech do you guys have any recommendations?