Was going with Eufy - now?

Hey Friends.

My parents want cameras - as they have a Synology NAS, I set up two on that. Simple, no ongoing cost and very easy.

But they want more cameras, and wireless, because it’s easy to put them up, move them and sort them out as required.

I initially said Eufy - a friend has them and loves them - no subscription - and the advertised at-home storage / no cloud involvement.
BUT - now what do I do?

We live in Australia - they are in Brisbane - so our options are limited. I’m visiting them for 4 days over Christmas (not a lot of time).

I am currently leaning towards Eufy and setting up a separate WiFi network just for that. BUT I still really don’t want to support Eufy.

However I need a good solution - no ongoing cost - that can be set up quickly and is actually available in Brisbane now.

Thoughts?

 

EDIT - addition and closeout below (Jan 2023).

Purchased the Eufy system for the parentals - it really does achieve their desire of video coverage where they want it and is easy to use. Thanks everyone for chiming in - whilst I cannot say the company has done a great job with this, it's still (IMO) the best value for money.

57 minutes ago, LoveToMix said:

Hey Friends.

My parents want cameras - as they have a Synology NAS, I set up two on that. Simple, no ongoing cost and very easy.

But they want more cameras, and wireless, because it’s easy to put them up, move them and sort them out as required.

I initially said Eufy - a friend has them and loves them - no subscription - and the advertised at-home storage / no cloud involvement.
BUT - now what do I do?

We live in Australia - they are in Brisbane - so our options are limited. I’m visiting them for 4 days over Christmas (not a lot of time).

I am currently leaning towards Eufy and setting up a separate WiFi network just for that. BUT I still really don’t want to support Eufy.

However I need a good solution - no ongoing cost - that can be set up quickly and is actually available in Brisbane now.

Thoughts?

Eufy is in the news lately for not being truthful about how they processed data.  I don’t know the details, but apparently they have changed their stance about claimed behavior of some previous products.  

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

7 hours ago, Bombastinator said:

Eufy is in the news lately for not being truthful about how they processed data.  I don’t know the details, but apparently they have changed their stance about claimed behavior of some previous products.  

Yes - they have huge security issues: they expose users online with very little security and have been sending images to their servers. I would like to find another product but have not been able to.

2 hours ago, LoveToMix said:

Yes - they have huge security issues: they expose users online with very little security and have been sending images to their servers. I would like to find another product but have not been able to.

When I was hearing it talked about the impression I got was that feature was the one that they attempted to differentiate themselves with, implying that there weren’t any similar products that even pretended to do that.  It seems a bit bizarre that they would cheat on that one which leads me to suspect that actually doing it was much harder than expected.

4 hours ago, LoveToMix said:

Yes - they have huge security issues: they expose users online with very little security and have been sending images to their servers. I would like to find another product but have not been able to.

It’s been massively blown out of proportion. The “uploads” to the cloud were thumbnails for previews, and the security issue was being able to watch a stream from the camera through VLC, but you needed to have the actual address, which you could only find from the user's account. Overall not a big deal, but y’know how people like to overreact. People seem to care less about Google scrubbing all of your emails for advertising.

28 minutes ago, Imbadatnames said:

It’s been massively blown out of proportion. The “uploads” to the cloud were thumbnails for previews, and the security issue was being able to watch a stream from the camera through VLC, but you needed to have the actual address, which you could only find from the user's account. Overall not a big deal, but y’know how people like to overreact. People seem to care less about Google scrubbing all of your emails for advertising.

Lots of nuances here: while the thumbnails ARE for notifications, by default the notifications are set to text only and the user has to actually go and change that setting (opt-in). Thing is, the thumbnails are uploaded even if you don't opt in. Also, those thumbnails aren't deleted from Eufy's servers, even after the user has closed the account; for the EU market that's a big problem because it's in violation of the GDPR.

For the stream in VLC, you need to know the camera serial number, but otherwise, you don't need anything from the account the camera is registered to (though, to get to the stream the camera has to be "activated", as in, it has to be recording after detecting motion).

It's not blown out of proportion when they actively market their cameras as 100% no-cloud.

EDIT: somehow forgot to mention: most of this HAS been corrected, the URLs to the cameras are now encrypted and randomized and not the serial number anymore, and the thumbnails are deleted after a while.

If you need help with your forum account, please use the Forum Support form !

26 minutes ago, WkdPaul said:

Lots of nuances here: while the thumbnails ARE for notifications, by default the notifications are set to text only and the user has to actually go and change that setting (opt-in). Thing is, the thumbnails are uploaded even if you don't opt in. Also, those thumbnails aren't deleted from Eufy's servers, even after the user has closed the account; for the EU market that's a big problem because it's in violation of the GDPR.

They actually are deleted, but after the time they’re legally allowed to have them for.

26 minutes ago, WkdPaul said:

For the stream in VLC, you need to know the camera serial number, but otherwise, you don't need anything from the account the camera is registered to (though, to get to the stream the camera has to be "activated", as in, it has to be recording after detecting motion).

Which is the point, because it’s pretty much impossible to actually use this. It was stated as if people can remotely hack into it with no effort.

26 minutes ago, WkdPaul said:

It's not blown out of proportion when they actively market their cameras as 100% no-cloud.

How did they market it as no cloud when the cameras have advertised cloud functionality?

26 minutes ago, WkdPaul said:

EDIT: somehow forgot to mention: most of this HAS been corrected, the URLs to the cameras are now encrypted and randomized and not the serial number anymore, and the thumbnails are deleted after a while.

But the point is, as far as vulnerabilities go, they’re not exactly usable. One requires physical access, and as we all know physical access is access, and the other is just thumbnails being uploaded for functionality in the app.

Just now, Imbadatnames said:

They actually are deleted, but after the time they’re legally allowed to have them for.

Nope, as per GDPR, if the account is deleted the uploads have to be deleted. That's not a problem elsewhere, but the original researcher was under GDPR and proved the media on Eufy were kept longer than allowed.

Just now, Imbadatnames said:

Which is the point, because it’s pretty much impossible to actually use this. It was stated as if people can remotely hack into it with no effort.

Getting the serial of a specific camera is almost impossible, yes, but getting the serial number of a camera in general isn't impossible.


Just now, Imbadatnames said:

How did they market it as no cloud when the cameras have advertised cloud functionality?

Exactly, their marketing is the main issue here.

 

Just now, Imbadatnames said:

But the point is, as far as vulnerabilities go, they’re not exactly usable. One requires physical access, and as we all know physical access is access, and the other is just thumbnails being uploaded for functionality in the app.

None required physical access, not sure why you're saying that. The thumbnail isn't much of an issue IMO; the problem is that it was uploaded even if you had SMS-only notifications, and they were not following GDPR ... having a reason for the thumbnails doesn't mean they can ignore laws and regulations.

Again, this has been fixed since, but it was 100% an issue at the time.

56 minutes ago, WkdPaul said:

Also, those thumbnails aren't deleted from Eufy's servers, even after the user has closed the account, for the EU market that's a big problem because it's in violation of the GDPR.

Source?
From what I heard, the images are deleted after a maximum of 48 hours, regardless of whether or not you delete your account.

The news that "the images aren't deleted even if you delete your account!" is, as far as I know, misleading at best. Yes, the images aren't deleted instantly when you delete your account, but they are deleted shortly after. You deleting your account doesn't have any impact on the images being deleted though, they were always scheduled to be deleted.

I am also not sure if this actually breaks the GDPR since typically, companies have some time to comply. It would be kind of insane to demand everything to be wiped the second you close an account, because with things like caching that would be near impossible.

 

As far as I know, this was not a recent change either. It was always this way as far as I have heard.

 

56 minutes ago, WkdPaul said:

For the stream in VLC, you need to know the camera serial number, but otherwise, you don't need anything from the account where the camera is registered to (though, to get to the stream the camera has to be "activated", as-in, it has to be recording after detecting motion).

Correct me if I am wrong, but I am fairly certain you need the serial number as well as some additional information.

The URL seems to consist of the serial number encoded in Base64 and their serial numbers aren't just incremental numbers, they are random.

So first you'd have to obtain the 16 character long serial number. This might be trivial if you have physical access and the number is written on the device, but chances are an attacker won't be able to find it.

Then there is some authentication token that's part of the URL, but I have seen some conflicting reports whether or not that actually does anything.

Then there is a random ID written as 4 hex characters. Not that secure, but it's still 65,536 different combinations just for the last part.

In practice, the likelihood of someone remotely being able to obtain your RTMP feed is next to zero. At worst they would have to guess the 16 digit long serial number and then guess the 4 hex character ID. If someone were to make a random guess, it would be 1/655,349,999,999,999,934,465 (one in 655 quintillion) that they would guess right, and that seems to only be true if they knew which datacenter your camera was connected to.

And it also only seems to work on specific Eufy devices (not HomeBase 3), and only if the camera is currently recording at the time.

Again, this does not seem to be a recent change either. It was always like this.

Don't get me wrong, Eufy clearly fucked up in terms of their security implementation in some big ways, but everything I have seen (outside of headlines in media that make money from getting clicks) seems to indicate that this isn't actually a big deal. It's bad practice but the actual threat to users was always small.

Also, the person who first broke the story is kind of crazy in my opinion (accusing people trying to bring in some nuance of being paid shills, for example) but even if you think he seems reasonable and trustworthy, he recently said that pretty much all doorbells are bad. Or rather, he recommended you get an Internet connected doorbell because "at least they are honest", and they may use better implemented crypto.

Again, from what I can tell, the issue with these types of stories is that you often have to know quite a lot of details and specifics regarding implementations to actually reach some decent conclusion, but news media aren't really interested in providing that. The writers aren't experienced enough to understand the issues, and the readers aren't experienced enough either, so we just end up with a bunch of outrage articles to generate clicks and buzz.

11 minutes ago, LAwLz said:

*snip*

I'm going off memory, I would have to go back through all the articles I read about it, but didn't the researcher go back later to find his thumbnail still present on Eufy's server? I can't remember the timeline, but many researchers and experts mentioned the way Eufy dealt with the thumbnails was against GDPR guidelines.

As for the access to the stream, like I said, getting a specific serial (like for spying on a "target") would be impossible, but getting a serial number isn't; if I remember right, the serial is written on the retail box, and getting a used camera means someone might know the serial. As for the token, it can be brute forced, I don't have the source, but after Eufy came out saying it wasn't possible, someone tried and proved them wrong (again, this has been weeks and I would have to go through a ton of articles to find the source, and I might be wrong on some details since I'm going off memory).

With that said, Eufy at least fixed all that including the API calls in clear text with the AES key also in clear text ...

2 minutes ago, WkdPaul said:

I'm going off memory, I would have to go back through all the articles I read about it, but didn't the researcher go back later to find his thumbnail still present on Eufy's server? I can't remember the timeline, but many researchers and experts mentioned the way Eufy dealt with the thumbnails was against GDPR guidelines.

I am looking through articles right now but from what I can tell, no expert or researcher actually said it went against GDPR because they didn't delete images.

It seems to be a lot of commenters and non-experts saying that though, but chances are they are just parroting what they heard someone else say.

If some expert has commented on potential violation of the GDPR then my guess is that they were talking about IF Eufy kept the images for longer they might violate the GDPR (but this assumes that they did keep the images, which I can find no evidence to support) or that it might have been against GDPR to upload it to begin with without proper consent.

By the way, I can't find a source for this either:

1 hour ago, WkdPaul said:

by default the notifications are set to text only and the user has to actually go and change that setting (opt-in), thing is, the thumbnails are uploaded even if you don't opt-in.

In fact, the only mentions I can find specifically state that the images are uploaded if you select "thumbnail", which implies that they aren't uploaded if you select text only.

11 minutes ago, WkdPaul said:

As for the access to the stream, like I said, getting a specific serial (like for spying on a "target") would be impossible, but getting a serial number isn't; if I remember right, the serial is written on the retail box, and getting a used camera means someone might know the serial. As for the token, it can be brute forced, I don't have the source, but after Eufy came out saying it wasn't possible, someone tried and proved them wrong (again, this has been weeks and I would have to go through a ton of articles to find the source, and I might be wrong on some details since I'm going off memory).

Did Eufy actually say it wasn't possible? Again, I have seen a lot of people misunderstand this situation and since we are talking about "they lied" claims I want to actually be sure what they said. I don't trust what others say on this because so many people have gotten very important details completely wrong. I hope you don't feel insulted by me asking for sources and questioning what you are saying. I just think it is very important to get things 100% correct when discussing this because there is so much misinformation floating around.

Yes like I said there are "only" 65,536 combinations. You could brute force that fairly easily. But that assumes you got the serial to begin with, and it assumes you know the datacenter they are connected to, and it assumes the camera is recording while you do your attempts, and that you have an older version of the HomeBase. There are quite a few stars that have to align even if you know the serial number. Again, it's not good, but I think it has been blown out of proportion.

You're absolutely right that a second hand device is more at risk though since then someone could potentially have the serial to begin with (which is the largest part of the URL). But I also think the amount of people who are knowledgeable enough to carry out this attack is fairly small. The likelihood that the person who sold you the second hand camera (or handled it in some warehouse) also knows how to execute this type of attack is pretty small. Not insignificant, and it is no excuse for Eufy to have this poor implementation, but not anywhere near as big as I think a lot of people think.

25 minutes ago, WkdPaul said:

With that said, Eufy at least fixed all that including the API calls in clear text with the AES key also in clear text ...

And I think that's a good response that I think they deserve credit for (assuming they fixed things, I haven't really followed that story).

They messed up and then allegedly fixed their mistakes. Considering how poor pretty much all other video doorbells seem to be, it seems to me like they are still among the best. If we are going to boycott companies as soon as they have a security incident then we'd end up living like hermits within a year.

1 hour ago, WkdPaul said:

Nope, as per GDPR, if the account is deleted the uploads have to be deleted. That's not a problem elsewhere, but the original researcher was under GDPR and proved the media on Eufy were kept longer than allowed.

In the EU you can store data for up to 2 years.

1 hour ago, WkdPaul said:

Getting the serial of a specific camera is almost impossible, yes, but getting the serial number of a camera in general isn't impossible.

Again, physical access is access.

1 hour ago, WkdPaul said:

Exactly, their marketing is the main issue here.

None required physical access, not sure why you're saying that. The thumbnail isn't much of an issue IMO; the problem is that it was uploaded even if you had SMS-only notifications, and they were not following GDPR ... having a reason for the thumbnails doesn't mean they can ignore laws and regulations.

You can’t get the serial number of a camera without either the account log on or physical access to the camera.

1 hour ago, WkdPaul said:

Again, this has been fixed since, but it was 100% an issue at the time.

It really wasn’t, it was massively overblown.

2 hours ago, Imbadatnames said:

Which is the point, because it’s pretty much impossible to actually use this. It was stated as if people can remotely hack into it with no effort.

I wouldn't say impossible if it's based on the serial number.

1 hour ago, LAwLz said:

Yes like I said there are "only" 65,536 combinations. You could brute force that fairly easily. But that assumes you got the serial to begin with, and it assumes you know the datacenter they are connected to, and it assumes the camera is recording while you do your attempts, and that you have an older version of the HomeBase. There are quite a few stars that have to align even if you know the serial number. Again, it's not good, but I think it has been blown out of proportion.

Go to a few shops selling Eufy cameras, make note of all the serial numbers and now you have a giant swath of security camera SNs that you could have spied on. It would be more of a local problem, but it's still a problem.

Not really hard to brute force which connection it is either:
rtmp://p2p-vir-#.eufylife.com, replace the # with 0-9. It also seems like it might be based on location as well, so cameras in specific areas will utilize the same servers (could be wrong on this, just speculating from what I have gleaned from seeing posts about the servers).

That pretty much solves a bunch of issues. Or if you sell the camera, and wish to snoop on the people you sold it to. The less likely scenario: your tech-savvy neighbour sees you have the cameras installed and looks at the box.

Even if it was older HomeBase (which, btw, do you have a source? I can't be bothered searching around to see if that is true or not), it begs the question what other security issues they have left open (for what I assume to be the sake of convenience or sheer incompetence).

If they only ever had one issue on occasion it might be acceptable, but to have massive oversights multiple times (and their responses to it) makes it bad. Had they just fessed up to it, it wouldn't have blown up as it did.

 

2 hours ago, LAwLz said:

Then there is some authentication token that's part of the URL, but I have seen some conflicting reports whether or not that actually does anything.

Yea, some of the reports have mentioned that the token doesn't actually get verified...although given the bad press they might have changed that now.

 

2 hours ago, LAwLz said:

Don't get me wrong, Eufy clearly fucked up in terms of their security implementation in some big ways, but everything i have seen (outside of headlines in media that make money from getting clicks) seems to indicate that this isn't actually a big deal

For myself it's a big deal when a security camera company that makes promises is proven to have broken those promises and worse yet doesn't even bother following basic security principles.

 

2 hours ago, WkdPaul said:

Lots of nuances here: while the thumbnails ARE for notifications, by default the notifications are set to text only and the user has to actually go and change that setting (opt-in). Thing is, the thumbnails are uploaded even if you don't opt in. Also, those thumbnails aren't deleted from Eufy's servers, even after the user has closed the account; for the EU market that's a big problem because it's in violation of the GDPR.

iirc, it still was deleted within the correct amount of time to be GDPR compliant.  The big issue with the GDPR being not opting into it.

 

16 hours ago, LoveToMix said:

We live in Australia - they are in Brisbane - so our options are limited. I’m visiting them for 4 days over Christmas (not a lot of time).

I am currently leaning towards Eufy and setting up a separate WiFi network just for that. BUT I still really don’t want to support Eufy.

However I need a good solution - no ongoing cost - that can be set up quickly and is actually available in Brisbane now.

Thoughts?

A system where your data remains more local (or rather one I would trust more), I would say UniFi.  It's overpriced, but at least at the current time they haven't really been caught in any scandals.  I would actively trust UniFi more than Eufy.

 

With that said it all really depends on what system you are setting up.  If it's internal cameras, then I would never trust Eufy, they simply have had too many security lapses.  If it's external cameras protecting regular residential property, the chances of someone local targeting the cameras are quite small (not zero, but effectively small enough no one would bother thinking much).  If it's protecting more expensive equipment though, I would not trust it at all [If you have access to the camera you can effectively wipe the footage by holding the reset button and then stealing the camera.  It doesn't wipe it initially from the NVR, but you can't access it either if that happens].

 

Everything is always a trade-off; UniFi is in my opinion priced at a level that doesn't always justify installing them. Then again, you could always go with one of those systems they sell at Costco, where it just stores stuff locally.

Here is the list of security concerns with Eufy though:

- They allowed the remote streaming unencrypted (If advertising E2EE, actually encrypt the stream, or make it so the user has to enable unencrypted streams)

- Despite saying private data is private and stays local, still stored it non-locally with pitiful protections

- In 2020 had a server update which let others see each other's cameras (To me this is why I can never trust their system, the system should be encrypting the data based on my local password. That would prevent any of this from even being possible)

- Holding the reset button, and then proceeding to smash/steal the camera eliminates the access to the previously recorded video (their response essentially being it's a feature not a bug)

- Getting at least one of the AES keys used (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21955)

In general there are just too many issues for my liking to consider Eufy a safe system that won't be spied on in the future or have some other massive exploit found. But as to the advice I would give you, if you are using it in an area like outdoors to protect your property, do you necessarily care if someone does manage to access your cameras? The system is still storing data locally, and is cheaper than some of the alternatives.

3735928559 - Beware of the dead beef

38 minutes ago, wanderingfool2 said:

-snip-

Serial numbers aren’t on the box they’re on the actual device 

55 minutes ago, Imbadatnames said:

Serial numbers aren’t on the box they’re on the actual device 

There were some people reporting that you can find the serial number on some of the boxes, iirc

*edit* I decided to do a quick Google search for Eufy camera boxes

As an example,

https://www.ebay.ca/itm/165208353517

I could be wrong, but the image from the bottom of the box really seems like a serial number. It also seems the serial number is based on model numbers as well. So with others online mentioning you can find it on the box, and the bottom number matching the length of a serial number, I'd lean towards it being the serial number.

4 hours ago, wanderingfool2 said:

There were some people reporting that you can find the serial number on some of the boxes, iirc

*edit* I decided to do a quick Google search for Eufy camera boxes

As an example,

https://www.ebay.ca/itm/165208353517

I could be wrong, but the image from the bottom of the box really seems like a serial number. It also seems the serial number is based on model numbers as well. So with others online mentioning you can find it on the box, and the bottom number matching the length of a serial number, I'd lean towards it being the serial number.

Doesn’t really look like one to me, they’re generally labelled and the bottom one is made up of two separate codes.

8 minutes ago, Imbadatnames said:

Doesn’t really look like one to me, they’re generally labelled and the bottom one is made up of two separate codes.

It's the 16 character long barcode (not the two barcodes together).

 

It's actually quite common for companies to do that, I suspect it's due to being able to do things such as recall an item (instead of getting all items back from a retailer or in their inventory, being able to quickly check which ones are recalled). Other reasons could be to prevent fraud, where someone buys a new camera and returns the old as being "broken". Either way, it really appears as though it is an SN and it matches with what others have said online about how to find the serial number; so my assumption is that it's the serial number.

5 hours ago, wanderingfool2 said:

There were some people reporting that you can find the serial number on some of the boxes, iirc

*edit* I decided to do a quick Google search for Eufy camera boxes

As an example,

https://www.ebay.ca/itm/165208353517

I could be wrong, but the image from the bottom of the box really seems like a serial number. It also seems the serial number is based on model numbers as well. So with others online mentioning you can find it on the box, and the bottom number matching the length of a serial number, I'd lean towards it being the serial number.

You don't need the box or extended access to the flood lights to get the serial number...

https://ankertechnologycompanyltd.my.site.com/s/article/How-to-find-the-serial-number-SN-of-your-eufy-products#:~:text=The SN is located in,or on the battery cover.

Most of them are surprisingly easy to see with just a smart phone with a camera on it.

Edit: Just realized the image that actually showed what I wanted shown is broken.

Seems that is the serial number printed right on the outside and bottom of that box.

Good thing it can't be used to reset passwords or anything like that.

/s

I'm not actually trying to be as grumpy as it seems.

I will find your mentions of Ikea or Gnome and I will /s post. 

13 minutes ago, IkeaGnome said:

Most of them are surprisingly easy to see with just a smart phone with a camera on it.

Edit: Just realized the image that actually showed what I wanted shown is broken.

The general point is that one could go to a store and quickly grab a ton of serial numbers from Eufy boxes (and periodically check if they are active).  There you have it, a nice creepy spying device...especially creepy if you target the ones that are intended for inside the house.  Otherwise, the other scenario is that someone would have to recognize you have a Eufy camera, take down the camera, grab the serial number and put it back.  Which isn't really practical or less likely, unless you really wanted to spy on someone and you knew they had Eufy cameras.

Anyways, I digress, to @LoveToMix, honestly it all depends on how comfortable you are with knowing that a company has the ability to access your cameras if they chose to for the trade off that you can also access those cameras.  If you are okay with that, then by all means get the camera.  It's cheaper than some of the alternatives.  If you are planning to place it where there might be sensitive things shown, then I would not trust it.

14 hours ago, wanderingfool2 said:

Go to a few shops selling Eufy cameras, make note of all the serial numbers and now you have a giant swath of security camera SN's that you could have spied on.  It would be more of a local problem, but it's still a problem.

Not hard really to brute force which connection it is either
rtmp://p2p-vir-#.eufylife.com replace the # with 0-9.  It also seems like it might be based on location as well, so cameras in specific areas will utilize the same servers (could be wrong on this, just speculating from what I have gleaned from seeing posts about the servers)

That pretty much solves a bunch of issues.  Or if you sell the camera, and wish to snoop on the people you sold it to.  The less likely scenario, your tech savvy neighbour sees you have the cameras installed and looks at the box.

There are still quite a few roadblocks that need to be passed though.

Again, Eufy screwed up but I think people are overestimating how difficult carrying this out would be. And according to some people (which I don't fully trust considering the massive amount of misinformation regarding this news), it seems like some of these things might be fixed already, which seems like a good and proper response to me.

14 hours ago, wanderingfool2 said:

Even if it was the older homebase, which btw do you have a source? I can't be bothered searching around to see if that is true or not. It begs the question what other security issues they have left open (for what I assume to be the sake of convenience or sheer incompetence).

The source is the person who found the issue.

"It seems like Eufy changed something on the HB3 but the HB2 still provides stable RTMP urls". In other words, it works on the HomeBase 2, but he couldn't get it working on the HomeBase 3.

14 hours ago, wanderingfool2 said:

If they only ever had one issue on occasion it might be acceptable, but to have massive oversights multiple times (and their responses to it) makes it bad.  Had they just fessed up to it, it wouldn't have blown up as it did.

Maybe they did some response I missed, but to me it seemed like an appropriate response.

They apologized and (supposedly) fixed the issues. Not sure what else you want. Also, I am sure it would have blown up regardless of how they responded. It's too juicy of a story to not create a bunch of articles and videos about.

14 hours ago, wanderingfool2 said:

I would say UniFi.  It's overpriced, but at least at the current time they haven't really been caught in any scandals.

You got to be kidding. UniFi have had several big fuckups in terms of security in the last couple of years. 

It was barely a year ago they were caught trying to cover up a big data breach where someone got a hold of root logins to Ubiquiti's servers and they tried to weasel themselves out by first not telling anyone about it, but when a whistleblower made the story public Ubiquiti said that they had no evidence of customers being compromised. That sounds good, but the reason why they didn't have any evidence of it was that they had no system in place to actually monitor if customers had been compromised. The breach could potentially have caused the people with those login credentials to for example view your security cameras remotely.

The Ubiquiti fuckup is, in my opinion, at least 10 times worse than the Eufy fuckups.

8 hours ago, Imbadatnames said:

Doesn’t really look like one to me, they’re generally labelled and the bottom one is made up of two separate codes 

It looks like a serial number to me.

Although, it is important to stress that the serial number alone is not enough to view the feed, even before the supposed updates that have been made (that I have not found info about but some people in this thread claim).

9 hours ago, LAwLz said:

You got to be kidding. UniFi have had several big fuckups in terms of security in the last couple of years. 

It was barely a year ago they were caught trying to cover up a big data breach where someone got a hold of root logins to Ubiquiti's servers and they tried to weasel themselves out by first not telling anyone about it, but when a whistleblower made the story public Ubiquiti said that they had no evidence of customers being compromised. That sounds good, but the reason why they didn't have any evidence of it was that they had no system in place to actually monitor if customers had been compromised. The breach could potentially have caused the people with those login credentials to for example view your security cameras remotely.

The Ubiquiti fuckup is, in my opinion, at least 10 times worse than the Eufy fuckups.

Fun fact, the "whistle blower", Sharp, in that case was the hacker who also was an employee for UniFi who worked as a cloud lead software engineer for the cloud storage.

1) He didn't get the access from a LastPass that was left unsecured, he had the password because it was required for him to do his job.

2) The only reason there weren't really logs on the AWS access as well was because he set the system to delete the logs when he performed the hack.

3) Sharp was also one of the employees tasked with trying to figure out what occurred in the incident (and doing fixes and such, which he used to hide what he did as well)

4) The "Whistle blower" article occurred shortly after the FBI executed a search on his house...so yea he went full scorched earth.

He got caught because he had a power outage which switched his IP from a VPN back to his home address IP address.  So they knew it must have been him

The tl;dr.  If you get a high level employee that decides to go rogue, it's going to be hard to stop a security incident especially when the employee is trusted to be on the team investigating the incident.

https://www.justice.gov/usao-sdny/press-release/file/1452706/download

So no, that incident isn't 10x worse, as it's clear that Eufy can still access people's cameras if they wanted to (as their server update allowed others to and you can't fundamentally change that without changing the hardware), and realistically the same thing with a rogue employee could happen to anyone...which is the whole concept of supporting local storage, which Eufy clearly violated.

Also, you are assuming it would have granted them access.  UniFi allows you to do self-hosting if you wanted to (at which point, no, they wouldn't).  Actually, from what I've read on UniFi, its current assumption is that the NVRs do the encryption...so it's quite possible that they are encrypting it using the current password (at which point that's a shared secret that UniFi doesn't have).  Like I said as well, it also has the option to self-host if you wanted.  If you have examples of UniFi's systems actually being at risk, by all means cite your source.

9 hours ago, LAwLz said:

"It seems like Eufy changed something on the HB3 but the HB2 still provides stable RTMP urls". In other words, it works on the HomeBase 2, but he couldn't get it working on the HomeBase 3.

If he just said provides RTMP urls I would agree, but the use of the word stable implies that he still got RTMP urls...just ones that weren't stable.  It does reduce the risk, but it wouldn't necessarily mean it's eliminated.

9 hours ago, LAwLz said:

There are still quite a few roadblocks that need to be passed though.

Not really, the roadblocks.  Guess a 4 byte number (easily brute forced), a 0 - 9 number [that might be based on location], and get the serial numbers (again it would have been possible to go to a store and grab a pile of serial numbers).  That's not really much of a roadblock.  Remember this is a company that advertised as using E2EE.  It's a fundamentally flawed concept to have it enabled by default where video is allowed to be streamed without encryption when you advertise it being E2EE.

It literally would not be difficult to carry out if you wanted to spy on the cameras.

Thanks everyone for chiming in (Australian slang maybe? - for giving thoughts and ideas).

Really good feedback - confirmed my thoughts that Eufy is not the worst idea if you don't mind a small possibility of the stream being seen.  So very use dependent 🙂

I'll look at the UniFi systems as well.

Merry Christmas everyone - 🙂  Remember those around you and check in, this time of year can be hard on some.  Some groups of people also find this time harder so if you have friends who may not find it easy - just a quick message to let them know you care :)

39 minutes ago, LoveToMix said:

Thanks everyone for chiming in (Australian slang maybe? - for giving thoughts and ideas).

It's a North American saying as well 🙂  Or at least in the part of Canada I live we use it

39 minutes ago, LoveToMix said:

So very use dependent 🙂

I'll look at the UniFi systems as well.

Yea, it will all depend on the use case and how comfortable you are with the chance of a breach.  I mean if it's just pointing outside, it's not too big of an issue if someone happens to see the camera setup.

If you don't mind stringing cables, I heard LOREX technology can work quite well.  I think they have an offline option as well, although I haven't really looked into them ever before but I do know a few people who used it and were really happy with the results for the price.  [Not sure on longevity and such...but I know you can get them pretty cheap if bought in a bundle].  Again not sure how they are as a company or the security of them when they are connected to the internet because I've never had to deal with them

5 hours ago, wanderingfool2 said:

Fun fact, the "whistle blower", Sharp, in that case was the hacker who also was an employee for UniFi who worked as a cloud lead software engineer for the cloud storage.

Thanks for the info. I didn't see the follow-up articles and that changes things quite a bit.

5 hours ago, wanderingfool2 said:

Also, you are assuming it would have granted them access.  UniFi allows you to do self-hosting if you wanted to (at which point, no, they wouldn't).  Actually, from what I've read on UniFi, its current assumption is that the NVRs do the encryption...so it's quite possible that they are encrypting it using the current password (at which point that's a shared secret that UniFi doesn't have).  Like I said as well, it also has the option to self-host if you wanted.  If you have examples of UniFi's systems actually being at risk, by all means cite your source.

It's worth noting that this was not the case up until February this year. Ubiquiti used to require an Internet connection for things like their network video recorder. But since they fixed that, you are right. You can do completely offline hosting of your UniFi cameras today. That seems like a good solution if you absolutely don't want anything uploaded to the cloud, although I think that's not really a good principle to have since it can be very beneficial.

I am not aware of any current risks with UniFi systems. They have certainly had their fair share of them in the past, but so have all vendors. For example they were affected by log4j which allowed anyone to gain root access to UniFi systems, but that was fixed fairly quickly. And I don't think we should boycott companies just because of some security vulnerabilities.

Although, Paul Moore who broke the Eufy story said in november that he would look into UniFi next. I can't find any comment from him on UniFi specifically afterwards, but ~2 weeks later he posted "it's safer to use a doorbell which tells you it's stored in the cloud - as that ones honest enough to tell you generally use solid crypto". I assume that he includes UniFi in that statement as well. 

If you trust Paul Moore and are very concerned about potential video streams from your cameras ending up online, I would probably stay away from UniFi as well. At least until Paul says they seem fine.

But that is assuming 1) that Paul's word is infallible 2) that some data ending up online is bad.

5 hours ago, wanderingfool2 said:

If he just said provides RTMP urls I would agree, but the use of the word stable implies that he still got RTMP urls...just ones that weren't stable.  It does reduce the risk, but it wouldn't necessarily mean it's eliminated.

Maybe. It's a bit vague.

Anyway, Wasabi confirmed that they validate the tokens now, and they have increased the ID to 12 characters (I assume he meant 12 characters rather than 12 bits, because 4 hex characters is already 16 bits). So it seems like the RTMP issues are solved. It used to be hard to do, but now it's damn near impossible since you need a valid token as well as all the other things I mentioned earlier. They should have done this to begin with, but at least they fixed the issue quickly. Seems like it took them about a week to fix from it being disclosed. I think they deserve credit for that.

6 hours ago, wanderingfool2 said:

Not really, the roadblocks.  Guess a 4 byte number (easily brute forced), a 0 - 9 number [that might be based on location], and get the serial numbers (again it would have been possible to go to a store and grab a pile of serial numbers).  That's not really much of a roadblock.  

And it has to be done while the camera is active, and it has to be done on a device using the HB1 or HB2 (not HB3). Those are pretty big roadblocks. In fact, Wasabi even said that the biggest issue was being able to execute it while the device was on.

The device simply didn't respond when it was off, so it would be very easy to miss it even if you, like Wasabi, had all the information necessary to carry the attack out.

6 hours ago, wanderingfool2 said:

Remember this is a company that advertised as using E2EE.  It's a fundamentally flawed concept to have it enabled by default where video is allowed to be streamed without encryption when you advertise it being E2EE.

Yep, that was bad of them to advertise it as being E2EE.


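The two positions argued in the posts above (wanderingfool2's breakdown of the guess as a server index 0-9, a serial number readable off the box and a 4-hex-character ID, and LAwLz's summary of the fix as a 12-character ID plus tokens the server now validates) can be put side by side in code. The following is an added example for this thread, not Eufy's, Anker's or the researcher's code, and it does not reproduce the real URL format or protocol: the URL layout, the `example.invalid` host, the function names, the HMAC-based token and the serial numbers are all assumptions made for the demonstration.

```python
"""Model of a guessable stream URL versus a token-gated one.

Added illustration for this thread, not Eufy's/Anker's code and not the real
protocol: the URL shape, host, function names and HMAC token are assumptions,
and the serial numbers used below are constructed.
"""
import hashlib
import hmac
import secrets
import time
from itertools import product

HEX = "0123456789abcdef"


def candidate_space(n_servers, n_serials, id_hex_chars):
    """URLs an attacker must try to cover every listed serial when the only
    unknowns are a server index (0-9) and a short hex ID (4 chars = 16 bits)."""
    return n_servers * n_serials * (16 ** id_hex_chars)


# ---- "before": the URL itself is the only credential -----------------------

def weak_stream_url(server, serial, stream_id):
    """Assumed URL layout (not the vendor's real one)."""
    return f"rtmp://p2p-vir-{server}.example.invalid/{serial}/{stream_id}"


def weak_server_accepts(url, live_streams):
    """Old design: if the camera is online its URL is in live_streams, and
    whoever presents that URL gets the feed. No proof of ownership at all."""
    return url in live_streams


def find_weak_stream(serial, live_streams, n_servers=10, id_hex_chars=4):
    """Enumerate (server, id) for one serial, in order, stopping at the first
    hit. Returns (url_or_None, attempts) so the cost of the attack is visible."""
    attempts = 0
    for server in range(n_servers):
        for digits in product(HEX, repeat=id_hex_chars):
            attempts += 1
            url = weak_stream_url(server, serial, "".join(digits))
            if weak_server_accepts(url, live_streams):
                return url, attempts
    return None, attempts          # camera offline: every guess fails


# ---- "after": long random ID plus a token the server can verify -------------

def _grant_message(serial, stream_id, expiry):
    return f"{serial}|{stream_id}|{expiry}".encode()


def issue_stream_grant(serial, secret, ttl_s=300, now=None):
    """Server side, for an authenticated owner only: mint a 12-hex-char
    (48-bit) stream ID and an HMAC token bound to serial, ID and expiry."""
    now = int(time.time()) if now is None else now
    stream_id = secrets.token_hex(6)
    expiry = now + ttl_s
    token = hmac.new(secret, _grant_message(serial, stream_id, expiry),
                     hashlib.sha256).hexdigest()
    return stream_id, expiry, token


def hardened_server_accepts(serial, stream_id, expiry, token, secret, now=None):
    """Server side: reject expired grants, recompute the MAC and compare in
    constant time. A guessed or harvested (serial, ID) pair is worthless
    without the token derived from the server-held secret."""
    now = int(time.time()) if now is None else now
    if now > expiry:
        return False
    expected = hmac.new(secret, _grant_message(serial, stream_id, expiry),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    serial = "SN-CONSTRUCTED-0001"                    # constructed, not a real SN
    live = {weak_stream_url(3, serial, "0a3c")}       # this camera happens to be on
    print("URLs to cover one serial, old scheme:", candidate_space(10, 1, 4))
    print("found:", find_weak_stream(serial, live))
    print("offline camera:", find_weak_stream(serial, set()))
    secret = secrets.token_bytes(32)                  # lives only on the server
    sid, exp, tok = issue_stream_grant(serial, secret, now=1_000_000)
    print("valid grant:", hardened_server_accepts(serial, sid, exp, tok, secret, now=1_000_010))
    print("forged token:", hardened_server_accepts(serial, sid, exp, "0" * 64, secret, now=1_000_010))
```

Two things the model makes concrete. First, the old scheme's cost is only 10 × 65,536 URLs per harvested serial, and the search returns nothing while the device is off, which is exactly the "has to be done while the camera is active" caveat raised above. Second, the strength of the fixed scheme does not come from the longer ID on its own (a 48-bit ID is still just a bigger guess) but from the token: the server recomputes it from a secret the attacker never sees, so serial numbers read off boxes in a shop give an attacker nothing to present.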
On 12/22/2022 at 11:14 AM, WkdPaul said:

I'm going off memory, I would have to go back through all the articles I read about it, but didn't the researcher go back later to find his thumbnail still present on Eufy's server? I can't remember the timeline but many researchers and experts mentioned the way Eufy dealt with the thumbnails was against GDPR guidelines

The researcher checked a few hours later. Eufy addressed it as after 48 hours, it'll be gone. Complying with GDPR is 30 days. 

So the researcher was being a knob.
