[HN Gopher] Anker's Eufy lied to us about the security of its se...
___________________________________________________________________
Anker's Eufy lied to us about the security of its security cameras
Author : nathan_phoenix
Score : 69 points
Date : 2022-12-03 20:50 UTC (2 hours ago)
(HTM) web link (www.theverge.com)
(TXT) w3m dump (www.theverge.com)
| underwater wrote:
| This article seems confused about the claims it's making.
|
| The embedded Tweet shows that the thumbnails for push
| notifications are stored on AWS as a secret URL. Thats not great,
| but also expected for the convenience of having push
| notifications include media.
|
| The part about VLC seems to be a completely different issue. It
| sound like the device streams to the device without encrypting
| the video, but that doesn't necessarily mean that that content is
| being stored in the cloud.
| nathan_phoenix wrote:
| In-short: "Anker has built a remarkable reputation for quality
| over the past decade [...], including the Eufy home security
| cameras [...]. Eufy's commitment to privacy is remarkable: it
| promises your data will be stored locally, [...], that its
| footage only gets transmitted with "end-to-end" military-grade
| encryption, and that it will only send that footage "straight to
| your phone."
|
| So you can imagine our surprise to learn you can stream video
| from a Eufy camera, from the other side of the country, with no
| encryption at all."
|
| And a tweet showcasing how to get the unencrypted video/images
| from the security researcher who discovered the issue:
| https://twitter.com/paul_reviews/status/1595421705996042240
| silisili wrote:
| As I understand it, the Homebase is responsible for the
| encryption and storage.
|
| That said, I realized I could watch live my doorbell via the
| app when away. I assumed this would be encrypted somehow, too,
| but I suppose their findings are that they're not. Bummer.
| haswell wrote:
| The supposed lack of encryption has not been confirmed.
|
| There's been quite a bit of FUD spreading since this story
| hit, and I'm convinced that the security researcher involved
| has some misconceptions about what it means for content to be
| encrypted. He seems to believe that because he can see the
| network requests in browser developer tools, communication is
| not encrypted.
|
| Up to this point, the most solid claim is the fact that
| thumbnails are transmitted to Eufy to facilitate push
| notifications. Eufy confirmed this, and pledged to improve
| the messaging on the options that enable the feature.
|
| The concerns related to the streaming of video is as-of-yet
| _not_ confirmed, and would indicate a breathtaking lapse on
| Eufy 's part if true. It's been disheartening to watch all of
| this unfold with too many folks taking pretty huge claims at
| face value.
| chaostheory wrote:
| The streaming of video has been confirmed by multiple
| sources including the Verge and Linus Tech Tips
| silisili wrote:
| Yeah. As a Eufy owner I'm not really concerned about the
| thumbnails, especially since they can be turned off.
|
| The video streaming is of more concern, but the reporting
| has been really weird and bad about it. Why do they keep
| mentioning VLC like it's some secret hacker tool? If
| unencrypted, why do they mention a shared AES key?
|
| Really wish a reliable source would give more details.
| aritmo wrote:
| The media transfers are encrypted. But he uses the Developer
| Tools of the browser, so he sees the content of the encrypted
| packets.
|
| It is obvious that any cloud-based security camera has to send
| the media to the cloud! There is no other way.
|
| The marketing people at Eufy made a long series of mistakes. It
| is a marketing problem.
| nathan_phoenix wrote:
| Eufy markets their cameras as privacy focused, using local
| storage and local processing without using cloud storage so
| I'm not sure how you concluded against their marketing that
| it's cloud based.
|
| Also he opens the link in a new private session which doesn't
| have the auth cookies. Furthermore, he later explains that
| there is no auth happening. Lastly The Verge confirmed it by
| watching the camera stream using plain VLC.
| kodah wrote:
| Eufy isn't cloud-based.
| haswell wrote:
| The fact that they are indeed cloud-based is why this story
| has been blowing up and making quite a few people upset.
|
| The reality is, even if the cameras are not configured to
| save video to Eufy's cloud service, thumbnails are still
| transmitted to Eufy for the purpose of facilitating push
| notifications (confirmed by Eufy), and the researcher who
| discovered this claims to have found a way to access camera
| feeds without authentication as well (this is _not_
| confirmed, and one of the most questionable claims).
|
| I own several of these cameras but have them configured as
| HomeKit devices, and while I'm not terribly concerned about
| the transmission of thumbnails since this is the name of
| the game if you want a preview in a push notification, I've
| always felt a little weird about the fact that these
| cameras require a Eufy account to configure, and you can
| access the live streams by logging into that account, even
| after the cameras have been configured as HomeKit cameras.
| mfkp wrote:
| Debunked, this is just clickbait: https://youtu.be/a_rAXF_btvE
| landr0id wrote:
| This looks more like negligence than malice. In order to send the
| push notification you have to send the content to a server that
| then gets pushed down through say Apple's Push Notification
| Service. The doorbell cannot talk directly to your device. The
| notification contains the image and whatever other text and
| metadata shown.
|
| I'd imagine that what they mean by "planning to encrypt" this
| content is to E2EE the content and register a notification
| extension (something like:
| https://developer.apple.com/documentation/usernotifications/...)
| that transforms the content once received by the client.
|
| As most people probably know, E2EE isn't a simple problem to do
| in a user-friendly way. Perhaps when setting up the app/doorbell
| the doorbell could have some certificate that the app is aware of
| that's used for encrypting the data before it leaves the
| doorbell, and decrypted using the app's private key but this
| obviously isn't something provided out of the box.
|
| Obviously a warrant could be served to Apple/Google/Eufy for
| notification content, but I don't take this as being particularly
| nefarious.
|
| It genuinely wouldn't surprise me if other offline doorbells like
| Ubiquiti's UniFi line were also affected.
|
| *I should probably mention I wrote this comment after reading a
| different article/video but didn't catch that their marketing
| mentioned that everything is E2EE. So yeah, seems like a pretty
| glaring lie in that regard.
| iancarroll wrote:
| It might be difficult, but it's possible to send encrypted push
| notifications as you mention, and you don't get to make the
| E2EE claims until you actually do it. I don't think UniFi or
| most other cameras claim anything like Eufy did.
| landr0id wrote:
| Fair point that their marketing explicitly says this stuff is
| end-to-end encrypted. Seems like an obvious gap in
| validation/coverage of their network comms.
| jasonhansel wrote:
| The issue is that Anker _said_ the footage was e2e encrypted.
| If they needed to be able to decrypt it to send notifications,
| they shouldn 't have advertised it as providing end-to-end
| encryption.
| kodah wrote:
| If you want a truly local camera system with all the fancy
| features, check out Home Assistant (homeassistant.io) and Frigate
| (https://github.com/blakeblackshear/frigate).
| imiric wrote:
| My biggest concern about setting up a camera system is not
| about the fancy features, but about the camera hardware itself
| and its firmware. Frigate recommends[1] only Chinese devices,
| which is a deal breaker for me. Yes, I could restrict them from
| accessing the internet, put them behind a VLAN or VPN etc., but
| it's a hassle. I would ideally like to trust the device that
| handles such sensitive data, and not have to fight it.
|
| Do you have a recommendation of a reputable camera
| manufacturer? Or failing that, a device that can be flashed
| with trusted open source firmware?
|
| At this point I'm ready to just use an old Android phone
| instead. It's ridiculous how seemingly nobody in this industry
| is capable of producing trustworthy products.
|
| [1]: https://docs.frigate.video/hardware
| phpisthebest wrote:
| Zero Trust is a better way, for me that means my IoT and
| Camera's are on a completely seperate vLAN and Wifi network
| with zero internet access. HA is the bridge between the 2
| networks, HA is the only device on both networks.
|
| So even if the the Camera's want to phone home, they have
| zero path to do so
| jasonhansel wrote:
| > there's no proof yet that this has been exploited in the wild
|
| Give it a few days.
___________________________________________________________________
(page generated 2022-12-03 23:00 UTC)