[HN Gopher] Anker's Eufy lied to us about the security of its se... ___________________________________________________________________ Anker's Eufy lied to us about the security of its security cameras Author : nathan_phoenix Score : 69 points Date : 2022-12-03 20:50 UTC (2 hours ago) (HTM) web link (www.theverge.com) (TXT) w3m dump (www.theverge.com) | underwater wrote: | This article seems confused about the claims it's making. | | The embedded Tweet shows that the thumbnails for push | notifications are stored on AWS as a secret URL. Thats not great, | but also expected for the convenience of having push | notifications include media. | | The part about VLC seems to be a completely different issue. It | sound like the device streams to the device without encrypting | the video, but that doesn't necessarily mean that that content is | being stored in the cloud. | nathan_phoenix wrote: | In-short: "Anker has built a remarkable reputation for quality | over the past decade [...], including the Eufy home security | cameras [...]. Eufy's commitment to privacy is remarkable: it | promises your data will be stored locally, [...], that its | footage only gets transmitted with "end-to-end" military-grade | encryption, and that it will only send that footage "straight to | your phone." | | So you can imagine our surprise to learn you can stream video | from a Eufy camera, from the other side of the country, with no | encryption at all." | | And a tweet showcasing how to get the unencrypted video/images | from the security researcher who discovered the issue: | https://twitter.com/paul_reviews/status/1595421705996042240 | silisili wrote: | As I understand it, the Homebase is responsible for the | encryption and storage. | | That said, I realized I could watch live my doorbell via the | app when away. I assumed this would be encrypted somehow, too, | but I suppose their findings are that they're not. Bummer. | haswell wrote: | The supposed lack of encryption has not been confirmed. | | There's been quite a bit of FUD spreading since this story | hit, and I'm convinced that the security researcher involved | has some misconceptions about what it means for content to be | encrypted. He seems to believe that because he can see the | network requests in browser developer tools, communication is | not encrypted. | | Up to this point, the most solid claim is the fact that | thumbnails are transmitted to Eufy to facilitate push | notifications. Eufy confirmed this, and pledged to improve | the messaging on the options that enable the feature. | | The concerns related to the streaming of video is as-of-yet | _not_ confirmed, and would indicate a breathtaking lapse on | Eufy 's part if true. It's been disheartening to watch all of | this unfold with too many folks taking pretty huge claims at | face value. | chaostheory wrote: | The streaming of video has been confirmed by multiple | sources including the Verge and Linus Tech Tips | silisili wrote: | Yeah. As a Eufy owner I'm not really concerned about the | thumbnails, especially since they can be turned off. | | The video streaming is of more concern, but the reporting | has been really weird and bad about it. Why do they keep | mentioning VLC like it's some secret hacker tool? If | unencrypted, why do they mention a shared AES key? | | Really wish a reliable source would give more details. | aritmo wrote: | The media transfers are encrypted. But he uses the Developer | Tools of the browser, so he sees the content of the encrypted | packets. | | It is obvious that any cloud-based security camera has to send | the media to the cloud! There is no other way. | | The marketing people at Eufy made a long series of mistakes. It | is a marketing problem. | nathan_phoenix wrote: | Eufy markets their cameras as privacy focused, using local | storage and local processing without using cloud storage so | I'm not sure how you concluded against their marketing that | it's cloud based. | | Also he opens the link in a new private session which doesn't | have the auth cookies. Furthermore, he later explains that | there is no auth happening. Lastly The Verge confirmed it by | watching the camera stream using plain VLC. | kodah wrote: | Eufy isn't cloud-based. | haswell wrote: | The fact that they are indeed cloud-based is why this story | has been blowing up and making quite a few people upset. | | The reality is, even if the cameras are not configured to | save video to Eufy's cloud service, thumbnails are still | transmitted to Eufy for the purpose of facilitating push | notifications (confirmed by Eufy), and the researcher who | discovered this claims to have found a way to access camera | feeds without authentication as well (this is _not_ | confirmed, and one of the most questionable claims). | | I own several of these cameras but have them configured as | HomeKit devices, and while I'm not terribly concerned about | the transmission of thumbnails since this is the name of | the game if you want a preview in a push notification, I've | always felt a little weird about the fact that these | cameras require a Eufy account to configure, and you can | access the live streams by logging into that account, even | after the cameras have been configured as HomeKit cameras. | mfkp wrote: | Debunked, this is just clickbait: https://youtu.be/a_rAXF_btvE | landr0id wrote: | This looks more like negligence than malice. In order to send the | push notification you have to send the content to a server that | then gets pushed down through say Apple's Push Notification | Service. The doorbell cannot talk directly to your device. The | notification contains the image and whatever other text and | metadata shown. | | I'd imagine that what they mean by "planning to encrypt" this | content is to E2EE the content and register a notification | extension (something like: | https://developer.apple.com/documentation/usernotifications/...) | that transforms the content once received by the client. | | As most people probably know, E2EE isn't a simple problem to do | in a user-friendly way. Perhaps when setting up the app/doorbell | the doorbell could have some certificate that the app is aware of | that's used for encrypting the data before it leaves the | doorbell, and decrypted using the app's private key but this | obviously isn't something provided out of the box. | | Obviously a warrant could be served to Apple/Google/Eufy for | notification content, but I don't take this as being particularly | nefarious. | | It genuinely wouldn't surprise me if other offline doorbells like | Ubiquiti's UniFi line were also affected. | | *I should probably mention I wrote this comment after reading a | different article/video but didn't catch that their marketing | mentioned that everything is E2EE. So yeah, seems like a pretty | glaring lie in that regard. | iancarroll wrote: | It might be difficult, but it's possible to send encrypted push | notifications as you mention, and you don't get to make the | E2EE claims until you actually do it. I don't think UniFi or | most other cameras claim anything like Eufy did. | landr0id wrote: | Fair point that their marketing explicitly says this stuff is | end-to-end encrypted. Seems like an obvious gap in | validation/coverage of their network comms. | jasonhansel wrote: | The issue is that Anker _said_ the footage was e2e encrypted. | If they needed to be able to decrypt it to send notifications, | they shouldn 't have advertised it as providing end-to-end | encryption. | kodah wrote: | If you want a truly local camera system with all the fancy | features, check out Home Assistant (homeassistant.io) and Frigate | (https://github.com/blakeblackshear/frigate). | imiric wrote: | My biggest concern about setting up a camera system is not | about the fancy features, but about the camera hardware itself | and its firmware. Frigate recommends[1] only Chinese devices, | which is a deal breaker for me. Yes, I could restrict them from | accessing the internet, put them behind a VLAN or VPN etc., but | it's a hassle. I would ideally like to trust the device that | handles such sensitive data, and not have to fight it. | | Do you have a recommendation of a reputable camera | manufacturer? Or failing that, a device that can be flashed | with trusted open source firmware? | | At this point I'm ready to just use an old Android phone | instead. It's ridiculous how seemingly nobody in this industry | is capable of producing trustworthy products. | | [1]: https://docs.frigate.video/hardware | phpisthebest wrote: | Zero Trust is a better way, for me that means my IoT and | Camera's are on a completely seperate vLAN and Wifi network | with zero internet access. HA is the bridge between the 2 | networks, HA is the only device on both networks. | | So even if the the Camera's want to phone home, they have | zero path to do so | jasonhansel wrote: | > there's no proof yet that this has been exploited in the wild | | Give it a few days. ___________________________________________________________________ (page generated 2022-12-03 23:00 UTC)