Geekzone: technology news, blogs, forums


tehgerbil

1110 posts

Uber Geek
+1 received by user: 884

ID Verified
Subscriber

#302779 20-Dec-2022 09:15

In recent weeks, Anker-owned smart home brand Eufy has been embroiled in scandal after security consultant Paul Moore discovered a number of potentially serious vulnerabilities that could compromise user privacy, including one particularly gnarly issue that apparently made video feeds from Eufy cameras accessible over the internet.

 

As The Verge reports, since December 8, a total of 11 phrases and statements have been removed from Eufy's website, including assurances like "There is no online link available to any video" and "No one else can access or read this data." A longer statement about Eufy's policies surrounding providing footage to law enforcement agencies upon request has also been removed.

The Verge reporting

 

Android Police reporting

 

Very dodgy, would 100% not touch their hardware with a 15ft bargepole. 



This is a filtered page: currently showing replies marked as answers. Click here to see full discussion.

michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10912

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3012217 20-Dec-2022 10:23

To be honest this is a complete overreaction and not fully true.

 

I personally use Ring cameras and know for a fact that Amazon have access to these cameras and so do potential law enforcement agencies. To be honest, I don't care and I've got 11 of these cameras around the house too.

 

Eufy are way ahead and their local hub is also really good. Do they have access to your recordings? Maybe... but expect that from any solution you don't build yourself. I work in IT Security myself and yet I am not stressing to my parents to rip out their Eufy cameras at all.

 

So, relax folk. I'm still going to recommend Eufy cameras. Also:

 

Moore says Eufy is moving quickly on the issues he's raised and that the methods he'd previously used to access his data in unorthodox ways no longer work.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.




michaelmurfy
  #3012640 21-Dec-2022 08:28

Jase2985:

 

and while what happens may not be as big as it's been made out to be in some outlets, but to just dismiss their business practices as nothing, come on, it's a bit deceitful, and had most certainly damaged the brand and consumer trust, and the lack of statement says something.

 

Comments aimed at me aside, I need to reiterate this is not at all new. The problem here is there wasn't sufficient security disclosure that I would expect to see from any security researcher and also people picked this up without knowing how the app works nor how CDN caching or push notifications (especially on Apple devices) work.

 

If adequate responsible security disclosure was given then Eufy would have made the necessary changes, likely released a statement, may have even paid a bounty and be on their way. I'm not at all supportive of the security researcher in this case as it is irresponsible to state these facts and jump to conclusions like he did without giving Eufy a chance to correct statements on the site or even fix problems. There are multiple teams working here and the marketing team likely doesn't know the technicals.

 

There was no secret that Cloud was always used - you have to log in and things "magically" work. Storing assets in the cloud is also not a problem (again, this is also required for some things they're doing). I personally always knew that images were submitted to AWS and the hub talks to AWS to transmit video data. The app also doesn't work "locally" when the internet is down. Also, you don't own the device.

 

As I've said I agree that Eufy could have better worded this on their site but I disagree they're scrubbing their site. The problem is responsible disclosure wasn't used and that can cause brand reputational damage coupled with a tech YouTuber not fully understanding the issue and blowing it way out of proportion. Security researchers should always follow responsible disclosure guidelines to prevent reputational damage like this. In one of my previous jobs I've personally had to tell marketing teams that their statements were incorrect and to remove stuff off the website as changes were made to the app I looked after.

 

you have no clue of the full extent of this, where the data actually ends up, then again no one but Eufy do.

 

"insert tech product or service here" - you have no clue where the data ends up with basically any of your devices that communicate to the internet. This is not at all limited to Eufy.

 

please remember the position you are in and don't be so bullish.

 

There is no need to be rude towards any individual on this forum regardless of their position...





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.

