

tehgerbil

1110 posts

Uber Geek
+1 received by user: 884

ID Verified
Subscriber

#302779 20-Dec-2022 09:15

In recent weeks, Anker-owned smart home brand Eufy has been embroiled in scandal after security consultant Paul Moore discovered a number of potentially serious vulnerabilities that could compromise user privacy, including one particularly gnarly issue that apparently made video feeds from Eufy cameras accessible over the internet.

 

As The Verge reports, since December 8, a total of 11 phrases and statements have been removed from Eufy's website, including assurances like "There is no online link available to any video" and "No one else can access or read this data." A longer statement about Eufy's policies surrounding providing footage to law enforcement agencies upon request has also been removed.

The Verge reporting

 

Android Police reporting

 

Very dodgy, would 100% not touch their hardware with a 15ft bargepole. 


Chippo
129 posts

Master Geek
+1 received by user: 52

Trusted

  #3012189 20-Dec-2022 09:43

I also think there's been a big gap in understanding from most of the people reporting on this - and a significant lack of others replicating the initial findings. If Eufy required port forwarding for their notifications to work, that'd either be a huge security issue or just entirely impossible for anyone behind CG-NAT.

 

The Hookup did a reaction to the media at large (But mostly Linus) The Internet is WRONG about Eufy. (Mostly) - YouTube

 

I like the image preview as part of the notification - I understand that means a still is being sent to the internet. I'm glad Eufy updated the notification settings in their app to include this clarification that sending a picture to your phone requires sending a copy of that picture to the cloud.

 

Eufy are a mile ahead of any of their direct competition in terms of privacy. Do not let perfection be the enemy of progress.





I work for a global Data Protection Software company - But my opinions are my own.




rp1790
751 posts

Ultimate Geek
+1 received by user: 177

Lifetime subscriber

  #3012190 20-Dec-2022 09:46

Was just going to post a link to the Hookup video, typical Internet overreaction and disappointing from Linus.  Don't think many people actually understand and just read the "sensational" headlines.


Handsomedan
7769 posts

Uber Geek
+1 received by user: 7402

ID Verified
Trusted
Subscriber

  #3012203 20-Dec-2022 10:07

OK - so I have a driveway spotlight/camera combo, which does not have a base station. 

 

I use it really to see whether our mailbox is being tampered with or our cars are being bothered. 

 

If anyone had access to that feed, it would not only be the most boring channel on the internet, it'd give away absolutely nothing. 

 

I don't understand why there's so much drama, based on my use-case. 

 

I'd understand if there was a few cameras in my house and I had the base station hooked up and it was all online, but for my use, this all seems like a non-issue. 





Handsome Dan Has Spoken.
Handsome Dan needs to stop adding three dots to every sentence...

 

Handsome Dan does not currently have a side hustle as the mascot for Yale 

 

 

 

*Gladly accepting donations...




michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3012217 20-Dec-2022 10:23

To be honest this is a complete overreaction and not fully true.

 

I personally use Ring cameras and know for a fact that Amazon have access to these cameras and so do potential law enforcement agencies. To be honest, I don't care and I've got 11 of these cameras around the house too.

 

Eufy are way ahead and their local hub is also really good. Do they have access to your recordings? Maybe... but expect that from any solution you don't build yourself. I work in IT Security myself and yet I am not stressing to my parents to rip out their Eufy cameras at all.

 

So, relax folk. I'm still going to recommend Eufy cameras. Also:

 

Moore says Eufy is moving quickly on the issues he's raised and that the methods he'd previously used to access his data in unorthodox ways no longer work.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


zespri
424 posts

Ultimate Geek
+1 received by user: 94

Lifetime subscriber

  #3012244 20-Dec-2022 11:25

The problem here is not the privacy, the problem is the lies and misrepresentations. And whether one cares or not about being lied to is of course an entirely personal choice.


mentalinc
3384 posts

Uber Geek
+1 received by user: 1023

Trusted

  #3012321 20-Dec-2022 12:24

As zespri said, the issue is they said nothing was being collected but it was. And then followed it up by removing policy statements instead of stopping it or making it more clearly opt in...

 

Ring is different, you 100% knew from the outset that the video was leaving your network and going somewhere.

 

 

 

The concern is also, they have a network device on your network (99.9% of people are not going to have it on a vlan), so what else could they do or be doing with the network they have access to?

 

 





CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB:  Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

 

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX 


 
 
 

zespri
424 posts

Ultimate Geek
+1 received by user: 94

Lifetime subscriber

  #3012342 20-Dec-2022 13:21

mentalinc:

 

The concern is also, they have a network device on your network (99.9% of people are not going to have it on a vlan), so what else could they do or be doing with the network they have access to?

 

 

The usual advice is never to put CCTV on the same network as the rest of your home network, but unless you are an IT professional or gained required expertise otherwise you are not going to set that up.


Handle9
11925 posts

Uber Geek
+1 received by user: 9675

Trusted
Lifetime subscriber

  #3012346 20-Dec-2022 13:28

Chippo:

I also think there's been a big gap in understanding from most of the people reporting on this - and a significant lack of others replicating the initial findings. If Eufy required port forwarding for their notifications to work, that'd either be a huge security issue or just entirely impossible for anyone behind CG-NAT.


The Hookup did a reaction to the media at large (But mostly Linus) The Internet is WRONG about Eufy. (Mostly) - YouTube


I like the image preview as part of the notification - I understand that means a still is being sent to the internet. I'm glad Eufy updated the notification settings in their app to include this clarification that sending a picture to your phone requires sending a copy of that picture to the cloud.


Eufy are a mile ahead of any of their direct competition in terms of privacy. Do not let perfection be the enemy of progress.



The hookup video had some pretty big holes as well which Linus responded to.

IMO the issue was the way Eufy advertised their gear. Every internet connected camera has or will have some form of security issue or data breach. Eufy claimed there was no cloud required which was the bigger issue.

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #3012399 20-Dec-2022 16:25

zespri:

The usual advice is never to put CCTV on the same network as the rest of your home network, but unless you are an IT professional or gained required expertise otherwise you are not going to set that up.

 

 

Yup. VLAN setup on most devices I've used is ridiculously complex, at about the level of a GUI for iptables, all hand-wiring and plumbing and writing down config settings from one tab so you can set the appropriate other stuff five tabs further on. If SOHO routers came preconfigured with a set of VLANs, say Internet, Phone, Entertainment, and Gadgets, and you could just drag and drop each device into one of them it'd hugely improve the current nothing-in-here-but-us-chickens cluster---k. If you really wanted to get fancy you could even auto-identify the most common devices, e.g. VoIP devices, media streaming boxes, and so on, and put them in the appropriate VLAN.

michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3012412 20-Dec-2022 16:55

mentalinc:

 

The concern is also, they have a network device on your network (99.9% of people are not going to have it on a vlan), so what else could they do or be doing with the network they have access to?

 

Think about this statement for a second. What is your "smart device" doing on your network. This is not at all restricted to Eufy and I can think of -way more- dodgy devices that you are likely even running. Think about those devices that attempt to port forward to themselves then get pwned because of a gaping security hole. Think about your older Smart TV that has not gotten a firmware update in years but is still on your network even if you potentially don't use the smart features.

 

This is why I am saying this response is a complete overreaction. I knew from the beginning that the hub used the cloud for some things (my parents have a Eufy camera setup), I knew that thumbnails were being stored in the cloud and I knew the hub was never 100% local well before this all came out. You need this sort of thing for push notifications (again. I've had personal dealings with this in a past job) and for streaming video. Heck, there is a Eufy login before you can start using the cameras and app so the cloud was always involved in one way or another.

 

I work in security also... I have a zero-trust IoT WiFi network at home for all my smart devices but my parents don't have that luxury but I am still 100% fine with the hub sitting on their main network and I know it isn't doing anything dodgy.

 

I know not all of you will have a security background to do risk analysis but know I'll be jumping up and down telling people to not use a product if it was deemed insecure (like I now do with some Ubiquiti products I once really liked like the EdgeOS line).

 

The video posted above was pretty spot on with my views on this whole debacle:

 

 

So again relax. This is not at all any more dodgy than other smart devices likely on your networks...





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


tehgerbil

1110 posts

Uber Geek
+1 received by user: 884

ID Verified
Subscriber

  #3012571 20-Dec-2022 20:01

michaelmurfy:

 

To be honest this is a complete overreaction and not fully true.

 

I personally use Ring cameras and know for a fact that Amazon have access to these cameras and so do potential law enforcement agencies. To be honest, I don't care and I've got 11 of these cameras around the house too.

 

Eufy are way ahead and their local hub is also really good. Do they have access to your recordings? Maybe... but expect that from any solution you don't build yourself. I work in IT Security myself and yet I am not stressing to my parents to rip out their Eufy cameras at all.

 

So, relax folk. I'm still going to recommend Eufy cameras. Also:

 

Moore says Eufy is moving quickly on the issues he's raised and that the methods he'd previously used to access his data in unorthodox ways no longer work.

 

 

 

 

Wow. Respectfully you've missed the point. Eufy's brand is/was that they were more security/privacy conscious than others and this was a point of difference in the crowded security cam market.

Their reaction to being called out over security flaws by immediately cleansing the website of most privacy claims and refusing to issue a statement speaks volumes about their morals and as such consumers should be aware of what kind of company they're choosing with their private info, such as camera footage from inside their house.


 
 
 

michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3012576 20-Dec-2022 20:37

tehgerbil:

 

Wow. Respectfully you've missed the point. Eufy's brand is/was that they were more security/privacy conscious than others and this was a point of difference in the crowded security cam market.

 

I'm not at all missing the point and fully understand this. I, and also many others know what Eufy have been doing all this time and this is not at all any surprise. This is quite simply an overreaction this round.

 

Their reaction to being called out over security flaws by immediately cleansing the website of most privacy claims and refusing to issue a statement speaks volumes about their morals and as such consumers should be aware of what kind of company they're choosing with their private info, such as camera footage from inside their house.

 

There isn't really any statement to be issued. They've already mentioned the cloud is required for several components of their app and this also wasn't a breach nor do I believe this is a security flaw. There will be lawyers working behind the scenes likely saying "oh, you can't say this because you use the cloud here" and that is likely what is happening. As a whole, I still believe the Eufy ecosystem is still rather secure and I personally trust it over Ring who have been known for data collection and handing over footage to law enforcement - I also use Ring...

 

If you don't design a product yourself then you don't own said product nor can vouch for the security of this product. There have been a number of "security concerns" over many security products over the years but often these come with responsible disclosure and not a zero day and I'm always happy to see companies patching these issues as they crop up. Eufy did just this also.

 

Again, this whole thing is a proper overreaction... I also have several security qualifications so am qualified to tell you how it is.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


billgates
4706 posts

Uber Geek
+1 received by user: 672

Trusted

  #3012592 20-Dec-2022 22:55

Trusting any brand coming out of China reporting back to Chinese cloud, especially when it relates to security, finance and social media, should be a big no no. CCP has a lot of back doors. The entire Chinese tech we have seen explode in the last 10 or 15 years is mostly result of stolen IP from overseas.

 

Eufy’s handling of this fiasco whether they knew about the vulnerability or not is simply terrible. 





Do whatever you want to do man.

  

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #3012595 20-Dec-2022 23:01

billgates:

Trusting any brand coming out of China reporting back to Chinese cloud, especially when it relates to security, finance and social media, should be a big no no. CCP has a lot of back doors. The entire Chinese tech we have seen explode in the last 10 or 15 years is mostly result of stolen IP from overseas.

 

 

The Fox is strong in this one.

Handle9
11925 posts

Uber Geek
+1 received by user: 9675

Trusted
Lifetime subscriber

  #3012597 20-Dec-2022 23:07

billgates:

Trusting any brand coming out of China reporting back to Chinese cloud, especially when it relates to security, finance and social media, should be a big no no. CCP has a lot of back doors. The entire Chinese tech we have seen explode in the last 10 or 15 years is mostly result of stolen IP from overseas.


Eufy’s handling of this fiasco whether they knew about the vulnerability or not is simply terrible. 



Fortunately nothing has been found going to the Chinese cloud, it’s all been going to AWS. It’s extremely questionable whether that’s any better.
