Geekzone: technology news, blogs, forums
billgates
  #3012599 20-Dec-2022 23:18

Handle9: Fortunately nothing has been found going to the Chinese cloud, it’s all been going to AWS. It’s extremely questionable whether that’s any better.


When the data reaches AWS, the user will not be able to see anything further anyway for any localized tasks that may be happening on that AWS server set up by the admins.




Jase2985
  #3012633 21-Dec-2022 07:52

michaelmurfy:

Again, this whole thing is a proper overreaction... I also have several security qualifications so am qualified to tell you how it is.

I'm sorry, but flippant comments like this, especially from a moderator, are really cringe.

Oh, look at me, I have multiple qualifications, you must listen to me.

You have no clue of the full extent of this, where the data actually ends up; then again, no one but Eufy does.

And while what happens may not be as big as it's been made out to be in some outlets, to just dismiss their business practices as nothing, come on, it's a bit deceitful, and has most certainly damaged the brand and consumer trust, and the lack of a statement says something.

Please remember the position you are in and don't be so bullish.

michaelmurfy
  #3012640 21-Dec-2022 08:28

Jase2985:

And while what happens may not be as big as it's been made out to be in some outlets, to just dismiss their business practices as nothing, come on, it's a bit deceitful, and has most certainly damaged the brand and consumer trust, and the lack of a statement says something.

Comments aimed at me aside, I need to reiterate this is not at all new. The problem here is there wasn't sufficient security disclosure that I would expect to see from any security researcher, and also people picked this up without knowing how the app works, nor how CDN caching or push notifications (especially on Apple devices) work.

If adequate responsible security disclosure was given then Eufy would have made the necessary changes, likely released a statement, may have even paid a bounty, and been on their way. I'm not at all supportive of the security researcher in this case as it is irresponsible to state these facts and jump to conclusions like he did without giving Eufy a chance to correct statements on the site or even fix problems. There are multiple teams working here and the marketing team likely doesn't know the technicals.

There was no secret that Cloud was always used - you have to log in and things "magically" work. Storing assets in the cloud is also not a problem (again, this is also required for some things they're doing). I personally always knew that images were submitted to AWS and the hub talks to AWS to transmit video data. The app also doesn't work "locally" when the internet is down. Also, you don't own the device.

As I've said, I agree that Eufy could have better worded this on their site, but I disagree they're scrubbing their site. The problem is responsible disclosure wasn't used and that can cause brand reputational damage, coupled with a tech YouTuber not fully understanding the issue and blowing it way out of proportion. Security researchers should always follow responsible disclosure guidelines to prevent reputational damage like this. In one of my previous jobs I've personally had to tell marketing teams that their statements were incorrect and to remove stuff off the website as changes were made to the app I looked after.

Jase2985:

You have no clue of the full extent of this, where the data actually ends up; then again, no one but Eufy does.

"Insert tech product or service here" - you have no clue where the data ends up with basically any of your devices that communicate to the internet. This is not at all limited to Eufy.

Jase2985:

Please remember the position you are in and don't be so bullish.

There is no need to be rude towards any individual on this forum regardless of their position...

Bung
  #3012646 21-Dec-2022 09:33

Eufy has just a small part on the big stage; Chinese-manufactured cameras are under question. "Cameras and technology from Chinese companies Hikvision, Huawei, ZTE, and Hytera Communications had been banned from use in UK government buildings and from being imported into the US."

https://www.stuff.co.nz/business/130806446/chinesemade-cameras-pose-potential-security-risk-to-new-zealand

Just a Stuff reader, not an expert.

Handle9
  #3012807 21-Dec-2022 17:24

michaelmurfy:

Comments aimed at me aside, I need to reiterate this is not at all new. The problem here is there wasn't sufficient security disclosure that I would expect to see from any security researcher, and also people picked this up without knowing how the app works, nor how CDN caching or push notifications (especially on Apple devices) work.

Eufy's statement admitted and fixed at least one security flaw, so I think it's reasonable to say that Moore had some reasonable points.

https://www.theverge.com/2022/12/19/23517250/anker-eufy-security-camera-answer

michaelmurfy
  #3013069 22-Dec-2022 10:50

Handle9: Eufy's statement admitted and fixed at least one security flaw, so I think it's reasonable to say that Moore had some reasonable points.

They didn't go into details, but it is incredibly unprofessional how he did this (as per the above) with not following responsible disclosure and reporting it privately to them to begin with - https://us.eufy.com/pages/vulnerability-form

The way he did it means Eufy couldn't verify, patch, release a statement etc. before the public knew about it, potentially turning this into a zero-day instead of a vulnerability, making this way more dangerous to consumers if a vulnerability existed.

Official release here: https://community.security.eufy.com/t/to-our-eufy-security-customers-and-partners/3568215 - they're being light on details of the potential vulnerability currently, but it appears they've done a temporary workaround until it can be patched and one actually existed.

Handle9
  #3013074 22-Dec-2022 11:12

michaelmurfy:

Handle9: Eufy's statement admitted and fixed at least one security flaw, so I think it's reasonable to say that Moore had some reasonable points.

They didn't go into details, but it is incredibly unprofessional how he did this (as per the above) with not following responsible disclosure and reporting it privately to them to begin with - https://us.eufy.com/pages/vulnerability-form

The way he did it means Eufy couldn't verify, patch, release a statement etc. before the public knew about it, potentially turning this into a zero-day instead of a vulnerability, making this way more dangerous to consumers if a vulnerability existed.

Official release here: https://community.security.eufy.com/t/to-our-eufy-security-customers-and-partners/3568215 - they're being light on details of the potential vulnerability currently, but it appears they've done a temporary workaround until it can be patched and one actually existed.

It's been widely reported he was in contact with them prior to the release of the video and they had already patched some vulnerabilities.



billgates
  #3030825 2-Feb-2023 10:55

Anker admits to lying about Eufy security camera encryption; describes future plans

It reports that Anker has finally admitted to two things it has previously denied. First, its cameras can transmit unencrypted video footage. Second, there is one circumstance in which they do.

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

We now also have an explanation about the difference between the theory (and the company’s original claims) and the reality.

Video sent to the companion iPhone and Android app did indeed use end-to-end encryption (E2E), as claimed. Anyone who intercepted that stream would not be able to view the video.

The same thing was true of recorded footage sent to the web; that too used E2E encryption.

However, live video streams sent to the web were not encrypted, nor even authenticated, meaning that the streaming footage could be viewed by anyone who gained access to the link.

MarkM536
  #3030889 2-Feb-2023 12:37

Handsomedan:

If anyone had access to that feed, it would not only be the most boring channel on the internet, it'd give away absolutely nothing.

I don't understand why there's so much drama, based on my use-case.

I'd understand if there were a few cameras in my house and I had the base station hooked up and it was all online, but for my use, this all seems like a non-issue.

Any issue with a camera outside is someone finding out when you leave/arrive home and when parcels arrive.

The connection comes from your home's internet, and some tracking down with a WiFi mapping tool can pin-point it down to a street.

michaelmurfy:

What is your "smart device" doing on your network? This is not at all restricted to Eufy and I can think of -way more- dodgy devices that you are likely even running. Think about those devices that attempt to port forward to themselves then get pwned because of a gaping security hole. Think about your older Smart TV that has not gotten a firmware update in years but is still on your network even if you potentially don't use the smart features.

So again, relax. This is not at all any more dodgy than other smart devices likely on your networks...

The biggest take-away I have from the information is that the data from a Eufy base device to their cloud services was not encrypted.

Hook-up says that it is no big deal because the unique identifier URL changes.

But it's still not encrypted if someone is looking for it.

IoT attacks happen all the time.

It just takes one other company to get their consumer devices compromised, then your smart thermostat is also a network scanner, along with many more thousands of thermostats also running scans.

All the other conversation about sending data to a server I understand... It needs something to allow that phone app notification.

Handle9:

Fortunately nothing has been found going to the Chinese cloud, it’s all been going to AWS. It’s extremely questionable whether that’s any better.

What has TikTok said about children who use the platform outside of China? I've heard that Chinese employees of TikTok have been able to access data on servers outside of China still.

That's any cloud app/device's issue! Once that data leaves your house it could be anywhere.

But Eufy is a consumer system... wouldn't people have guessed it needs cloud services?

As a summary:

  • Eufy didn't encrypt the image/notification - it could be found if it's being looked for.
  • People don't know a consumer grade device sends some data to a cloud server - maybe Eufy could have made it clearer??

Behodar
  #3030893 2-Feb-2023 12:58

MarkM536:

  • People don't know a consumer grade device sends some data to a cloud server - maybe Eufy could have made it clearer??

Apparently Eufy specifically said it was "local-only". Someone on another forum paraphrased Eufy's statement:

"Now that you've caught us in an out-and-out lie about the security of our products, please continue to use them and we promise this time we'll do better."


michaelmurfy
  #3030894 2-Feb-2023 13:00

@MarkM536 Again, the problem is the "security researcher" didn't follow responsible disclosure and could have done a whole lot more damage due to this. If responsible security disclosure were followed then Eufy could have likely mitigated, patched and then done disclosure after protecting its users.

Security issues (like this) happen all the time, but more often than not they're fixed in the background without user knowledge, or the security researcher releases what happened after the fact once it has been patched.

I have zero support for the security researcher in this case - he was a total dick to put it bluntly. It doesn't matter who the company is, but what he did has caused damage and loss of trust over something that was in the end a security issue that could have been patched internally.

michaelmurfy
  #3030896 2-Feb-2023 13:03

Behodar:

Apparently Eufy specifically said it was "local-only". Someone on another forum paraphrased Eufy's statement:

"Now that you've caught us in an out-and-out lie about the security of our products, please continue to use them and we promise this time we'll do better."

That is hardly the truth here. Marketing and engineers often work separately, and I honestly think this was the case of engineers implementing something which makes this statement null and void.

I know I personally have done the same and had to notify marketing they couldn't use a statement. Mistakes happen, but this was blown up. I agree they can do better, but it doesn't actually mean they outright lied here either.

MarkM536
  #3030911 2-Feb-2023 13:50

michaelmurfy:

@MarkM536 Again, the problem is the "security researcher" didn't follow responsible disclosure and could have done a whole lot more damage due to this. If responsible security disclosure were followed then Eufy could have likely mitigated, patched and then done disclosure after protecting its users.

Security issues (like this) happen all the time, but more often than not they're fixed in the background without user knowledge, or the security researcher releases what happened after the fact once it has been patched.

I have zero support for the security researcher in this case - he was a total dick to put it bluntly. It doesn't matter who the company is, but what he did has caused damage and loss of trust over something that was in the end a security issue that could have been patched internally.

I don't think Eufy would have done anything if it was said quietly.

But publicity like this can be a good thing for the end consumer:

  • It has shown the consumer that nothing is immune to bugs/attacks and that an internet connected camera (device) is a threat.
  • It has also shown the consumer what Eufy is like at responding to and fixing the issue.

I hope large dramas like this make people think twice before adding an internet connected camera to their home.


michaelmurfy
  #3030964 2-Feb-2023 14:13

MarkM536:

I don't think Eufy would have done anything if it was said quietly.

Eufy have a bug bounty program with the following statements:

Critical risk vulnerabilities will be fixed within 3 business days.

High and medium risk vulnerabilities will be fixed within 30 business days.

Low risk vulnerabilities will be fixed within 180 business days.

So, yes, they will do something.

They could do better by getting a third-party company like HackerOne (https://www.hackerone.com/) to manage their bug bounty program, but there is still no excuse for the security researcher. He did put everyone at risk in the way he disclosed this.

reven
  #3030997 2-Feb-2023 15:49

The biggest damage done was from Eufy for staying quiet for so long.

They should have come out loud and quickly, saying exactly what was happening and explaining it. I'm sure if they had reached out to Linus he would have gone over it in the next WAN Show. But no, they were quiet and the second WAN Show was just more moaning about Eufy.

It did make me rethink them, and I won't be installing any more of their products. I have two Eufy spotlight cameras, and I was going to get the solar power cameras and doorbell/front door locks, but now I'm looking at Reolink for a doorbell.

