CLICK TO SHARE
When security researchers found that Eufy's supposedly cloud-free cameras were uploading thumbnails with facial data to cloud servers, Eufy's response was that it was a misunderstanding, a failure to disclose an aspect of its mobile notification system to customers.
Eufy didn't respond to other claims from security researcher Paul Moore and others, including that one could stream the feed from a Eufy camera in VLC Media Player, if you had the right URL. Last night, The Verge, working with the security researcher "Wasabi" who first tweeted the problem, confirmed it could access Eufy camera streams, encryption-free, through a Eufy server URL.
This makes Eufy's privacy promises of footage that "never leaves the safety of your home," is end-to-end encrypted, and only sent "straight to your phone" highly misleading, if not outright dubious. It also contradicts an Anker/Eufy senior PR manager who told The Verge that "it is not possible" to watch footage using a third-party tool like VLC.
The Verge notes some caveats, similar to those that applied to the cloud-hosted thumbnail. Chiefly, you would typically need a username and password to reveal and access the encryption-free URL of a stream. "Typically," that is, because the camera-feed URL appears to be a relatively simple scheme involving the camera serial number in Base64, a Unix timestamp, a token that The Verge says is not validated by Eufy's servers, and a four-digit hex value. Eufy's serial numbers are typically 16 digits long, but they are also printed on some boxes and could be obtained in other places.
We've reached out to Eufy and Wasabi and will update this post with any further information. Researcher Paul Moore, who initially raised concerns with Eufy's cloud access, tweeted on November 28 that he had "a lengthy discussion with [Eufy's] legal department" and would not comment further until he could provide an update.
If you don't see any comments yet, congrats! You get first comment. Be nice and have fun.
CLICK TO SHARE