[German]Anker Eufy Door Bell security cameras are also sold in Germany. A security researcher has now found several security vulnerabilities in the firmware of the Eufy cameras. These transfer user images and facial recognition data to the cloud without the user's consent. The security researcher also claims to have accessed live camera images without any authentication. Eufy support has probably confirmed some of the issues. Furthermore, the Eufy Homebase 2 smart hub is vulnerable via three vulnerabilities and hackers could take over the device.
Advertising
Eufy security camera streams to the cloud
British security researcher Paul Moore recently purchased an Eufy Doorbell Dual security camera, assuming that this device stores data locally and that the recordings are secure. Moore is an advocate of "storing everything locally and not in the cloud, and relied on the manufacturer's claims that this was so. When he put the device into operation and examined the whole thing more closely, he couldn't help but be amazed.
The security camera, contrary to the manufacturer's claims, streams the recorded video images to the AWS cloud, as he states in the above tweet and this YouTube video.On November 21, 2022, he asks in this tweet why the camera stores all the recorded Secured without encryption on the company's servers. He himself did not set up cloud storage and does not have an AWS cloud account. In addition, he asked why he could access the live images from the surveillance camera without authentication.
The colleagues from Android Central then elaborated the story in this article. According to Moore, the Eufy Door Bell security cameras transmit both user images and facial recognition data to the cloud. This, he said, was done without the user's consent (then Moore had not set up a cloud account and trusted that the data remained local). In addition, Moore was able to access the data stored in the cloud without authentication if he could provide the URL in question. Specifically, he only needed to enter the correct URL. The videos were encrypted with AES 128, but the key used was "protected" in his case with the ZXSecurity17Cam@ key.
Advertising
Eufy support then got in touch with the above statement and explained the technical facts. The response states that data is sent to a backend server in the Amazon Cloud (AWS) and that the server then generates thumbnails that the user can view in their app. The camera's recordings would be stored locally. According to Eufy support, the "issues" Moore named should not occur if the user does not enable thumbnails for camera messages. Those thumbnails are sent to the cloud for push notifications.
Moore confirmed to Android Central that some of the issues have since been fixed via update. However, he cannot confirm that the data in the AWS cloud is being deleted correctly. While Moore lives in the UK, he told Android Central that he has taken legal action against Eufy for a possible breach of the General Data Protection Regulation (GDPR). Eufy support states that they will now highlight more clearly via app update what data is being transferred to the AWS cloud. The article from Android Central contains some more details.
Eufy Homebase 2 with vulnearabilities
While researching for my article, I came across another article about Eufy products. From Eufy (an Anker brand) there is the Eufy Homebase 2 for home automation. The Homebase 2 provides storage and management capabilities for other Eufy smart home devices such as doorbells, alarms and cameras. In the following tweet, someone points out that the Eufy Homebase 2 also has three vulnerabilities.
The article here reports that security researchers from Cisco Talos have found the following three dangerous vulnerabilities in Eufy Homebase 2.
- CVE-2022-21806 is a critical vulnerability that attackers can exploit to send packets and execute remote code.
- CVE-2022-26073 can be exploited in the same way as the above vulnerability, but this time attackers can reboot the target device.
- CVE-2022-25989 is a vulnerability that allows attackers to force Homebase 2 to send traffic to an external server, such as footage from connected camera devices.
This means that hackers can send commands via the Internet to the Smart Hub (Homebase 2) and then take it over. Remote access would be possible, whereby the hub could be rebooted or camera images could be sent to any recipient. So the full program "give us the daily security nightmare today" out of the box.
