The security cameras Euphya brand of Ankerwould have an important vulnerability: according to some experts would transmit unencrypted images and videos, therefore potentially accessible. So much so that some newspapers report having seen on VLC of camera feedback located miles away.
Eufy Security Cameras: Video unencrypted and viewable with VLC
Anker is now a highly respected brand internationally, especially for its products such as chargers and adapters, but also earphones and more: all with a great value for money. And its Eufy brand has carved out an important niche in the world of smart homes, even with its robot vacuum cleaners. Bad Eufy security cameras not only must they have an excellent relationship between construction quality and cost, they must be secure.
For this Eufy explains that the images and videos remain only stored locally at your home. You can see them remotely from your smartphone, but on the telematic journey they remain protected by a military-grade end-to-end encryption. In other words, you can only see them on your smartphone. And none of Eufy or Anker can look at them.
However, on Thanksgiving Day, be the infosec security expert Paul Moore that the hacker Wasabi they said the opposite. “You can start a remote stream and watch Eufy cameras using VLC. No authentication, no encryption,” writes Paul Moore.
Anker denies it, but there are other tests
Anker absolutely denied that this is possible. The Verge reports that Breet White of Anker’s PR team said: “I can confirm that it is not possible to start a stream and watch live content using a third-party player like VLC”.
However, The Verge reportedly retried the experiment with staff-owned Eufy security cameras placed in several locations across the United States. It would seem that to log in, you need le cameras are turned on: the owner must start the stream from their smartphone. But having the address of the camera, it would be possible to see on VLC the same feedback from the owners.
The good news is that it does not appear that any hackers have used this system, especially because you need the address of the camera to watch the feed. The bad news is that the variable part of the address would be the webcam serial number, written on the packaging and relatively easy to find. The serial number is encrypted with Base64easily obtainable with an online calculator.
Anker has not yet responded to these new evidence from The Verge, so there could be several causes for this unencrypted transmission. But if it were indeed common practice, this would represent a security risk.
Paul Moore started some legal proceedings against Anker to resolve the issue. Also because he also found that vEufy ideointercom would have uploaded thumbnail images without encrypting them first. Soon there may be news, we will keep you updated.
Leave a Reply
View Comments