SoylentNews is people

posted by janrinok on Tuesday December 06, @05:37PM   Printer-friendly

A few days ago I read an article https://arstechnica.com/gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-feed-viewing/ on Ars Technica about how Eufy security cameras can be accessed via VLC (a media player application) with little effort.

As an owner of a Eufy indoor camera I wrote a concerned e-mail; this was the response:

Dear Jason XXXXXXXX,

Thanks for contacting eufy.

We appreciate the questions and suggestions you have raised with us. We feel sorry about the recent events causing you concerns and assure you that our commitment to our clients remains strong.

Our safety investigation team has finished an in-depth investigation and testing regarding the matters communicated. We adamantly disagree with the accusations levied against us concerning the security of our products. To help our clients get their own insights, we have published 2 statements in our community:
https://community.security.eufy.com/t/eufy-security-statement-to-our-community/3541186
https://community.security.eufy.com/t/eufy-security-statement-2-to-our-community/3544870

If you have any questions or suggestions, don't hesitate to contact us at any time!

Do you believe the security researchers, or Eufy? Class action lawsuit? I am looking forward to all comments and/or more information.


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 3, Interesting) by DannyB on Tuesday December 06, @06:46PM (5 children)

    by DannyB (5839) Subscriber Badge on Tuesday December 06, @06:46PM (#1281416) Journal

    Do you believe the security researchers, or Eufy?

    I tend to believe the security researchers. Especially if their results are (or were) reproducible by others.

    It is bad enough that thumbnails were stored in the cloud.

    It is total fail that VLC can obtain unencrypted video streams from cameras.

    There seems to be some disconnect between their public claims about security and privacy and how the developers implemented the technical features of this product.

    Couldn't the video camera at least use TLS for the video stream? And require some form of authentication before allowing a video stream?

    --
    How often should I have my memory checked? I used to know but...
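The check DannyB is asking about, as an added example that is not part of this thread or of the Ars Technica article: a plain RTSP probe you can point at a camera on your own network to see whether it hands out its stream to anyone who asks (which is all "VLC can open the feed" means). It assumes only standard RTSP (RFC 2326) and Digest authentication (RFC 2617); the two sample replies are constructed for the offline checks, and the URL, user name and password are whatever your own device uses. It does not test encryption: a plain rtsp:// stream is cleartext whether or not it is authenticated.

```python
"""Added example: probe an RTSP endpoint for unauthenticated DESCRIBE.

RTSP is text over TCP. A 200 to DESCRIBE with no credentials means the SDP
(and the stream it describes) is open to anyone who can reach the port. A 401
with a WWW-Authenticate challenge means the camera at least demands
credentials; the Digest answer below lets the same probe confirm that real
credentials are then accepted.
"""
import hashlib
import re
import socket
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample replies (not captured from any real device).
SAMPLE_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
               b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
SAMPLE_AUTH = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
               b'WWW-Authenticate: Digest realm="cam", nonce="0123abcd"\r\n\r\n')


def build_describe(url: str, cseq: int, authorization: Optional[str] = None) -> bytes:
    """Serialise a DESCRIBE request; Authorization is sent only when given."""
    lines = [f"DESCRIBE {url} RTSP/1.0", f"CSeq: {cseq}", "Accept: application/sdp"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw RTSP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"RTSP/1\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError(f"not an RTSP response: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def classify(status: int, headers: Dict[str, str]) -> str:
    """Map the first reply to the verdict a practitioner cares about."""
    if status == 200:
        return "UNAUTHENTICATED"  # anyone who can reach the port can play it
    if status == 401:
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0].lower()
        return f"AUTH_REQUIRED:{scheme or 'unknown'}"
    return f"OTHER:{status}"


def parse_challenge(header: str) -> Dict[str, str]:
    """'Digest realm="cam", nonce="x"' -> {'realm': 'cam', 'nonce': 'x'}."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def digest_authorization(user: str, password: str, method: str, uri: str,
                         challenge: Dict[str, str]) -> str:
    """RFC 2617 Digest without qop, the variant most RTSP cameras implement."""
    def md5(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()
    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    response = md5(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def probe(url: str, user: Optional[str] = None, password: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Live check against a device you own: the classify() verdict, plus the
    status the camera returns once credentials are supplied."""
    parts = urlsplit(url)
    with socket.create_connection((parts.hostname, parts.port or 554), timeout) as s:
        s.sendall(build_describe(url, 1))
        status, headers = parse_response(s.recv(4096))
        verdict = classify(status, headers)
        if status == 401 and user is not None and verdict.endswith("digest"):
            auth = digest_authorization(user, password or "", "DESCRIBE", url,
                                        parse_challenge(headers["www-authenticate"]))
            s.sendall(build_describe(url, 2, auth))
            status, _ = parse_response(s.recv(4096))
            verdict += f" (with credentials: {status})"
        return verdict


if __name__ == "__main__":
    import sys
    # usage: python rtsp_probe.py rtsp://CAMERA_IP:554/stream [user password]
    print(probe(sys.argv[1], *sys.argv[2:4]))
```

If the verdict is UNAUTHENTICATED, the camera's own firewall is the only thing between the feed and the network; if it is AUTH_REQUIRED but the URL scheme is still rtsp://, the credentials and the video both cross the wire in the clear, which is the other half of DannyB's question.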
    • (Score: 5, Interesting) by Rosco P. Coltrane on Tuesday December 06, @08:22PM (2 children)

      by Rosco P. Coltrane (4757) on Tuesday December 06, @08:22PM (#1281431)

      I never believe a company that writes back "Our commitment to our clients remains strong" or any variation of that bromide to an important specific technical question. It means the reply was either:

      1/ Automatically typed out by one of those awful support AIs
      2/ Automatically typed out by a level-1 support techie who doesn't give a fuck about you and just wants to close your ticket as fast as possible to make their number
      3/ Typed by a marketing or PR guy who barely knows how to fire up Word or Excel and won't admit they're not technically capable of answering you, but will serve you some BS because that's what they're paid for, and doesn't give a fuck about you either

      and is a very strong indicator that the company is more interested in pacifying you than solving your problem.

      • (Score: 3, Funny) by driverless on Wednesday December 07, @11:30AM (1 child)

        by driverless (4770) on Wednesday December 07, @11:30AM (#1281520)

        I never believe a company that writes back "Our commitment to our clients remains strong" or any variation of that bromide to an important specific technical question

        Well it can't be that serious because they didn't say "We take security seriously", the thoughts and prayers of security incident response. "Commitment to clients" is about Defcon 3 on the we-don't-care scale that ends at "We take security seriously".

        • (Score: 2) by DannyB on Wednesday December 07, @09:37PM

          by DannyB (5839) Subscriber Badge on Wednesday December 07, @09:37PM (#1281610) Journal

          If they took security seriously, they would wear the t-shirts inside-out so that nobody can see the hardcoded passwords baked in to the firmware.

          --
          How often should I have my memory checked? I used to know but...
    • (Score: 5, Touché) by Freeman on Tuesday December 06, @09:30PM (1 child)

      by Freeman (732) Subscriber Badge on Tuesday December 06, @09:30PM (#1281441) Journal

      While all of that is bad, this is possibly the more "obviously wrong and bad" part:
      https://www.eufy.com/security?ref=sceneBanner2

      Why Local Matters

      eufy Security knows that home and privacy protection are equally important. That’s why we offer free local storage so you don't have to worry about cloud storage, data leaks, or subscription fees.

      Our local security ecosystem secures your entire home—from the baby's room to the backyard—and you know with confidence that every detail of your life is stored locally, safe in your hands.

      Experience freedom with the safety of eufy Security—protecting you, your family, and your privacy.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 3, Touché) by Freeman on Tuesday December 06, @09:32PM

        by Freeman (732) Subscriber Badge on Tuesday December 06, @09:32PM (#1281442) Journal

        Talking about not living up to the marketing spiel.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 5, Insightful) by fliptop on Tuesday December 06, @07:08PM (8 children)

    by fliptop (1666) on Tuesday December 06, @07:08PM (#1281422) Journal

    ...if you value your privacy. All I install are cameras made by Levelone [level1.com], which are expensive, along w/ a dedicated DVR that's on-site. Nothing gets uploaded to the cloud. When a client says, "but these cameras on Amazon / at Sam's Club are only $50!" I respond, "go ahead and get them, but I won't install them."

    Now you know one of the reasons why. The security researchers are correct. Any surveillance camera that's both cheap and uses the cloud had to cut corners somewhere. Sometimes it's in the components, sometimes it's the firmware, sometimes it's how they secure their cloud server. Many times it's all 3.

    --
    To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity
    • (Score: 3, Informative) by RamiK on Tuesday December 06, @09:07PM (7 children)

      by RamiK (1813) on Tuesday December 06, @09:07PM (#1281436)

      While you're probably right that the products on the market are all insecure crap, it's still technically possible to put together an ESP32-based IP camera for around $10 [hackster.io] and have it run an end-to-end encrypted feed through a tunneled VPN that has the client and camera negotiate through something like husarnet/tailscale/netmaker/zerotier/wesher/innernet, as this Husarnet how-to shows: https://husarnet.com/docs/begin-esp32-platformio

      --
      compiling...
      • (Score: 2) by fliptop on Tuesday December 06, @09:47PM (4 children)

        by fliptop (1666) on Tuesday December 06, @09:47PM (#1281447) Journal

        it's still technically possible to put together an esp32 based ip camera for around $10

        That may be true, but for the average consumer it's way beyond their scope. As for me, if I had time to do that for every client that wants surveillance cameras installed...yeah, no. I'm busy enough, and on a first-name basis w/ the tech support guy at Levelone. They treat me well and their equipment is top notch.

        --
        To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity
        • (Score: 4, Insightful) by RamiK on Tuesday December 06, @11:14PM (3 children)

          by RamiK (1813) on Tuesday December 06, @11:14PM (#1281457)

          By "technically possible" I meant to say that there are cheap and readily available MCUs and free open source software stacks for manufacturers to put together consumer and industrial grade products at a similar (identical?) BoM and profit margins to these existing IoT cameras. Not that contractors such as yourself should be rolling their own.

          Fundamentally, wireless cameras shouldn't even be considered for security in the first place since one can simply go on AliExpress and order a $20 wifi jammer to disable them. So, if you're running cables anyhow, you might as well get good quality cameras, capture and streaming hardware with local storage and remote access for streaming / off-site (cloud) backups as you see fit. Though there IS a FOSS project covering the latter: https://www.ispyconnect.com/

          --
          compiling...
          • (Score: 3, Interesting) by fliptop on Wednesday December 07, @01:26AM (2 children)

            by fliptop (1666) on Wednesday December 07, @01:26AM (#1281470) Journal

            wireless cameras shouldn't even be considered for security in the first place

            Agreed. I had a client ask me if I'd install wireless cameras in and around his house. I said you're better off using PoE b/c "wireless" cameras aren't really wireless, you still have to provide power to the unit somehow.

            Of course, if the camera is out of reach you can use wasp spray to cloud the lens from up to 25 feet away. Or you can wear a hat that has a bunch of IR LED's to drown out the image of your face. Where there's a will, there's a way.

            --
            To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity
            • (Score: 2) by RamiK on Wednesday December 07, @02:47PM (1 child)

              by RamiK (1813) on Wednesday December 07, @02:47PM (#1281541)

              you still have to provide power to the unit somehow.

              One of the MCU camera projects (I've seen while googling stuff to link earlier) had a motion detector, SD card slot and a battery that could keep the camera off for days, so it should be doable for the espionage type things I guess? The real appeal of the tech is for anti-theft and dash cams in cars where a motion detector could be used to keep the energy consumption low so you won't wake up to an empty car battery in the morning before heading off to work. I've also seen MCUs with low-power NPUs, so those could be used for facial recognition in doorways in cases where the power goes out and you're limited to a battery.

              Regrettably, it's clear manufacturers are hell bent on using the wrong tools for the job.

              Or you can wear a hat that has a bunch of IR LED's to drown out the image of your face. Where there's a will, there's a way.

              Back during covid I was asked to remove my mask and hat at the airport. The hat was obvious but when I was handed a cheap surgical mask they told me the respirator ones with a hardwire running down the middle obscure the nose and make facial recognition problematic.

              Of course, if the camera is out of reach you can use wasp spray to cloud the lens from up to 25 feet away.

              A career criminal would use a $100 paintball gun for that 100-foot range.

              Anyhow, I always assumed the obvious cameras are just fake plastic packages and the real cameras are hidden to prevent those sorts of things...

              --
              compiling...
              • (Score: 2) by hendrikboom on Thursday December 08, @11:24PM

                by hendrikboom (1125) on Thursday December 08, @11:24PM (#1281789) Homepage Journal

                Anyhow, I always assumed the obvious cameras are just fake plastic packages and the real cameras are hidden to prevent those sorts of things...

                I've wondered this, too.
                And also how many installations have only fake plastic packages and no real cameras at all.

      • (Score: 2) by Rich on Wednesday December 07, @11:38AM (1 child)

        by Rich (945) on Wednesday December 07, @11:38AM (#1281521) Journal

        Had a look on the level1 site and checked for prices. Their cheapest analog camera is sold at around 30 bucks, which I think is the opposite of "expensive". Going to vandalproof, varifocal and IP bumps that up to 500, which still strikes me as somewhat reasonable. A tact switch goes for a few cents, but a vandalproof push button is hard to get below a tenner, anywhere. From my impression of the products (incoherent product design), I'd say they're just a reseller of cheap Chinese stuff, their markup is for making sure the cheap Chinese stuff works.

        A long time ago, I saw an advertisement for a RAM reseller in a trade mag. Could've been Kingston. The ad showed two identical RAM sticks, with one having their brand sticker attached. Question above: "How much is that sticker worth to you?". I think that really brought home the point.

        • (Score: 2) by fliptop on Wednesday December 07, @01:21PM

          by fliptop (1666) on Wednesday December 07, @01:21PM (#1281531) Journal

          they're just a reseller of cheap Chinese stuff

          Their hardware is made in Taiwan.

          --
          To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity
  • (Score: 2) by RamiK on Saturday December 17, @10:28PM

    by RamiK (1813) on Saturday December 17, @10:28PM (#1282934)