A few days ago I read an article https://arstechnica.com/gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-feed-viewing/ on Ars Technica about how Eufy security cameras can be accessed via VLC (a media player application) with little effort.
As an owner of a Eufy indoor camera I wrote a concerned e-mail; this was the response:
Dear Jason XXXXXXXX,
Thanks for contacting eufy.
We appreciate the questions and suggestions you have raised with us. We feel sorry about the recent events causing you concerns and assure you that our commitment to our clients remains strong.
Our safety investigation team has finished an in-depth investigation and testing regarding the matters communicated. We adamantly disagree with the accusations levied against us concerning the security of our products. To help our clients get their own insights, we have published 2 statements in our community:
https://community.security.eufy.com/t/eufy-security-statement-to-our-community/3541186
https://community.security.eufy.com/t/eufy-security-statement-2-to-our-community/3544870
If you have any questions or suggestions, don't hesitate to contact us at any time!
Do you believe the security researchers, or Eufy? Class action lawsuit? I am looking forward to all comments and/or more information.
(Score: 2) by DannyB on Tuesday December 06, @06:46PM (3 children)
I tend to believe the security researchers. Especially if their results are (or were) reproducible by others.
It is bad enough that thumbnails were stored in the cloud.
It is total fail that VLC can obtain unencrypted video streams from cameras.
There seems to be some disconnect between their public claims about security and privacy and how the developers implemented the technical features of this product.
Couldn't the video camera at least use TLS for the video stream? And require some form of authentication before allowing a video stream?
I get constant rejection even though the compiler is supposed to accept constants.
(Score: 2) by Rosco P. Coltrane on Tuesday December 06, @08:22PM
I never believe a company that writes back "Our commitment to our clients remains strong" or any variation of that bromide to an important specific technical question. It means the reply was either:
1/ Automatically typed out by one of those awful support AIs
2/ Automatically typed out by a level-1 support techie who doesn't give a fuck about you and just wants to close your ticket as fast as possible to make their number
3/ Typed by a marketing or PR guy who barely knows how to fire up Word or Excel and won't admit they're not technically capable of answering you, but will serve you some BS because that's what they're paid for, and doesn't give a fuck about you either
and is a very strong indicator that the company is more interested in pacifying you than solving your problem.
(Score: 2) by Freeman on Tuesday December 06, @09:30PM (1 child)
While all of that is bad, this is possibly the more "obviously wrong and bad" part:
https://www.eufy.com/security?ref=sceneBanner2
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Freeman on Tuesday December 06, @09:32PM
Talking about not living up to the marketing spiel.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 4, Insightful) by fliptop on Tuesday December 06, @07:08PM (2 children)
...if you value your privacy. All I install are cameras made by Levelone [level1.com], which are expensive, along w/ a dedicated DVR that's on-site. Nothing gets uploaded to the cloud. When a client says, "but these cameras on Amazon / at Sam's Club are only $50!" I respond, "go ahead and get them, but I won't install them."
Now you know one of the reasons why. The security researchers are correct. Any surveillance camera that's both cheap and uses the cloud had to cut corners somewhere. Sometimes it's in the components, sometimes it's the firmware, sometimes it's how they secure their cloud server. Many times it's all 3.
To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity
(Score: 2) by RamiK on Tuesday December 06, @09:07PM (1 child)
While you're probably right that the products on the market are all insecure crap, it's still technically possible to put together an ESP32-based IP camera for around $10 [hackster.io] and have it run on end-to-end encrypted feed through a tunneled VPN that has the client and camera negotiate through something like husarnet/tailscale/netmaker/zerotier/wesher/innernet as this Husarnet how-to shows: https://husarnet.com/docs/begin-esp32-platformio
compiling...
(Score: 2) by fliptop on Tuesday December 06, @09:47PM
That may be true, but for the average consumer it's way beyond their scope. As for me, if I had time to do that for every client that wants surveillance cameras installed...yeah, no. I'm busy enough, and on a first-name basis w/ the tech support guy at Levelone. They treat me well and their equipment is top notch.
To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity