
 




Anker's Eufy Breaks Its Silence on Security Cam Security (theverge.com)

An anonymous reader shares a report: On the last episode of "Will Anker ever tell us what's actually going on with its security cameras rather than lying and covering its tracks," we told you how Eufy's customer support team is now quietly providing some of the answers to the questions that the company had publicly ignored about its smart home camera security. Now, Anker is finally taking a stab at a public explanation, in a new blog post titled "To our eufy Security Customers and Partners." Unfortunately, it contains no apology, and doesn't begin to address why anyone would be able to view an unencrypted stream in VLC Media Player on the other side of the country, from a supposedly always-local, always-end-to-end-encrypted camera.

  • Ey-uh-uh-uh-uh-uhhhfy
  • It's there (Score:4, Insightful)

    by TwistedGreen ( 80055 ) on Wednesday December 21, 2022 @12:53PM (#63147978)
    If you read between the lines, they seem to admit that they were relying on a unique token in the URL to authenticate the viewer, and if you copy-pasted this to someone else you could watch the stream without authenticating. Your data doesn't have to be "in the cloud" to relay the stream from your device. At least now they're also checking the session cookie to ensure you're actually logged in first, but provided the token is unpredictable this isn't much of a security risk unless you shared that token. Am I reading that right?

    It would be so much better if they just open-sourced their code, though. After all it's going to be open-sourced anyways when someone hacks their Github.
    • Yes, that's exactly what was happening. It's exactly like AWS S3 Presigned URLs. If you give it out, other people can watch it.

      • by sjames ( 1099 )

        But apparently it is also possible to get the camera to send an unencrypted stream out. There's more to this story.

    • It's really unfortunate that they can't own up to their mistakes and try to do better. I've promised myself to not buy any anker products, unless they deal with this situation correctly. It's a shame, since anker makes really high quality stuff, but clearly they cannot be trusted with my data.
      • Seems to me this whole thing is the user not understanding security. There is nothing insecure about a token of a certain entropy passed via an HTTPS URL. For all practical purposes this locks the camera to the user login where the token is obtained from, something no one seems to acknowledge. And this is how it is across the entire industry, such as almost everything on AWS. Many people seem to want extra security theatre without saying how it would even increase security, mostly because it *feels* more secure.
        • How is the user supposed to understand the security of their device properly when the marketing literally states front and centre that everything is "stored locally" and that they don't use the cloud? That's the whole reason this blew up in the first place. I wouldn't really care that much if they didn't specifically market their doorbells like that.
    • by J-1000 ( 869558 )

      I don't know much about networking, but doesn't every URL request get logged at your ISP? So at the very least they have access to all your cams too.

      • If your browser is using HTTPS (which is the default nowadays), your ISP can see that you've connected to a particular server, and may also know what domain you're visiting. However, the rest of the request, including everything after the https://domain/, is encrypted.
      • but doesn't every URL request get logged at your ISP?

        Only if it is insecure. A URL is encapsulated in a GET request. This is done after connection to a server, and if that connection is encrypted via SSL or TLS then the GET request itself is also encrypted. The ISP knows which domain you connect to, and nothing more.

          • The URL is not encrypted. If it were encrypted, then there would be no way for your ISP to know which domain to forward the GET request to.

          • The domain and the path to the resource (the "URL") are separate parts of the HTTP request, the former is visible to the ISP, the latter is encrypted under HTTPS. Perhaps if you don't know how basic HTTP works you should avoid involving yourself in such technical discussions.
          • A URL is not sent to your ISP. It's typed into your browser. The browser then does a few things with it, starting with making a request to your ISP for an IP lookup of *just* the domain portion of the URL (formally called the "authority"). It then looks for the presence of a port override (denoted by a colon) to see which port it needs to connect to, and looks for the type of protocol it will use to communicate with the authority (formally called the "scheme") and then makes an appropriate connection to tha
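To make the split between what an ISP can observe and what HTTPS protects concrete, here is an added Python example (not from any poster in this thread) that splits a URL the way the reply above describes and labels each component. The hostnames and addresses are constructed, and the default-port table and the assumption that only https/wss wrap the request in TLS are mine.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed defaults for the schemes a camera client is likely to use.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "rtsp": 554}
# Assumption: only these schemes wrap the request in TLS; the rest are cleartext.
ENCRYPTED_SCHEMES = {"https", "wss"}


def wire_visibility(url: str) -> dict:
    """Split a URL the way a client does and report what an on-path observer
    such as an ISP can see versus what stays inside the encrypted channel."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    try:
        ipaddress.ip_address(host)
        host_is_ip = True           # IP literal: no DNS query is ever sent
    except ValueError:
        host_is_ip = False
    encrypted = scheme in ENCRYPTED_SCHEMES

    # Channels through which the destination name leaks to the network.
    host_via = []
    if not host_is_ip:
        host_via.append("dns-query")
    if encrypted:
        host_via.append("tls-sni")            # ClientHello carries the name in clear
    else:
        host_via.append("cleartext-request")  # the whole request line is readable

    request = {"path": parts.path or "/", "query": parts.query,
               "userinfo": parts.username}
    return {
        "observer_sees": {"host": host, "host_via": host_via, "port": port,
                          "transport_encrypted": encrypted},
        # Path, query and credentials ride inside the request line/headers:
        # visible on the wire only when the transport is cleartext.
        "request": request,
        "request_on_wire": None if encrypted else request,
        # The fragment is handled by the client and never leaves the machine.
        "never_sent": {"fragment": parts.fragment},
    }


def describe(url: str) -> str:
    v = wire_visibility(url)
    o = v["observer_sees"]
    leak = "cleartext request" if v["request_on_wire"] else "encrypted request"
    return (f"{url}\n  observer sees: {o['host']} via {'/'.join(o['host_via'])}, "
            f"port {o['port']}, {leak}")


if __name__ == "__main__":
    # Constructed sample URLs; example.com names are reserved for documentation.
    for u in ("https://cam.example.com/stream/abc?token=secret#live",
              "http://cam.example.com/stream/abc?token=secret",
              "rtsp://192.168.1.20:8554/live"):
        print(describe(u))
```

The point for a camera with a token in the URL: under HTTPS the token sits in the query string, which never appears on the wire in clear, while the hostname still leaks through the DNS lookup and the TLS SNI field; under plain HTTP or RTSP the token is as visible as the hostname.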

    • I doubt they'd be doing a relay. What they're more likely doing is NAT hole punching for external access, which doesn't require ports to be forwarded at the router. But then not having the camera validate which IP is trying to access the stream.

      • by sims 2 ( 994794 )

        I'd assume it'd have to be a relay, latency seems way too high otherwise, plus quality is inconsistent even when on the same wifi network.

        • On the same wifi network, it should be smart enough to skip NAT punching entirely and just go IP to IP. Why is there not a single local-only solution that isn't just a mess from top-to-bottom?

    • by AmiMoJo ( 196126 )

      It's actually best practice and a well tested method. For example, if you share something on Google it generates a random URL for you to give out. Guessing it is impractical. The only issue is that you can't control who other people give the URL to, although you can revoke it.
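The capability-URL design discussed in TwistedGreen's post above (an unpredictable token in the URL, now also checked against the session cookie) and in this reply (random share URLs that can be revoked), as an added Python example that is not from the thread and not Anker's or AWS's code. The relay host, signing key, stream ids and session ids are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example key; a real service would load it from a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"
RELAY = "https://relay.example.invalid"   # placeholder relay host
REVOKED: set = set()                       # stream ids whose URLs no longer work


def new_stream_id() -> str:
    """32 bytes of OS randomness, base64url-encoded: the 'unpredictable token'
    the thread talks about. Guessing it is impractical; leaking it is the risk."""
    return secrets.token_urlsafe(32)


def _signature(stream_id: str, expires: int, session_id: Optional[str]) -> str:
    # Signing the session id (or an empty string) is what binds a URL to a login.
    msg = f"{stream_id}|{expires}|{session_id or ''}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_stream_url(stream_id: str, ttl_seconds: int,
                    session_id: Optional[str] = None,
                    now: Optional[int] = None) -> str:
    """Issue a presigned-style URL. With session_id=None it is a pure bearer
    token, like an S3 presigned URL: whoever holds it can fetch the stream."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires,
                       "sig": _signature(stream_id, expires, session_id)})
    return f"{RELAY}/stream/{stream_id}?{query}"


def authorize(url: str, presented_session: Optional[str] = None,
              bind_to_session: bool = True,
              now: Optional[int] = None) -> bool:
    """Server-side check for a stream request.

    bind_to_session=False reproduces the original design: the token alone is
    proof, so a copied URL works from any client. bind_to_session=True
    reproduces the fix: the signature must also match the session cookie the
    client presents, so a shared URL fails for anyone else."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    stream_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        presented_sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if stream_id in REVOKED or now >= expires:
        return False
    session_for_check = presented_session if bind_to_session else None
    expected = _signature(stream_id, expires, session_for_check)
    # Constant-time comparison so the check does not leak signature bytes.
    return hmac.compare_digest(presented_sig, expected)


def revoke(stream_id: str) -> None:
    """Kill every URL issued for a stream without rotating the signing key."""
    REVOKED.add(stream_id)


if __name__ == "__main__":
    cam = new_stream_id()
    shared = make_stream_url(cam, 300)
    print("bearer URL from another client:", authorize(shared, "mallory", False))
    bound = make_stream_url(cam, 300, session_id="alice")
    print("bound URL from alice:", authorize(bound, "alice"))
    print("bound URL from mallory:", authorize(bound, "mallory"))
```

The two modes of `authorize` are the before and after of the thread's reading of the blog post: a bearer URL is only as secret as the people it has been sent to, while a session-bound URL is useless to anyone who did not log in, and `revoke` covers the "you can revoke it" case without touching the key.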

  • I had my AC units replaced last year (Trane), and the "smart" thermostats that I didn't want but the units apparently need aggressively try to make connections to servers in China. Obviously I disallow that. All this needless junk like LED light bulbs and dishwashers with Wi-Fi (why?) all try to connect to somewhere in China.
    • by ffkom ( 3519199 ) on Wednesday December 21, 2022 @01:12PM (#63148032)
      Because you bought stuff that was made in China.

      Similarly, when you buy stuff from the US, you can watch all those aggressive connection attempts going to servers in the US.

      The solution is quite simply to not buy stuff that is unnecessarily connected to the Internet, at all.
    • all try to connect to somewhere in China.

      Of course. They are made in China. If they were made in the west they would all needlessly connect to a server somewhere in the USA. 99% of the time this is down to the stupidity of the coder.
      Q: How do we know we have an internet connection?
      A: Ping www.baidu.cn obviously.

      Heck 100% of Windows devices do something similar. Microsoft even registered a domain name specifically for an icon in the taskbar. I kid you not, that "Network Connectivity Status Indicator" in your taskbar that shows whether you have internet

    • Because the mainland is an enemy society, not a society with an enemy government. The CCP fully represents modern China no matter how desperate gullibles wish it were otherwise.

      Internet of Toys exists to build vulns into customer infrastructure at customer expense, well deserved as customers are naive, childish and stupid for the most part. (Techies are always a minority.)

  • by SpzToid ( 869795 ) on Wednesday December 21, 2022 @01:27PM (#63148074)
    Wyze Cam RTSP [wyze.com]. I'm happy with the quality of my $35 outdoor camera(!), which is pointed outside, towards a very public street, is not available to the public and certainly with nothing personal on it.
    • Unfortunately they lack IPv6 connectivity, making remote monitoring a port forwarding nightmare. Imagine having several cams at a remote site that you wish to monitor. You're forced to forward ports for each cam on separate external ports. Juggling which cam is on which port isn't fun.
      If they supported IPv6 you could easily access the cams remotely by hostname. I can dream I suppose. I don't see IPv6 taking hold so long as everyone is content with using relay servers on the net.
      • ...or you could implement a VPN using IPv4 and non-routing subnets [geeksforgeeks.org]. Check out WireGuard. Or NeoRouter Free version for up to 255 devices.

      • Companies that don't support IPv6 don't deserve your time or money.
      • What you propose is essentially, the IoT nightmare: IoT devices that are exposed to the Internet without any firewall protection.

        Sounds great, until some vulnerability shows up in the software on the IoT device and that vulnerability never gets patched, because that's the reality of IoT devices.

      • I'm still on IPv1, you insensitive clod!

        To send a reply, use address 182.

    • I am not unsure you are not using exactly the same chipset as on the Anker product line. The cloud side certainly might have different code, but in the IoT device world, the chipsets are whatever is cheapest that has a published base config that is 95% of the way to a product to bring to market. Fact is the high volume chipset makers write the vast majority of code for most of the assemblers of home IoT. A Chinese programmer gains no benefit to making a product secure, his goal is time to market and cheapes
    • And their ability to see in the dark beats anything else on the market at even five times that price.

  • The software and documentation show all the signs of poor QA and security review across the industry. Network-wise I continue to say the same words as in 2013: if you don't control the code and both endpoints, you have just created a tunnel to a sensor for someone else. Hack these things; someone gave you a chipset and a plastic molding part cheaper than you can make 10-20 of them at home. If you don't know how to nerf these things with your home network setup, fix that first.
    • They are $30 cameras in a sea of $30 cameras .... you think they're spending a lot on development to make slim margins? You ever work in physical China?
  • This is why I run several VLANs in my home. My network is set up such that any device whose software I don't control is segregated away from my NAS and computers. Further, I block internet access from any IoT device unless I understand what they are doing with the internet connection.

    Yes, it can be a pain in the A$$, and I sometimes live without that Connected App that nobody needed 5 years ago. Turns out that in most cases I still don't need that connected app.
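One way to express the VLAN policy this post describes (IoT devices segregated from the NAS and computers, no Internet access for an IoT device unless its traffic has been reviewed) so it can be checked against connection records, as an added Python example. It is not the poster's configuration: the 10.0.10.0/24 and 10.0.20.0/24 VLANs, the resolver address, the vetted device and the sample flow lines are all constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing: VLAN 10 = trusted LAN (NAS, PCs), VLAN 20 = IoT.
TRUSTED = "10.0.10.0/24"
IOT = "10.0.20.0/24"
RESOLVER = "10.0.10.1/32"        # assumed local DNS forwarder on the router
VETTED_DEVICE = "10.0.20.31/32"  # one IoT device whose cloud traffic was reviewed
ANYWHERE = "0.0.0.0/0"
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None = any destination port
    note: str


POLICY: List[Rule] = [
    Rule("allow", TRUSTED, IOT, None, "LAN manages and pulls video from IoT"),
    Rule("allow", IOT, RESOLVER, 53, "IoT may resolve names locally"),
    *[Rule("deny", IOT, net, None, "IoT never initiates to internal networks")
      for net in PRIVATE],
    Rule("allow", VETTED_DEVICE, ANYWHERE, 443, "reviewed device may reach its cloud"),
    Rule("allow", TRUSTED, ANYWHERE, None, "trusted hosts may browse"),
]   # anything else falls through to the default deny in evaluate()


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins, as in a stateful firewall; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.note
    return "deny", "default deny"


FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def audit(flow_lines: List[str], policy: List[Rule] = POLICY) -> List[dict]:
    """Run new-connection records through the policy; useful both to check
    the ruleset and to spot devices that keep trying to reach the Internet."""
    results = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        action, note = evaluate(policy, src, dst, dport)
        results.append({"src": src, "dst": dst, "dport": dport,
                        "action": action, "note": note})
    return results


# Constructed flow records, not real logs.
SAMPLE_FLOWS = [
    "src=10.0.20.31 dst=203.0.113.9 dport=443",   # vetted camera -> its cloud
    "src=10.0.20.32 dst=203.0.113.9 dport=443",   # other camera -> same cloud
    "src=10.0.20.32 dst=10.0.10.50 dport=445",    # camera -> NAS SMB
    "src=10.0.10.5 dst=10.0.20.32 dport=554",     # PC -> camera RTSP
    "src=10.0.20.32 dst=10.0.10.1 dport=53",      # camera -> local resolver
]

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        print(f"{r['action']:5} {r['src']} -> {r['dst']}:{r['dport']}  ({r['note']})")
```

The ordering matters: the explicit deny of IoT to private ranges sits before the per-device Internet allow, so even the reviewed device can reach its cloud on 443 but still cannot open a connection to the NAS on the same port. Running real connection logs through `audit` shows which devices the "block until understood" rule is actually stopping.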
