Cameras sold in Norway are a security disaster

• The-Verge
• lie
• security
• camera
• encryption
• permalink

 Facebook |  X/Twitter |  LinkedIn |  Reddit |  Email |  Link

"Server error" allowed Eufy owners to see into each other's homes,"

Such poor security that it is hard to fathom
At the time, customers of Anker's "security cameras" explained that they "could see every single camera, front door, back door, bedroom, living room, garage, kitchen, their recording started by motion, everything."

Furthermore, we reported that "Eufy has stated to Android Police that the error lasted for an hour and that it did not affect their baby-call products. On Reddit, a message is shared that should have been sent from Eufy to their customers.”

There should also be problems with content that should not be shared with the cloud being shared with the cloud regardless of whether the function is not activated - the security key should also be out of the way (Paul Moore has sued Anker):

Videos from Eufy cameras are not even encrypted
Now it is the winter of 2022 and the problem is not fixed but is so much worse than anyone could have imagined. According to The Verge, even the company has lied to them and said that what is happening now is not technically possible.

So what is happening now? Yes, it is possible via a hack to connect to any Anker Eufy camera via video apps such as VLC - that's right; there is no encryption of the video stream, despite Anker's advertising:

Supposedly lied to The Verge
The problems continue for Anker, for The Verge asked the company, which is mainly known for chargers if it is actually true that you can video stream other people's security cameras with VLC because nothing is encrypted. The advantage is that sleeping cameras will not be woken if you try.

“I can confirm that it is not possible to start a stream and watch live video with a third-party player like VLC,” Brett White explained to The Verge.

The newspaper can now confirm that this is not true:

This week we repeatedly watched live footage from two of our own Eufy cameras using the same VLC media player from across the US. It proves that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.

“But it gets worse”
According to The Verge, it has not been proven that malicious actors have tried the trick before, which includes logging in with a username and password "before Eufy's website hosts the encryption-free stream."

Okay, that's good. It's also good that the cameras have to be active to peek, but there is an even bigger problem that follows this:

“Eufy's best practices appear to be so poor that malicious actors may be able to figure out the address of a camera stream. This is because the address largely consists of the camera's serial number coded in Base64, which you can easily reverse with a simple online calculator."

Comments: