eufy security cameras are not as secure as they claim

A security engineer named Wasabi Burns on Twitter has eufy-brand security cameras. However, he announced his intention to get rid of them all after finding out that their recordings can be accessed using a commonly used video player application.

According to eufy’s advertising, this should not be possible, as the data from the cameras is stored locally and with strong encryption. However, it appears that this is not the case.

Using the free VLC Media Player, it is possible to start an “unencrypted” stream from an active eufy camera simply by connecting to a supposedly “unique” cloud server address.

The staff at The Verge claim to have successfully replicated this technique by connecting to a camera on the opposite side of the United States.

Accessing the replay URL requires having previously logged in with the victim’s username and password, and the camera must be activated by someone at the location (e.g. by motion being detected), so it’s not as serious as it could be.

However, as the URL “mainly consists of the Base64 encoded serial number”, as well as an easily generated Unix timestamp and a random number from 0 to 65535, the address can be obtained fairly easily by brute-forcing.

A representative from Anker, eufy’s parent company, categorically denied when contacted that it was possible to start these streams in VLC.

On the other hand, the researcher published an update pointing out that the method is now less easy to carry out, which may indicate that eufy is addressing the vulnerability in question.
