Despite claims of only using local storage with its security cameras, Eufy has been caught uploading identifiable footage to the cloud. And it’s even possible to view the camera streams using VLC.
Worse, it’s not yet clear how widespread this might be — because instead of addressing it head-on, the company falsely claimed to The Verge that it wasn’t even possible.
On Thanksgiving Day, infosec consultant Paul Moore and a hacker who goes by Wasabi both alleged that Anker’s Eufy cameras can stream encryption-free through the cloud — just by connecting to a unique address at Eufy’s cloud servers with the free VLC Media Player.
When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.
But The Verge can now confirm that’s not true. This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.
There is some good news: there’s no proof yet that this has been exploited in the wild, and the way we initially obtained the address required logging in with a username and password before Eufy’s website will cough up the encryption-free stream. (We’re not sharing the exact technique here.)
Also, it seems like it only works on cameras that are awake. We had to wait until our camera’s owner pressed a button before the VLC stream came to life.
But it also gets worse: Eufy’s best practices appear to be so shoddy that bad actors might be able to figure out the address of a camera’s feed — because that address largely consists of your camera’s serial number encoded in Base64, something you can easily reverse with a simple online calculator.
The address also includes a Unix timestamp you can easily create, plus a token that Eufy’s servers don’t actually seem to be validating (we changed our token to “arbitrarypotato” and it still worked), and a four-digit random hex whose 65,536 combinations could easily be brute forced.
“This is definitely not how it should be designed,” Mandiant vulnerability engineer Jacob Thompson tells The Verge. For one thing, serial numbers don’t change, so a bad actor could give or sell or donate a camera to Goodwill and quietly keep watching the feeds. But also, he points out that companies don’t tend to keep their serial numbers secret. Some stick them right on the box they sell at Best Buy — yes, including Eufy.
On the plus side, Eufy’s serial numbers are long at 16 characters and aren’t just an increasing number. “You’re not going to be able to just guess at IDs and begin hitting them,” says Mandiant Red Team consultant Dillon Franke, calling it a possible “saving grace” of this disclosure. “It doesn’t sound quite as bad as if it’s UserID 1000, then you try 1001, 1002, 1003.”
It could be worse. When Georgia Tech security researcher and Ph.D. candidate Omar Alrawi was studying poor, smart home practices in 2018, he saw some devices substituting their own MAC address for security — even though a MAC address is only twelve characters long, and you can generally figure out the first six characters just by knowing which company made a gadget, he explains.
But we also don’t know how else these serial numbers might leak, or if Eufy might even unwittingly provide them to anyone who asks. “Sometimes there are APIs that will return some of that unique ID information,” says Franke. “The serial number now becomes critical to keep secret, and I don’t think they’d treat it that way.”
Thompson also wonders whether there are other potential attack vectors now that we know Eufy’s cameras aren’t wholly encrypted: “If the architecture is such that they can order the camera to start streaming at any time, anyone with admin access has the ability to access the IT infrastructure and watch your camera,” he warns. That’s a far cry from Anker’s claim that footage is “sent straight to your phone—and only you have the key.”
By the way, there are other worrying signs that Anker’s security practices may be much, much poorer than it has let on. This whole saga started when infosec consultant Moore started tweeting accusations that Eufy had violated other security promises, including uploading thumbnail images (including faces) to the cloud without permission and failing to delete stored private data. Anker reportedly admitted to the former, but called it a misunderstanding.
Most worrying if true, he also claims that Eufy’s encryption key for its video footage is literally just the plaintext string “[email protected]”. That phrase also appears in a GitHub repo from 2019, too.
Anker didn’t answer The Verge’s straightforward yes-or-no question about whether “[email protected]” is the encryption key.
We couldn’t get more details from Moore, either; he told The Verge he can’t comment further now that he’s started legal proceedings against Anker.
Now that Anker has been caught in some big lies, it’s going to be hard to trust whatever the company says next — but for some, it may be important to know which cameras do and do not behave this way, whether anything will be changed, and when. When Wyze had a vaguely similar vulnerability, it swept it under the rug for three years; hopefully, Anker will do far, far better.
Some may not be willing to wait or trust anymore. “If I came across this news and had this camera inside my home, I’d immediately turn it off and not use it, because I don’t know who can view it and who cannot,” Alrawi tells me.
Wasabi, the security engineer who showed us how to get a Eufy camera’s network address, says he’s ripping all of his out. “I bought these because I was trying to be security conscious!” he exclaims.
With some specific Eufy cams, you could perhaps try switching them to use Apple’s HomeKit Secure Video instead.
With reporting and testing by Jen Tuohy and Nathan Edwards
Update December 1st, 3:33PM ET: After further testing, we’re not seeing the VLC streams begin based solely on the camera detecting motion. We’re not sure if that’s a change since yesterday or something I got wrong in our initial report. It does appear that Eufy is making changes — it appears to have removed access to the method we were using to get the address of our streams, although an address we already obtained is still working.