


Anker has built a remarkable reputation for quality over the past decade, growing its phone charger business into an empire spanning all manner of portable electronics, including the Eufy home security cameras we’ve recommended over the years. Eufy’s commitment to privacy is remarkable: it promises that your data will be stored locally, that it will never leave the security of your home, that its images will only be transmitted with state-of-the-art, end-to-end military-grade encryption, and that it will only send those images straight to your phone.

So you can imagine our surprise to learn that you can stream video from a Eufy camera on the other side of the country without any encryption.

Part of Anker’s Eufy Privacy Pledge. Screenshot by Sean Hollister/The Verge

Worse still, it’s not yet clear how widespread this could be, because instead of addressing it head-on, the company falsely claimed to The Verge that it wasn’t even possible.

On Thanksgiving Day, infosec consultant Paul Moore and a hacker who goes by Wasabi both alleged that Anker’s Eufy cameras can stream unencrypted through the cloud simply by connecting to a single address on Eufy’s cloud servers with the free VLC media player.

When we asked Anker to confirm or deny this, the company flatly denied it. “I can confirm that it’s not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, Senior PR Manager at Anker, told me by email.

But The Verge can now confirm that’s not true. This week we repeatedly watched live footage from two of our own Eufy cameras using that same VLC media player, from all over the US, proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.

There’s good news: there’s no evidence yet that this was exploited in the wild, and the way we originally got the address required logging in with a username and password before Eufy’s website would spit out the stream without encryption. (We’re not sharing the exact technique here.)

Also, it seems to only work on cameras that are awake. We had to wait for our floodlight camera to detect a passing car or its owner pressing a button before the VLC stream came to life.

Your camera’s 16-digit serial number, likely visible on the box, is the largest part of the key

But it also gets worse: Eufy’s best practices seem to be so poor that bad actors might be able to figure out the address of a camera stream, because that address largely consists of your camera’s serial number encoded in Base64, something you can easily reverse with a simple online calculator.

The address also includes a Unix timestamp that you can easily create, a token that Eufy’s servers don’t seem to actually validate (we changed our token to an arbitrary potato and it still worked), and a random four-digit hex value whose 65,536 combinations could easily be brute forced.

“That’s definitely not how it should be designed,” Jacob Thompson, vulnerability engineer at Mandiant, tells The Verge. For one thing, the serial numbers don’t change, so a bad actor could give or sell or donate a camera to Goodwill and quietly continue watching the streams. But also, he points out that companies don’t tend to keep their serial numbers secret. Some stick them directly on the box they sell at Best Buy; yes, including Eufy.
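What a validated stream grant looks like, as an added example that is not Eufy’s or Anker’s code: the server issues a short-lived token that is an HMAC over the device ID, the owning account and the expiry, so knowing a serial number and a timestamp is not enough. `SERVER_KEY`, `MAX_TTL`, `issue_token` and `verify_token` are hypothetical names, and the device and account IDs used with it are constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical server-side secret; it belongs in a KMS/HSM,
# never on the device and never in the URL.
SERVER_KEY = secrets.token_bytes(32)
MAX_TTL = 300  # seconds a stream grant may live (assumed policy)


def _mac(device_id: str, account_id: str, expires: int) -> str:
    # Length-prefix each field so "ab"+"c" and "a"+"bc" cannot collide.
    fields = (device_id.encode(), account_id.encode(), str(expires).encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(device_id: str, account_id: str,
                now: Optional[int] = None) -> Tuple[int, str]:
    """Call only after the account has authenticated and currently owns
    device_id; a previous owner of the camera then gets no new grants."""
    now = int(time.time()) if now is None else now
    expires = now + MAX_TTL
    return expires, _mac(device_id, account_id, expires)


def verify_token(device_id: str, account_id: str, expires: int,
                 token: str, now: Optional[int] = None) -> bool:
    """Gate on the stream endpoint: every field in the request is checked."""
    now = int(time.time()) if now is None else now
    if not isinstance(expires, int) or not (now <= expires <= now + MAX_TTL):
        return False  # expired, or a client-chosen far-future timestamp
    if not isinstance(token, str):
        return False
    expected = _mac(device_id, account_id, expires)
    # Constant-time compare; an arbitrary string never matches a 256-bit MAC.
    return hmac.compare_digest(expected.encode(), token.encode())
```

Because the MAC covers the expiry and the account, a client cannot mint its own timestamp, reuse a grant for another camera, or substitute a made-up token.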

On the plus side, Eufy’s serial numbers are 16 characters long and not just an increasing number. “You won’t be able to just guess IDs and start punching them,” says Mandiant Red Team consultant Dillon Franke, calling it a possible saving grace of this disclosure. “It doesn’t sound as bad as if it’s UserID 1000, then you try 1001, 1002, 1003.”

It could be worse. When Georgia Tech security researcher and Ph.D. candidate Omar Alrawi was studying smart home bad practices in 2018, he saw some devices substitute their own MAC address for security, even though a MAC address is only twelve characters, and you can usually figure out the first six characters just by knowing which company makes a gadget, he explains.

The serial number now becomes critical to keep secret.

But we also don’t know how those serial numbers could leak, or if Eufy might even unwittingly provide them to anyone asking. “Sometimes there are APIs that will return some of those unique credentials,” Franke says. “The serial number now becomes essential to secrecy, and I don’t think they would treat it that way.”

Thompson also wonders if there are other potential attack vectors now that we know Eufy’s cameras aren’t fully encrypted: “If the architecture is such that it can command the camera to start streaming at any moment, anyone with administrator access has the ability to access the IT infrastructure and watch your camera,” he warns. That’s a far cry from Anker’s claim that images are sent straight to your phone and only you have the key.

By the way, there are other worrying signs that Anker’s security practices could be much, much worse than it lets on. This whole saga began when infosec consultant Moore began tweeting accusations that Eufy had violated other security promises, including uploading thumbnail images (including faces) to the cloud without permission and failing to delete stored private data. Anker reportedly admitted the former, but called it a misunderstanding.

More disturbingly, if true, he also claims that Eufy’s encryption key for his footage is literally just the plaintext string [email protected]. This phrase also appears in a GitHub repository from 2019.

Anker did not answer The Verge’s simple yes-or-no question about whether [email protected] is the encryption key.

We were also unable to get more details from Moore; he told The Verge he could no longer comment now that he had taken legal action against Anker.

Now that Anker has been caught in some big lies, it will be hard to trust anything the company says next, but for some it may be important to know which cameras do and don’t behave this way, whether anything will be changed, and when. When Wyze had a vaguely similar vulnerability, it swept it under the rug for three years; hopefully Anker will do much, much better.

Some may no longer be willing to wait or trust. “If I came across this news and had this camera inside my house, I would immediately turn it off and not use it, because I don’t know who can see it and who can’t,” Alrawi told me.

Wasabi, the security engineer who showed us how to get a Eufy camera’s network address, says he ripped all of his out. “I bought these because I was trying to be safety conscious!” he exclaims.

With some specific Eufy cameras, you may be able to try changing them to use Apple’s HomeKit Secure Video instead.

With reporting and testing by Jen Tuohy and Nathan Edwards

Source: https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage
