One of the best-performing brands last Black Friday was Anker, the mobile accessories maker that became a tech giant thanks to its sales on Amazon.
[Batería infinita y placas solares: así son las nuevas cámaras de seguridad de Anker]
In fact, Anker is already so big that its repertoire goes far beyond chargers or cables; for example, it has other brands like Eufy, dedicated to home security with smart cameras and sensors.
Stranger access to home cameras
Just days after the biggest sales of the year, all those new customers may find themselves with a serious privacy issue in their own home. Cybersecurity expert Paul Moore confirmed a few days ago a vulnerability that allowed access video from cameras from internetwithout the need to enter our password or any type of control.
The problem was with the Eufy servers, to which the cameras connect, which accepted connection via a media player such as VLC, which allows content to be streamed. Finding a camera to mirror wasn’t difficult either, as the access address was based on the serial code of the camera. Therefore, an attacker could access what any eufy camera is recordingreal time.
So trying to gain exposure, as a Eufy product owner, is incredibly disappointing, but apparently you can play camera streams via VLC pic.twitter.com/cCYF7KgKvi
— Wasabi Burns [email protected] (@spiceywasabi) November 25, 2022
This is already bad in itself, but it is all the more worrying because precisely one of eufy’s promises is that it does not store our data private, and that all of its technology is based on local storage and not on external servers, in theory thanks to its “super intelligent Artificial Intelligence” integrated into all its devices. To close the loop, Eufy promises that the videos are end-to-end encrypted, so that only our mobile can display them; and yet the researcher was able to connect to the cameras without any type of password.
In addition to the video they record, it turns out that the cameras also send information to the servers, including the facial recognition of people that the camera detects in the images. This would not only contradict what it announces, but it could also violate European data protection regulations.
Eufy’s response
Perhaps more concerning than these security issues was Eufy’s reaction to his post. For starters, researcher Paul Moore was unable to comment further on the matter after “a lengthy discussion with the legal team” at Eufy; and when the trade media covered the news, the company’s first response was deny the greatestcriticizing the researcher’s methodology in response to android CenterIand directly stating that “it is not possible to view live video from a camera using VLC”.
Instead, the company admitted that the cameras send data to servers, but explains that this is due to a feature that displays camera images in mobile app notifications. To achieve this, the camera must send information to the server for it to transmit to our mobile, which was perhaps not entirely clear with the promises of local storage; That’s why Eufy claims he’s going to change the options language, but that’s the only change he’s officially promised.
Meanwhile, media like The edge there Ars-Technica they managed to access the cameras using VLC, with their own separate investigations, which tells us that Eufy didn’t initially take Investigator Moore’s revelation seriously.
A few days later, everything indicates that Eufy has finally changed his mind, and access to cameras is blocked by the server, although this may be a temporary measure before more profound changes to the operation of the server.
Finally, the company released a second statement today, in which it once again shows its “strong disagreement” with what it calls “accusations” about the safety of its products; but at least he accepts that “recent events may have worried some users”.
You may be interested
Follow the topics that interest you
Table of Contents
