
DanTrachrt t1_j8sd3y5 wrote

Out of the loop here, what happened with Eufy? Never even heard of Eufy before.

15

GENOCIDUS_REX t1_j8sdstd wrote

https://arstechnica.com/gadgets/2023/02/ankers-eufy-admits-problems-with-unencrypted-video-access-pledges-overhaul/

Their “no cloud” security cameras would actually allow third party access to unencrypted streams.

It took 3 months for them to come clean about the issue. An absolute disaster from a security perspective - multiple, multiple failings were required for those products to hit market.

67

ahecht t1_j8sqhbn wrote

That article is really misleading.

> The encryption scheme on the URLs also seemed to lack sophistication; as the same researcher told Ars, it took only 65,535 combinations to brute-force,

It only takes 65,535 guesses if you already know the serial number, which is a 16-digit non-sequential alphanumeric string that would take longer than the age of the universe to guess.

23

GENOCIDUS_REX t1_j8syrdy wrote

I provided a source. You can do the same.

4

ahecht t1_j8t0nhx wrote

https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage

If you read in between the fearmongering:

> the way we initially obtained the address required logging in with a username and password before Eufy’s website will cough up the encryption-free stream.

> that address largely consists of your camera’s serial number encoded in Base64

> On the plus side, Eufy’s serial numbers are long at 16 characters and aren’t just an increasing number. “You’re not going to be able to just guess at IDs and begin hitting them,” says Mandiant Red Team consultant Dillon Franke, calling it a possible “saving grace” of this disclosure. “It doesn’t sound quite as bad as if it’s UserID 1000, then you try 1001, 1002, 1003.”

16

GENOCIDUS_REX t1_j8t5dx3 wrote

Ah, not as bad as it first looked, but:

> he points out that companies don’t tend to keep their serial numbers secret. Some stick them right on the box they sell at Best Buy — yes, including Eufy.

I’m good with condemning this massive lapse/lie about “no cloud” devices.

Their original statements, from that link:

> With secure local storage, your private data never leaves the safety of your home, and is accessible by you alone.

False. Facial ID images were uploaded to the Eufy cloud.

> All recorded footage is encrypted on-device

False. Footage was not encrypted. At all. Only the URL was encrypted, not the footage. This is also known as a lie.

21

Mindestiny t1_j8wj1yw wrote

Whether or not they lied is a separate issue to whether or not your camera data was feasibly vulnerable to attack.

2

[deleted] t1_j8t1h5j wrote

[deleted]

−4

ahecht t1_j8t228b wrote

There are two different parts of the URL, one is a 4-digit hexadecimal number that has 65,535 possibilities, the other is the 16-digit serial number that has 43-thousand-million-million-million possibilities. The "researcher" was only able to brute force it in 65,535 tries because they had physical access to the camera and were able to read the serial number off the label.

2
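An added Python illustration of the two points argued in this comment (it is not code from the thread or from Eufy): Base64 is a reversible encoding rather than encryption, so an address built from a serial hands the serial to whoever holds the address, and the 4-hex-digit component is only a 16-bit search, while an unknown 16-character serial dominates the keyspace. The sample serial, the 36-character alphabet and the guess rate are constructed assumptions.

```python
import base64
import math

# Constructed sample serial (NOT a real Eufy serial): 16 upper-case alphanumerics.
SAMPLE_SERIAL = "T8210ABC1D2E3F4G"


def encode_serial(serial: str) -> str:
    """Base64 is an encoding, not encryption: no key is involved."""
    return base64.b64encode(serial.encode("ascii")).decode("ascii")


def decode_serial(token: str) -> str:
    """Anyone holding the encoded address recovers the serial without any secret."""
    return base64.b64decode(token.encode("ascii")).decode("ascii")


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of uncertainty an attacker faces if every string is equally likely."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Expected search time: on average half the keyspace is tried before a hit."""
    return (space / 2) / guesses_per_second


def compare_components(guesses_per_second: float = 1e6) -> dict:
    """Compare guessing the 4-hex-digit part alone with guessing it plus an unknown serial.

    The comparison only holds while the serial is actually secret; a serial printed on
    the retail box (the Verge quote above) collapses the second case back into the first.
    """
    hex_part = keyspace(16, 4)       # 16 bits; the thread quotes this as 65,535 tries
    serial_part = keyspace(36, 16)   # assumption: digits plus upper-case letters
    year = 365.25 * 86400
    return {
        "hex_only": hex_part,
        "hex_only_bits": entropy_bits(16, 4),
        "hex_only_seconds": seconds_to_exhaust(hex_part, guesses_per_second),
        "with_unknown_serial_bits": entropy_bits(16, 4) + entropy_bits(36, 16),
        "with_unknown_serial_years": seconds_to_exhaust(hex_part * serial_part, guesses_per_second) / year,
    }
```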