Submitted by GeT_Tilted t3_113tbm1 in gadgets
GENOCIDUS_REX t1_j8syrdy wrote
Reply to comment by ahecht in Anker recalls 535 Power Bank over fire safety concerns by GeT_Tilted
I provided a source. You can do the same.
ahecht t1_j8t0nhx wrote
If you read in between the fearmongering:
> the way we initially obtained the address required logging in with a username and password before Eufy’s website will cough up the encryption-free stream.
> that address largely consists of your camera’s serial number encoded in Base64
> On the plus side, Eufy’s serial numbers are long at 16 characters and aren’t just an increasing number. “You’re not going to be able to just guess at IDs and begin hitting them,” says Mandiant Red Team consultant Dillon Franke, calling it a possible “saving grace” of this disclosure. “It doesn’t sound quite as bad as if it’s UserID 1000, then you try 1001, 1002, 1003.”
GENOCIDUS_REX t1_j8t5dx3 wrote
Ah, not as bad as it first looked, but:
> he points out that companies don’t tend to keep their serial numbers secret. Some stick them right on the box they sell at Best Buy — yes, including Eufy.
I’m good with condemning this massive lapse/lie about “no cloud” devices.
Their original statements, from that link:
> With secure local storage, your private data never leaves the safety of your home, and is accessible by you alone.
False. Facial ID images were uploaded to the Eufy cloud.
> All recorded footage is encrypted on-device
False. Footage was not encrypted. At all. Only the URL was encrypted, not the footage. This is also known as a lie.
Mindestiny t1_j8wj1yw wrote
Whether or not they lied is a separate issue to whether or not your camera data was feasibly vulnerable to attack.