The Eufy home security cameras we recommend over the years have been recommended by Anker, which has built a reputation for quality over the past 10 years. Eufy's commitment to privacy is remarkable: it promises your data will be stored locally, that it "never leaves the safety of your home," that its footage only gets transmitted with "end-to-end" military grade encryption, and that it will only send that footage "Straight
You can stream video from a Eufy camera from the other side of the country with no security at all.
It isn't clear how widespread this might be because the company lied about it.
On Thanksgiving Day, Paul Moore and a hacker who goes by the name of "Wasp" both claimed that the Eufy cameras could be streamed through the cloud by connecting to a unique address at Eufy's cloud server.
The company denied it when we asked. It is not possible to start a stream and watch live footage with a third-party player, according to a senior PR manager at the company.
That isn't true, according to The Verge. This week, we watched live footage from two of our own Eufy cameras using the same VLC media player from across the U.S., proving that Anker has a way to access the cameras through the cloud.
There is some good news that there is no proof that this has been exploited in the wild, and the way we obtained the address required logging in with a usernames and password before Eufy's website will cough up the stream. The exact technique is not being shared.
It doesn't work on cameras that are awake. We had to wait until the camera detected a passing car or the owner pressed a button to start the stream.
The biggest part of the key is the camera's serial number.
Eufy's best practices appear to be so shoddy that bad actors might be able to figure out the address of a camera's feed.
The address has a Unix timestamp, a token that Eufy's server doesn't seem to be valid, and a four-digit random number.
Mandiant vulnerability engineer Jacob Thompson says it's not how it should be designed. The serial numbers don't change so a bad actor can give or sell a camera to Goodwill and still watch the feeds. He says that companies don't usually keep their serial numbers secret. Eufy is one of the items that are put on the box at Best Buy.
Eufy's serial numbers are long at 16 characters and don't just increase in number. "You're not going to be able to just guess at IDs and start hitting them," says Mandiant Red Team consultant. If it is UserID 1000, then you try 1001, 1002, 1003.
It might be worse. Even though a MAC address is only twelve characters long, and you can usually figure out the first six characters just by, some smart home devices were substituting their own address for security.
The serial number needs to be kept secret.
We don't know how the serial numbers will be leaked or if Eufy will give them to anyone. Franke says that some of the unique ID information can be returned with the help of an application programming interface. I don't think they would treat the serial number like a secret anymore.
Thompson wonders if anyone with admin access can access the IT infrastructure if the architecture is such that they can order the camera to start streaming at any time. That is not the same as the claim that footage is sent straight to your phone.
There are other signs that the security practices of the company may be worse than they have been let on. Moore accused Eufy of violating other security promises, including uploading thumbnail images (including faces) to the cloud without permission and failing to destroy private data. He admitted to the former but said it was a misunderstanding.
He claims that Eufy's key for its video footage is just a string called "ZX Security17CAM@" There is a phrase in a repo from 2019.
The Verge asked if the ZX Security17CAM@ is the encryption key.
We were unable to get more information from Moore, who told The Verge that he was starting legal proceedings against Anker.
It may be important to know which cameras do and do not behave this way, whether or not anything will be changed, and when, now that Anker has been caught in some big lies. When Wyze had a similar vulnerability, it took three years for it to be fixed.
Some people may no longer be willing to wait. I asked Alrawi if he would turn off the camera in his home if he heard about it.
The security engineer who showed us how to get a Eufy camera's network address said he was ripping all of his stuff. He says that he bought them because he was trying to be secure.
If you have specific Eufy cams, you could try to switch them to HomeKit secure video.
Testing and reporting were done by Jen Tuohy.