Notebookcheck Logo

Anker eufy security camera footage can allegedly be viewed in a media player without encryption

A frame allegedly grabbed from streamed eufy camera footage. (Source: Wasabi Burns via Twitter)
A frame allegedly grabbed from streamed eufy camera footage. (Source: Wasabi Burns via Twitter)
Anker's home security brand eufy has built its name on assertions that footage recorded using its cameras is stored securely and only arrives on a user's device via “end-to-end military-grade encryption". However, The Verge now claims to be able to prove that some of these claims are technically false, citing some findings posted to Twitter by researchers.

A security engineer who identifies as Wasabi Burns on Twitter or as spicywasabi at infosec.exchange openly owns eufy home security cameras - however, they have announced an intention to "rip them all out" following the detection of vulnerabilities that allow access to their footage using a commonly-available video playback app.

Anker's increasingly popular sub-brand asserts that the method involved shouldn't be possible, as the cameras' audio-visual data is stored locally and with robust encryption. However, Wasabi Burns has backed up another researcher, Paul Moore, in claims that this is not the case.

Both Twitter accounts now assert that VLC Media Player - which is free to download - can be used to start a stream "encryption-free" from an active eufy camera, just by connecting to a supposedly "unique" cloud server address.

Writing for The Verge, Sean Hollister claims to have replicated this technique in a way that enabled such a connection with a camera on the opposite side of the United States.

Access to the address in question did require a password-protected log-in and that the camera in question was woken up by a third party on site; nevertheless, Hollister argues that these are not reassuring caveats. 

As it "largely consists of your serial number encoded in Base64" as well as an easily-fabricated Unix time-stamp, the necessary address for many other cameras could effectively be reverse-engineered at the local Best Buy.

Furthermore, The Verge also now asserts that an Anker representative basically denied outright that it was possible to start such streams in VLC when contacted for comment.

Then again, Hollister has since posted an update noting that it is now less easy to enact the method, which may indicate that eufy is now addressing the vulnerability in question.

Nevertheless, Moore for one persists in insisting that this is just the tip of eufy's security incident iceberg, claiming for example to have figured its encryption key out, as it is far too basic.

While eufy has issued a response to these claims, Moore finds that it "completely & utterly missed the point" and has reportedly expressed an intention to pursue legal action against Anker.

Luckily, there are other options when considering a home security system, PoE included.

Source(s)

static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2022 12 > Anker eufy security camera footage can allegedly be viewed in a media player without encryption
Deirdre O'Donnell, 2022-12- 3 (Update: 2022-12- 3)