Why Review Geek Can’t Recommend Wyze or eufy Cameras Anymore


It’s not about vulnerabilities, it’s about what companies did next.

When it comes to affordable Wi-Fi cameras or cloudless Wi-Fi cameras, Review Geek has long recommended two companies: Wyze and eufy. We’ve reviewed products from both companies highly and have included them on our “best of” lists multiple times. But as of today, we can no longer recommend either.

Wi-Fi cameras are, at heart, devices that require a lot of trust. You are installing a device in your home that can view some of the most personal and private areas of your life and potentially broadcast it to the world. Even if you keep them in the more “public” areas of your home, like the living room or kitchen, it’s still a far more intimate view into your life than most people ever get.

So before you buy a camera, it’s good to know that the company practices good security procedures and proper disclosures. The latter is especially important because even with the best security procedures, no company is perfect, and all of them are likely to experience some form of vulnerability sooner or later.

And so, reluctantly, we at Review Geek are removing the Wyze and eufy cameras from our recommendations. Each had a vulnerability, and both failed to responsibly disclose those issues to the public, albeit in different ways.

Wyze hid its small problem

We’ve reported extensively on the issue with Wyze, but here’s a summary in a nutshell. Wyze’s vulnerability is actually quite narrow in scope, so it probably didn’t affect most people. The problem boils down to two key points in particular, one of which is rarer than the other. Wyze cameras have a remote viewing capability that allows you to view video even when you’re not home. For most people, that feature only works if they enable it.

But in some rare cases, a home router can prevent Wyze from communicating to enable remote viewing. To get around that, it’s possible to enable port forwarding on your home router to create a “tunnel” so Wyze can communicate with you when you’re not home. Wyze offered instructions on how to do it, but admitted that it might lower your internet security.

The vulnerability in question required you to both enable port forwarding AND have a microSD card inserted in the camera to record video locally. The latter is quite common, but the former not so much. Probably few people had both components. But for those who did, it was possible for someone to break into their camera and view any video on the SD card. Again, this probably doesn’t apply to most Wyze camera owners, but it’s still a bad vulnerability.

The Wyze Cam Outdoor on a porch.
Michael Crider/Review Geek

In 2019, BitDefender security researchers notified Wyze about the vulnerability, and this is where things get really ugly. Wyze sat on that information for three years. Wyze eventually patched most of its cameras to fix the problem, but apparently, the company couldn’t do that with the original Wyze Cam.

However, instead of telling owners, the company decided to stop selling the camera (yes, it sold the camera for most of this period) and announced that it would no longer receive updates. And because of that fact, Wyze recommended that anyone who had the original camera upgrade, and offered a small discount for doing so.

Do you see the problem? Wyze did not tell the people who own the camera that a vulnerability existed that could allow hackers to see their video. It simply recommended an upgrade because the camera is “no longer supported”. This is not how to handle this situation. Only after security researchers finally blew the whistle did Wyze admit to the problem.

That is a breach of trust. How can we be sure that the next time Wyze finds a vulnerability, it will admit the issue so that consumers can make an informed decision? For that reason alone, we can no longer recommend Wyze cameras. We will continue to recommend other non-camera products from the company, such as robot vacuum cleaners. But we will be watching closely and we might change that if necessary.

We’ve been looking for a good Wyze replacement, something affordable, reliable and preferably with an option to bypass the cloud. And eufy fit the bill. Unfortunately, eufy followed a similar path, perhaps worse.

eufy won’t even admit a big vulnerability

Josh Hendrickson/Review Geek

In the past few days, eufy has been through the wringer. Security researchers have made multiple allegations, some minor and some major. The first thing to know about eufy is that it promises that your video will never end up in the cloud. Eufy doesn’t even offer a cloud subscription. The company claims that all of your video is stored locally on your camera, using military-grade encryption, and that video can only be accessed by you using the eufy app or web interface. No other method will work, nor will eufy be able to access your video. That makes it ideal for the security conscious.

The first claim against eufy is pretty minor by comparison. Despite the claim that no video is uploaded to the servers, it appears that some bits ended up on servers, unencrypted. They are in the form of thumbnails in an optional feature of the eufy app. You can choose to receive image notifications when someone rings the doorbell, for example, to see who is at the door in the notification panel.

To make that happen, eufy uploads the thumbnail to AWS (Amazon) servers to send to your phone and to the web interface. The thumbnails have some identifying information that could potentially be used to identify people, with some difficulty. Eufy acknowledged this report and committed to updating the app’s language to make it more clear that getting thumbnail previews requires a temporary cloud upload. The images are eventually removed (although eufy didn’t specify how soon).

The other discovery, however, is much more worrying, as is eufy’s answer. Multiple security researchers allege that despite eufy’s claims to the contrary, it is entirely possible to access video stored on eufy cameras without the app, web interface, or login. The details are convoluted, but it all boils down to a few things: The bad actor would need the camera’s serial number, a UNIX timestamp (very easy to obtain), and a hexadecimal key (relatively easy to brute-force). Using that information, it is possible to reverse engineer an address that you can use to access the camera from anywhere, using other software such as VLC. In theory cameras also require a token for validation, but that doesn’t seem to work and you can provide whatever you want.

Security researchers have not published the exact methods for fear of teaching bad guys to access security cameras, but they claim that with the correct information above, they could stream unencrypted video from eufy cameras via VLC. That shouldn’t be possible according to eufy’s assertions.

The Verge asked eufy outright if the reports were true, and the company denied it:

“I can confirm that it is not possible to start a stream and view live footage using a third-party player like VLC,” Brett White, a senior PR manager at Anker (eufy’s parent company), told The Verge via email.

But The Verge managed to replicate the claim and streamed video from eufy cameras via VLC, despite eufy’s statement that it wasn’t possible. It should be noted that, at this point, it would be difficult to replicate this in the wild, since you need a camera’s serial number. But that’s not exactly protected information; you’ll find it on the product boxes. And it’s potentially possible for serial numbers to be collected and leaked, just like email addresses.

Now that The Verge has replicated the claim, hopefully eufy will change its tune. But that doesn’t seem to be the case. In a statement given to AndroidCentral, eufy continues to deny or ignore the issue entirely, even after The Verge’s report:

eufy Security does not agree with the allegations made against the company regarding the security of our products. However, we understand that recent events may have caused some users concern. We frequently review and test our security features and encourage feedback from the security industry at large to ensure that we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary steps to fix it. In addition, we comply with all applicable regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with any questions.

And that leaves us in a similar boat to Wyze. Security cameras, especially the ones you put in your home, require trust. And eufy has broken that trust. In some ways, eufy is currently worse than Wyze, as the latter at least admitted to the issue when the information became public. That was already too late, but eufy is waiting even longer. Therefore, we cannot, in good conscience, recommend either company’s security cameras to our readers.


Typically, if we stop recommending a company’s product, such as a security camera, we state why and what it would take to regain our recommendation. That’s what happened with Ring: We stopped recommending Ring cameras, laid out our expectations, and when the company met them, we started recommending Ring again. We also like to offer alternatives that you can buy instead.

But in this case, the situation is much more difficult. How do Wyze and eufy regain trust after refusing to admit the issues right away? The Verge goes as far as to say that eufy lied in its responses, although one could argue that the PR manager may have been wrong but believed his statement. Still, eufy continues to deny the claims, despite evidence presented by multiple security researchers and news outlets. How do you come back from that?

I just don’t know, so I don’t think it’s possible to recommend either company again. We’ll keep an eye on them and go from there. For now, we will remove eufy and Wyze from our camera recommendation articles.

As for the alternatives, that too is a tricky situation. The simple fact is that no other company meets the requirements for affordable cameras with cloudless options that don’t require additional hardware for local storage or useful notifications. Some are close, like Blink or Arlo, but they require additional components that drive up the price, or they are owned by parent companies we are not sure we can comfortably recommend.

And frankly, every company is “one bad day” away from the same situation. It all depends on how they handle disclosure. For now, in all transparency, I can only tell you that I have Wyze cameras and they are still plugged in. I know the risks and I am willing to assume them.

But that’s not the same as recommending them to anyone else. No recommendation should start with “this is a good option, but you need to know a few things first.” And that would be a requirement. The only safe bet you can make is not to put security cameras in your home.
