Eufy home security thread

Yeah, if you have the URL. I'm sure it's easy enough to figure out your own URL, what I'm wondering is how easy it is to discover or create the URLs for other users and then peek into those.
 
I mean it's comical.

@Jimbeam3678 @rodders @dazzlaa @scrivz69

Did you guys know about this? And if not, are you still comfortable using their products?
For me at least, it records outside not inside, if some weirdo wants to watch me get in a car or cut the grass (rarely happens) then I think their need is greater than mine.

Non-issue for me; privacy has long gone many years ago. Whether you accept that or not is another matter.
 
Here's the chap's original video; you can see the Amazon-based CDN URLs used to host the thumbnails for the push notifications. No mention of the public video stream though.
Testing the thumbnail lifespan on the server. Seems the links expire after 24 hours, but the files themselves are not deleted, and there's no easy way to find out how long they're retained for, as they don't get deleted when the clips are deleted.

 
Not 100% sure, but I remember reading about the resetting issue a few weeks (months?) ago, and I seem to then remember reading again that they addressed it. Didn't really look into it though.
 
Yeah, if you have the URL. I'm sure it's easy enough to figure out your own URL, what I'm wondering is how easy it is to discover or create the URLs for other users and then peek into those.
This really needs testing next to see whether someone's data in Eufy's (AWS) S3 containers could be "randomly" stumbled upon and extracted.
AI face thumbnails need a 40-character user ID along with the thumbnail's seemingly random filename to build the path; similarly, motion/video thumbnails have a random filename too, although they appear to be stored under Eufy "station" serial numbers, which might potentially be gleaned from snooping on the target's devices.

I'm not entirely convinced these URLs could easily be built through simple enumeration, but it doesn't look great for Eufy either way, and hopefully other researchers and pentesters get on board and delve into Eufy products to see what exactly needs resolving.

Has anyone got more information on live streams being viewed through VLC though?
RTSP is available on their cameras and doorbells for the local network, and you can use VLC to view those streams, but that shouldn't be viewable externally; so it would be interesting to see how live streams are easily "had" externally.

Edit - the whole resetting flaw is completely screwed though; you would assume it would require some intervention elsewhere (a prompt within the app or portal) for a device to unpair from an account.
 
This really needs testing next to see whether someone's data in Eufy's (AWS) S3 containers could be "randomly" stumbled upon and extracted.
AI face thumbnails need a 40-character user ID along with the thumbnail's seemingly random filename to build the path; similarly, motion/video thumbnails have a random filename too, although they appear to be stored under Eufy "station" serial numbers, which might potentially be gleaned from snooping on the target's devices.

I'm not entirely convinced these URLs could easily be built through simple enumeration, but it doesn't look great for Eufy either way, and hopefully other researchers and pentesters get on board and delve into Eufy products to see what exactly needs resolving.

Has anyone got more information on live streams being viewed through VLC though?
RTSP is available on their cameras and doorbells for the local network, and you can use VLC to view those streams, but that shouldn't be viewable externally; so it would be interesting to see how live streams are easily "had" externally.

Edit - the whole resetting flaw is completely screwed though; you would assume it would require some intervention elsewhere (a prompt within the app or portal) for a device to unpair from an account.
It's quite shocking how this thread was made by me asking for advice on which Eufy doorbell package to get!!

Glad I made this thread, as if I didn't, I would not have known about this.
 
EUFY have irreparable damage done now. Even if they sort these functional issues out, they've demonstrated severe incompetence and have lied to customers in their marketing of said products. They cannot be trusted. Nobody is buying EUFY going forward if they are aware of the issues with EUFY.
 