Owners of Eufy home security cameras were warned this week of an internal server bug that allowed strangers to view, pan and zoom in on their home-video feeds for approximately one day. Inversely, customers were also suddenly given access to do the same to other users.
The SNAFU, according to experts, is a stark reminder of the security-challenged consumer market for wireless cameras that have caused major headaches for a long list of vendors including Amazon, Google and ADT.
China-based Anker quickly patched the vulnerability, which occurred during a planned server upgrade on Monday, that mistakenly connected Eufy users with video streams of other accounts from around the world, according a report on the issue by research firm Recorded Future, published on its The Record news feed.
However, users quickly noticed the problem—which persisted throughout the day, permitting many users who were running established server sessions to be spied on—and sounded a privacy alarm that is still echoing across online platforms, including the Eufy user forum, Reddit and Twitter.
“Guys and gals, if you have any Eufy cams indoors or out please check your accounts and or shut the cameras down for the time being,” according to a post by Tank on the Eufy user forum on Anker’s website Monday. “There are numerous reports of a security breach where other users are gaining control over others’ cameras and can see them as well as talk and control them. Please shut it down.”
The post also called for the company to “please get the word out to whoever is in charge to shut the systems down.”
One Reddit user reported a massive surprise when opening the Eufy Security app to do an early-morning check of house cameras.
“I have no idea what happened but out of nowhere I was given a completely different feed of someone else’s doorbell and security cameras,” reported the user, u/cosmik_gg. While the user couldn’t view the camera’s live feed, all recently recorded events on the other person’s video feed were available to view.
“I realized oh crap this is someone else’s account, it showed a woman walking through her garage,” the user wrote. “I immediately freaked out, took screenshots of the app so I could prove what was happening and then deleted it, and disconnected all Eufy products across my house.”
Server-Side Issue
The bug permitted access across Eufy camera feeds because Anker is a cloud-based architecture, so whoever controls the primary server controlling and managing the feeds has access to all the cameras that use it, an Eufy user called “professor” explained on the Anker forum.
Moreover, people could not only view private Eufy feeds, but also control their cameras to pan and zoom in at will, as well as view account data such as name, home location and other private details that potentially could be used for nefarious purposes.
Eventually, Anker acknowledged that the situation occurred due to a glitch during a server update and was discovered 40 minutes after it first occurred and fixed about an hour later.
The company tweeted an easy fix to the problem at 4:51 p.m. EST Monday, instructing users to “Please unplug and then reconnect the device” and then “Log out of the eufy security app and log in again.” Anker also told users they could email the support team at support[@]eufylife.com for any further questions or concerns.
Reputation Threatened
However, by then the damage to the company’s reputation for privacy had been done, as users complained that Anker didn’t act fast enough to let people know about the problem, allowing for privacy violations across its home security system.
“I specifically purchased Eufy cameras because of your positive privacy practices,” software developers and founder of Quantum Fire Labs Daniel Lemky, tweeted back to Anker’s official statement on how to fix the problem. “But we need transparency right now. Don’t wait until you’ve solved the problem. If there is a security breach, we need to know as soon as you know.”
Even high-profile Eufy users like ABC news producer and reporter Andrea Nierhoff reported being affected by the bug. “Can confirm I too have been able to access live- and prerecorded-streams of someone else’s cameras for the past few hours, though this has since corrected itself,” she tweeted. “Scary!”
Security issues with cloud-based home-security cameras are not uncommon. Google Nest and Amazon Ring also have experienced problems due to vulnerabilities that have threatened user privacy.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!