Yet another security camera nightmare allowed users to see cameras that weren’t theirs

Earlier today, some owners of Eufy security cameras were able to access both live camera feeds and recordings for other Eufy customers — the nightmare scenario for many smart security camera owners. The Anker-owned company blames the security failure on a “software bug” that happened during a server upgrade. In a follow-up email, Eufy tells us only 0.001% of customers were affected. The company claims the issue was fixed by 6:30 AM EST, and customers should reboot their hardware and log out and back in on Eufy apps.

Affected customers gained full control of cameras attached to other customers’ accounts, including the ability to view prior recordings and live feeds, set off alarms, and talk over speakers. Some customers claim the latter even happened to them, with unknown third parties setting off alarms in the early hours and strangers speaking over their cameras.

A few hours after the issue started (at 4:50AM EST, according to Eufy), the company issued a statement claiming that the issue was fixed around 6:30AM and advising all Eufy customers to unplug and reconnect their devices and to log out and log back in on the Eufy app.

Those of us with Eufy hardware here at Android Police didn’t observe any issues ourselves when checking after the reported fix had been deployed, but a writer at 9to5Mac claims they were able to see “all details, recordings, live” as if they were logged in under someone else’s account. The early hour may have reduced the impact of the issue, and though there are reports at both the Anker forum and product-associated subreddits, the volume of reports is small.

Eufy’s privacy claims on its website don’t jibe with today’s events. 

The technical reason behind how this issue occurred hasn’t been disclosed outside a nebulous “bug” during a server upgrade. Eufy says its camera feeds are end-to-end encrypted and “only you have the key to decrypt and watch the footage,” a claim that clearly wasn’t correct earlier today.

If this story sounds familiar, that’s because this sort of thing happens a bit too often. Last year Xiaomi had a similar problem displaying strangers’ camera feeds on Google Assistant-integrated smart displays, leading Google to temporarily yank the company’s platform privileges. In 2019, some Alexa-connected Wyze cameras had a similar issue. Ring cameras were also found to be revealing precise customer locations for those using the Neighbors app (meant to share data with law enforcement) in 2019, and a hacker also gained access to a Ring cam in an eight-year-old child’s room.

We reached out to Anker and were told that the issue affected a limited number (0.001%) of users in the United States, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina. Customers in Europe were unaffected, and we’re told that Eufy Baby Monitors, Eufy Smart Locks, Eufy Alarm System devices, and Eufy PetCare products were also unaffected. Customer service representatives will be contacting those who were impacted. The company also provided us with the following apology to customers:

We realize that as a security company we didn’t do good enough. We are sorry we fell short and are working on new security protocols and measures to make sure that this never happens again.

Customers with further questions are invited to reach out to Eufy’s support team.
