Users of video cameras from home gadget maker Eufy are reporting that their video feeds seem to have been getting mixed up.
Apparently, it’s not so much that anyone could sneakily login as user X and snoop on X’s video feed remotely…
…more a case that sometimes, when existing user X logged in, they ended up looking at Y’s account instead.
From what we’ve seen, user X couldn’t force this mixup to happen, and if it did, then X couldn’t predict who Y was going to be.
In other words, the glitch, if indeed there was one, doesn’t seem to have been reliably exploitable for any sort of targeted attack.
Indeed, one user in Australia noted that he and his wife, each supposedly hooked up to the same account under their own email addresses, ended up redirected to two completely different accounts and each had access to unrelated but incorrect feeds.
This isn’t the first time we’ve heard of a SNAFU like this, where virtual wires got crossed inside a video surveillance company’s own back end, causing customers not only to lose track of their own video cameras but also to gain access to someone else’s.
In one case, three years ago, a user of a cloud video service offered by a UK company called Swann received a video notification that showed surveillance footage from the kitchen…
…just not the kitchen in the user’s own house.
Amusingly, if that is the right word, the victim in this incident just happened to be a BBC staffer, relaxing at the weekend, who was gifted an ideal story to write up in the upcoming week.
In that incident, the camera vendor blamed human error, with two cameras accidentally set up with a “unique identifier” that wasn’t unique at all, leaving the system unable to decide which camera belonged to which account.
Alhough the vendor dismissed it as a “one off”, the BBC tracked down an even more amusing (though no less worrying) occurrence of the same problem in which a user received a surveillance video of a property that looked like a pub.
With a few days of search engine wrangling, that user managed to identify the pub online, only to find out that it was, by fluke, just 5 miles away.
So he went there and took a picture of himself in the beer garden, via the pub landlord’s webcam, but using his own online account:
Great to meet the manager @newtownlinford and share our concerns that @swannsecurity remote access CCTV system is giving us images from his cameras in place of our own. Bizarre to be able to take a selfie using someone else's CCTV camera pic.twitter.com/fTgmAVoPle
— The Obscure Brewer (@Battwave) June 3, 2018
We haven’t seen any reports from Eufy users who have actually managed to recognise anyone (or any locations) in the video feeds that they claim to have seen by mistake.
Nevertheless, we don’t doubt that many videos feeds will, at least some of the time, give away personal details or precise location information that really ought to be kept private.
What to do?
The problem here is that even if this turns out to be a transient server-side problem that has now been sorted out, rather than an exploitable vulnerability in the camera firmware or the company’s app, the question remains, “What if it happens again?”
Indeed, you can argue that cybersecurity problems that end up getting tracked down to vulnerabilities in an app that you can then update, and where you can verify for yourself that you’ve updated, can more comfortably be considered “closed bugs” than security glitches that appear for a while and then apparently vanish without explanation.
Our advice is therefore:
- Watch for an official update from Eufy that comments on what happened. We assume that any such statement will not only be able to describe what went wrong, if anything, but what has been done to reduce the chance of it happening again.
- Identify any cameras that could reveal sensitive information if someone else saw the feed, even by chance. Consider turning them off until this alleged problem is explained away. For example, a general “who’s there” view of a warehouse frontage that can be seen from the street anyway is probably worth leaving on, while a camera inside your living area probably isn’t.
- If you end up connected to someone else’s video feed by mistake, do the right thing and get out early. It’s tempting to “take a peek” on the grounds that it’s not your fault that the feeds got mixed up, but if you know that the data is supposed to be private, do the right thing and keep it that way until the issue is fixed.
Oh, and if you hear any more from Eufy (we can’t find a statement on their website yet [2021-05-17T14:45Z]), please let us know by emailing tips@sophos.com or by commenting below…
Chris
To slightly misquote an old axiom: Fast, Cheap, Secure; which two of these three do you want? Unfortunately it’s all too often the first two. I can’t decide if it’s a problem particularly endemic to IoT products, or whether they’re just the ones that people actually care about and get the headlines.
Not sure what the solution is – better regulation/enforcement with properly hefty fines might be a start? As far as I can find the Swann incident was investigated by the ICO but no action was taken, which seems ludicrous. This was mis-handling of private data of the highest order, where they actively sent user’s private data to other people. If you don’t hit them in the wallet, what motivation is there to do better next time?
Paul Ducklin
Sadly, I don’t think your axiom works. It implies that if a product is not cheap then it must ipso facto be both fast and secure (being the “other two” of the three), but sometimes security doesn’t get a look-in anyway…
Chris
Very true! I guess the underlying point is more that when products are rushed to market and profit is the only goal then security will almost always suffer.
I suppose I was just trying to be optimistic that there might be some scenarios whereby we could actually get a secure product, but perhaps a revised misquote of “you can chose to have up to two of these three – which one(s) do you want?” would be closer to reality, if a little less snappy? :-)
Bob
Saw feed from what I think South America location based on the camera identifier language. Thought my nephew was tinkering with my dad phone yesterday!
Slow Joe Crow
This random connection issue reminds me of the rollover problem with with Windows 95 Netware clients. Microsoft only used an 8 bit value for connection id so if your connection ID was 300 you got connection id 44’s banner page on your print job. Obviously this is both an ancient and simple bug but it’s possible that Eufy’s developers were that lazy or lacking in foresight that they specified too small a value or failed to put in a check
Paul Ducklin
So far they are saying no more than that they experienced a software bug and then fixed it. What the bug was, who provided the flawed software, how the bug came about, how they figured out where it was, what they did to fix it and why they think they really did find and fix the core problem in a reliable way…
…who can say? If Eufy can’t then I am not sure who else can.
Paul Ducklin
Oh, and +1 +1 +1 for the retro references :-) Windows 95. Netware. 8 bits of integer precision. If you could have somehow snuck, say, Nokia and Digital in there as well it would be a perfect 5/5.