Bug Exposes Eufy Camera Private Feeds to Random Users

2021-05-19 13:28

Owners of Eufy home security cameras were warned this week of an internal server bug that allowed strangers to view, pan and zoom in on their home-video feeds for approximately one day.

The SNAFU, according to experts, is a stark reminder of the security-challenged consumer market for wireless cameras that have caused major headaches for a long list of vendors including Amazon, Google and ADT. China-based Anker quickly patched the vulnerability, which occurred during a planned server upgrade on Monday, that mistakenly connected Eufy users with video streams of other accounts from around the world, according a report on the issue by research firm Recorded Future, published on its The Record news feed.

Users quickly noticed the problem-which persisted throughout the day, permitting many users who were running established server sessions to be spied on-and sounded a privacy alarm that is still echoing across online platforms, including the Eufy user forum, Reddit and Twitter.

The bug permitted access across Eufy camera feeds because Anker is a cloud-based architecture, so whoever controls the primary server controlling and managing the feeds has access to all the cameras that use it, an Eufy user called "Professor" explained on the Anker forum.

People could not only view private Eufy feeds, but also control their cameras to pan and zoom in at will, as well as view account data such as name, home location and other private details that potentially could be used for nefarious purposes.

Even high-profile Eufy users like ABC news producer and reporter Andrea Nierhoff reported being affected by the bug.

News URL

https://threatpost.com/eufy-cam-private-feeds/166288/