I’ve been digging into the security of the video doorbell after trying to map my network. There’s a device which uses a MAC address which isn’t in any OUI database and it’s running DNS. This turned out be be the Eufy homebase. This lead me down a few alleys…
Pictures taken by the doorbell placed on Eufy servers in an insecure format. They are accessed via the Eufy apps via HTTP and no logon is required to view them.
Eufy Homebase is running a DNS server which NMap reports as DNSmasq 2.4. This version has known vulnerabilties.
DNSmasq can be configured to return “custom” DNS host records in a similar way to using a hosts file. In other words, if compromised the Homebase could be configured by a bad actor to return the IP address of “myhackedservice.com” instead of the IP of the legit Eufy servers.
If DNSmasq is compromised and devices which use the Homebase as a DNS server are redirected to a compromised URL it becomes relatively simple to place a hacked firmware on such devices.
The DNSmasq issue to me is very concerning as it’s a service which, if compromised, can easily redirect anything which uses the Homebase for DNS to anywhere a bad actor wants and I have no insight into that. The only device place a device on my network should be getting DNS is from the specified DNS server (i.e. router, Pihole, whatever) as it’s logged.
Beginning to realise why there’s no API available never mind Homekit.
I did some monitoring of my Eufy devices when I first started using them to see where my data was going. I used Wireshark and lately have Firewalla set up to monitor all my connections on the network. Here’s what I have seen.
All my Eufy devices MAC address are listed as belonging to Smart Innovations on several OUI databases. I think this is Anker subsidiary.
The only communication going to Eufy’s AWS servers is for authentication and updates and uses TLS. It’s not transmitted in the clear.
Video is sent from the homebase to your device encrypted. You cannot view the clip exept through the app or portal. You can use RTSP, which is unencrypted, but that isn’t turned on by default. Hopefully, you wouldn’t turn on the RTSP feed and send it outside your network.
Except for the Eufy portal, which requires your logon credentials, video is kept on the Homebase or the Wifi cams with their own storage and not sent through Eufy’s AWS servers to your devices. If you pull the storage card from an indoor cam or a Homebase E, you will find its formatted as Ext4 and except for a couple of log files, it encrypted and not viewable until you insert it and view it from the app.
I haven’t confirmed that DNSmasq is running on the homebase, but have seen other devices that are based on Linux with a few services running on them that aren’t necessary all the time. It might be needed when making the initial setup and pairing to the network. It also could be used as internal DHCP by the homebase to assign addresses to the cameras and other Eufy devices hooked to the homebase.
It may be possible for someone to hack your homebase and re-configure the DNSmasq service, but they would need access to your local network to accomplish that. If they have that kind of access, there are probably lots easier exploits to attack.
Eufy Wireless Doorbell and Eufy cams are very different beasts. For example, on the video doorbell there is no RTSP (well, there is but it’s hidden behind another layer and can’t be directly accessed by something like VLC).
If you’ve got a Firewalla I’m going to assume you know a bit about things so you’ll appreciate that if you aren’t using the wireless video doorbell and either decrypting the SSL or using an API to view the HTTP requests you’re not going to see what’s actually going on. However you’ll note some complaints about the wireless video doorbell recently in the forums that relate to seeing snapshots from other peoples’ doorbells when using the app. This is because, as above, the snapshot is stored on a server in the cloud and those URLs don’t require authentication.
As for the DNS part, the issue isn’t that DNSmasq would be compromised from inside your network. The issue is that a bad firmware could be uploaded to the Homebase which changes the way DNSmasq issues responses. And if that sounds far fetched, remember the recent problems with Solarwinds. A bad actor modifies their agent, that agent then gets uploaded to literally hundreds of thousands of PCs and servers. Wasn’t discovered for months.
Being behind a firewall and having antivirus doesn’t mean anything anymore. There’s a whole other set of considerations, especially when you’re allowing IoT devices you have no insight to onto your network. You have a device managed by someone else on your home net and you have no idea what it could be doing at any given point.
According to the latest word from Eufy the thumbnails issue is related to third-party apps, in this case TinyCam, which needed Eufy’s account pasword and username to access video data. Eufy have, in the latest version, halted support for TinyCam and other third-party providers that need Eufy account information because of that issue.
So, its not that the thumbnails are stored in the cloud someplace unauthenticated, but that the authenticated data got transposed. Once they found out and isolated the issue, they decided to pull support for TinyCam and possibly other apps. According to a TinyCam developer on Reddit it had to do with a User-Agent call and TinyCam is creating an update to fix the problem.
Whether or not Eufy decides to allow TinyCam back is unknown. It does speak to both TinyCam and Eufy’s privacy commitment that they acted quickly to deal with the issue.
As far as the DNS issue goes, you face the same issues with your OS, network tools, and any apps that receive updates. Bad actors can sneak in and download bad code. Unless you examine every line of code and know what it means, you are at the mercy of others to do things right. Eufy is at least fixing issues when they are found, which is better than the bulk of other IOT companies.
Until someone comes up something better and cost-effective, we will just have to segregate our networks and monitor for anomalies.
Eufy said Tinycam is what caused users seeing live VIDEO of other users cameras. The THUMBNAIL notification issue was related to beta users, most likely poor segregation between test and prod environment.
Eufy’s selling access to their application platform to a 3rd party ? I’m out, this thing’s going back to Amazon. I’ll get something which actually does Homekit or go back to a regular doorbell.
If you want to see exactly why this is a bad idea, do a bit of research on Tuya’s Smart Life platform.
Where did you see that they are selling access to 3rd parties? The only thing I saw was that they were taking steps to block third party apps (like Tinycam) from being able to access the device even when users provide their Eufy credentials to these third party applications.