[SOLVED] Eufy camera/doorbell data at rest and streaming security principles?

EDIT: eufy answered my questions, not all specifically but for now good enough, see below.

[ORIGINAL POST]
I’m trying to figure out what security controls/methods/protocols are in place to safeguard access to the “eufyCam 2 Pro” and “Video Doorbell 2K (Battery-Powered)” and the “base-unit”

The website states:

2022×625 411 KB

Though these are great marketing statements, as an IT Security professional Im more interested in the actual implemented security protocols and used principles.

My main question:
Does anyone have any more information on this?

Im primarily interested in:

1. Can I or Eufy SSH into the device? When so is this username/password or SSH key based?
2. How are firmware updates pushed/pulled to the device? TLS 1.2/1.3 fetch over HTTPS to an update server? Are firmware updates validated using a verifiable hash?
3. Can I enforce Multi Factor Authentication to access the eufy App and admin interface?
4. Can I encrypt data at rest using my own AES256 key? (to prevent anyone with access to the SD card for example from accessing the data in a readable format)
5. What streaming protocols are used?
6. When SSL certificates are used, are these self generated by the eufy devices, or can I upload my own CA trust-chain and SSL certificate?
7. My Wifi is secured using 802.1x EAP/TLS. Ie a (user) device needs to authenticate using a device certificate. Do the eufy products support 802.1x EAP/TLS?
8. More and more security product vendors have their products pentested by ethical hackers. While its not common practice to publish the first pentest reports, as these often contain unwanted conclusions, after several fixes, pentest reports are provided as a mark of accomplishment (instead of security by obscurity) Are any recent pentests available of the eufy products I mentioned?
9. Can I assign IPv6 addresses to the devices?

[ANSWER BY EUFY]
Dear ,
Thanks for contacting eufy customer service and sorry for my late response.

We are so glad to hear that you are interested in our products. It’s my pleasure to assist you, for your questions, please see:

1). According to your website, video is supposedly streamed using 256 bit encryption. Im assuming this encryption is inherent to the used streaming protocol and not based an actively configurable encryption-key. What video streaming protocol is being used? What determines the 2456 bit encryption?

So sorry to say that the camera system needs to work with the internet. So it needs to ask for the permission of your local network. And rest assured that in Eufy Security, users’ privacy is something that we value as much as they do.

⁃ Local Storage. User videos are encrypted and then saved on local eMMC. The existence of the videos are encrypted data files, which cannot be read by any video players. The encryption key is needed by the user account. So it’s unique and the only user with correct account info can decrypt and access it.

⁃ Local AI. We tailored the AI specifically for home scenarios and integrated into the device. So the video analysis is processed on the device and the result is sent directly to the user. Video upload is definitely not required on our approach.
⁃ Secure Data and Transmission. User data like the video and Livestream are encrypted before transmitting. The AES 256-bit encryption key is needed by user account and generated when the user is pairing the device. The encrypted data is transmitted via an end-to-end connection directly from the device to the user’s App. They don’t go through eufy servers.

For more details about the privacy policy and data policy, you can go to App–>Side menu–>About–>Privacy policy and Data policy for more detailed information.

2). What encryption is used to store video and still images (media) on the camera’s local SD card?
It used the private encryption format to store the video to the local SD card.

3). Can the stored media be accessed when someone removed the SD card, or is some form of decryption key or password required?
No, it doesn’t read on the computer when someone removed the SD card. The video is in private encryption format and can only be viewed by phone app or mac app.

4). Should AES256 be used to encrypted store media, who defines the AES256 key? Can I configure it myself?
No, it has been determined of the products themselves.

5). Are SSL certificates used for TLS connection purposes? When so, can I control what Certificate Authority Trust Chain is trusted on the local Eufy devices (ie my own PKI/CA) and can I
control/generate/install my end-point SSL certificate
Sorry, you are not able to control/generate/install your own end-point SSL certificate.

6). To access the admin configuration section, is Multi-Factor authentication supported?
Yes, it supports two-factor authentication.

7). For Wireless access, I prefer to use 802.1x EAP/TLS. Do the Eufy Pro products support client certificate-based authentication?
I am so sorry it doesn’t support the client certificate-based authentication.

Feel free to contact us in case of any further concerns.

Take care and have a wonderful day:)

I think you need to send an email to support to get your questions answered. I would be interested in the answers to most of those questions as well.

Would be nice to have an independent audit done on Eufy security products by a 3rd party to confirm they are using best practices and don’t have any gaping security issues.

please post answers when it is available

I’ve sent my questions to eufy support.
Should they provide answers I will post them here (if forum rules allow)

I doubt we can SSH locally or at all. We can’t even connect to the doorbells without an internet connection or when their servers are down.

I can answer a couple of your questions.

3. You can set up two-factor on the app by logging into the app with the master account. Click on the Username/email address and you can get to the setup. Also, others with Admin or Guest acccess can set it up for their accounts as well. They only offer text verification to your device. With all the simjacking going on, it would be nice if they would support hardware keys or authenticator apps.

4. The SD cards are formatted Ext4, but the only files that are readable are log files. All video/audio is encrypted using whatever key system Eufy has implemented.

thank you, appreciate it

eufy Support wrote back to me:

Dear
Thanks for contacting eufy customer service and sorry for my late response.

We are so glad to hear that you are interested in our products. It’s my pleasure to assist you, for your questions, please see:

1). According to your website, video is supposedly streamed using 256 bit encryption. Im assuming this encryption is inherent to the used streaming protocol and not based an actively configurable encryption-key. What video streaming protocol is being used? What determines the 2456 bit encryption?

So sorry to say that the camera system needs to work with the internet. So it needs to ask for the permission of your local network. And rest assured that in Eufy Security, users’ privacy is something that we value as much as they do.

⁃ Local Storage. User videos are encrypted and then saved on local eMMC. The existence of the videos are encrypted data files, which cannot be read by any video players. The encryption key is needed by the user account. So it’s unique and the only user with correct account info can decrypt and access it.

⁃ Local AI. We tailored the AI specifically for home scenarios and integrated into the device. So the video analysis is processed on the device and the result is sent directly to the user. Video upload is definitely not required on our approach.
⁃ Secure Data and Transmission. User data like the video and Livestream are encrypted before transmitting. The AES 256-bit encryption key is needed by user account and generated when the user is pairing the device. The encrypted data is transmitted via an end-to-end connection directly from the device to the user’s App. They don’t go through eufy servers.

For more details about the privacy policy and data policy, you can go to App–>Side menu–>About–>Privacy policy and Data policy for more detailed information.

2). What encryption is used to store video and still images (media) on the camera’s local SD card?
It used the private encryption format to store the video to the local SD card.

3). Can the stored media be accessed when someone removed the SD card, or is some form of decryption key or password required?
No, it doesn’t read on the computer when someone removed the SD card. The video is in private encryption format and can only be viewed by phone app or mac app.

4). Should AES256 be used to encrypted store media, who defines the AES256 key? Can I configure it myself?
No, it has been determined of the products themselves.

5). Are SSL certificates used for TLS connection purposes? When so, can I control what Certificate Authority Trust Chain is trusted on the local Eufy devices (ie my own PKI/CA) and can I
control/generate/install my end-point SSL certificate
Sorry, you are not able to control/generate/install your own end-point SSL certificate.

6). To access the admin configuration section, is Multi-Factor authentication supported?
Yes, it supports two-factor authentication.

7). For Wireless access, I prefer to use 802.1x EAP/TLS. Do the Eufy Pro products support client certificate-based authentication?
I am so sorry it doesn’t support the client certificate-based authentication.

Feel free to contact us in case of any further concerns.

Take care and have a wonderful day:)