Security hole with Wyze Cams was not disclosed to users?

This is news to me…

This has been discussed a while back. Wyze took care of the issue which was not a huge issue, IMHO.

Here is one of the posts.

Eufy is another story, they are not admitting anything and it is a recent find.

5 Likes

Their behavior is pretty close - Wyze ignored a minor issue for years, and Eufy is apparently flat out lying - but the exposure for the Eufy cameras is many times worse than anything Wyze cameras ever had.

Wyze cameras couldn’t be compromised over the Internet (as long as one had a home router). By all reports, the Eufys can.

Either way, in the end, it will be patched and both systems will continue to be relatively safe.

The only interesting part is Eufy’s current ill-conceived deny-deny-deny approach.

1 Like

I would call that the most concerning part.

  1. I’m really not too concerned that Eufy had some thumbnails in the cloud (despite promises everything was local…it does kind of make sense that if it is sending an image with the notification then that image had to go through their servers, so I can cut them some slack there, and it is easy enough to disable thumbnails if that is important to someone).
  2. And from what I am reading, not just anyone can easily view the stream unless they have:
    • Serial Number of the camera (not easy to obtain remotely…it would basically have to be someone you know and trust already)
    • UNIX timestamp
    • hex key (they say it can be brute-forced in theory…assuming someone has ALL the other information, though I don’t know how Eufy’s servers would react to repeated suspicious brute force patterns like this…honestly after a few failed attempts it should do something to prevent or stall it. Plus you can’t run brute force in VLC, so it seems like you’d still have to do something to keep testing every individual brute force attempt to see if it shows the stream…IDK, I haven’t read of anyone proving how easy the brute-force hypothesis would be here, but I don’t claim to be an expert)
    • A validation token…though apparently you can just make one up because it’s not limiting things like it should.
    • It must be a little more complicated than sensationalized articles are making it out to be because everyone keeps saying the details are tricky and they aren’t releasing the exact methods (to prevent bad actors from doing it), so it’s obviously not as simple as they want people to believe.

I think it’s still pretty unlikely for anyone with eufy to be at risk.

As for the Wyze issue, to me, I am mostly sad Wyze “fixed” it to be honest. We’ve been BEGGING Wyze to make it possible for us to access our camera SD cards through our own WiFi. It’s one of the most requested wishlist items. We’ve been begging Wyze to allow this ON PURPOSE for YEARS. Nobody outside of your secure WiFi could ever access it, so…to me it was more of losing a feature I wanted but didn’t even know was there. :man_shrugging: I do get that some people were sad Wyze took so long to make it public, but it really wasn’t much of an issue IMO.

I am laughing at reviewgeek though…their article says they can’t recommend Wyze or Eufy anymore…even though the Wyze issue came out MANY MONTHS ago…so I ran a site search on them with the word Wyze and saw they’ve made several recommendations for Wyze products since then, including the V3Pro and the Mesh Routers and they appear to be using an affiliate/referral link in their articles so they can get paid for the referrals that they recommended to buy those Wyze products.
So…make of all that what you will, but I call total BS on their claim about not recommending new Wyze products. They’ve clearly been doing that for months since Wyze’s issue came out. It doesn’t make sense to suddenly punish Wyze for something Eufy just did, and they didn’t really care when Wyze’s issue actually did come out because they’ve been recommending Wyze products since then. So I’m just saying, something doesn’t smell right with their claim in this article. I think I’m getting a hint of sensationalism for ratings rather than honesty. :man_shrugging:

I guess I could be wrong though.

2 Likes

I came to the exact same conclusion about “Review Geek” simply by glancing at the inline summary in the original post above, immediately resolving never to pay it any heed in the future (and I’d never heard of it before). When a web site shows you what they are, believe them. :wink:

I think you’re probably right that even the Eufy vulnerability is a near-nothingburger.

Yea I saw that headline from reviewgeek as well. Lol.

I’m sure the Eufy thing isn’t as bad as they say, but I’m mostly concerned about how they responded to it. If they explained how it’s not as bad as they say, apologized, and then fixed it, that’s fine. But they basically said yea we know about it, but don’t really care. We will eventually hide it a bit more, but it is necessary to store SOME of this stuff, we won’t update our marketing though.

Granted, we should say that we still think they should make changes and improve it of course, but I think the risk is slightly exaggerated for fear mongering ratings. But that doesn’t mean Eufy shouldn’t do something about it anyway. They also shouldn’t be stuck in denial mode. I would’ve accepted a simple: “we don’t believe this has realistically been done by anyone besides camera owners themselves since it requires such limited access to information, but we will make improvements so it’s even more secure going forward.” That would’ve been a reasonable and accurate/true PR response to me.

Tech publications are trying to make it sound like any random stranger already has all the information they need to view anyone’s camera stream and that’s ridiculous. Maybe if you have a hacker sibling-in-law who visited on Thanksgiving and suspiciously went around to all your Eufy cams and took pictures of your serial numbers (then put them back in place), somehow figured out the hexcode, etc… Then MAYBE, but more likely only the owners are able to view their own streams.

1 Like

While I entirely agree with you, there is the fact that serial numbers are a fixed length and likely sequential, and if in fact the other components of the unique URLs are guessable/spoofable/ignored, then opening streams to dozens of random cameras at a time might be doable.

But just as Wyze sitting on their vulnerability for years was the only concerning part of their issue, the Eufy stonewalling is the only concerning part here, as you’ve explained well.

1 Like

Excellent point!

1 Like