Vulnerabilities Identified in Eufy 2K Indoor Camera

At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT device manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Eufy 2K Indoor Camera and is based on our research of the 2.0.9.3 firmware version.
Vulnerabilities at a glance
- Pre-authentication buffer overflow in the RTSP server on the local network (CVE-2021-3555). The vulnerable method of authentication needs to be enabled, as it is disabled by default.
- Man-in-the-middle attack that allows a third party to perform a malicious firmware upgrade and gain complete control over the device.
- Partial access to the AWS bucket. An AWS bucket is used to store media and crash log data. Although access keys cannot be obtained directly, an endpoint exists that will sign a request for an arbitrary path in the bucket. Uploaded files contain a random string in their name, so they cannot be downloaded directly because their path cannot be inferred. However, an attacker can still obtain a directory listing of the first 1,000 entries by signing and requesting the root path ("/"). These entries seem to contain crash data logs that might include serial numbers, user IDs, and other sensitive information that could help an attacker gain further access to these devices.
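The bucket issue above comes down to a signing endpoint that accepts any path, including the bucket root, which turns a signed GET into a directory listing. The following is an added illustration of the authorization check such an endpoint should perform before it signs anything; it is example code written for this summary, not Bitdefender's tooling and not Eufy's service code. The bucket name, the key layout (`uploads/<user_id>/<random-name>`), the minimum length of the random component and the function names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed example: the guard a pre-signing endpoint should apply before it
# signs a bucket request on a client's behalf. The bucket name, key layout and
# length limits below are assumptions for illustration only.
BUCKET = "example-media-bucket"  # placeholder, not a real bucket name

USER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Object names carry a random component; require it to be long enough that the
# path cannot be guessed, and restrict the character set so nothing else
# (query strings, separators, traversal) can ride along inside the name.
OBJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{16,128}$")


class SigningRefused(ValueError):
    """Raised when a request must not be signed."""


@dataclass(frozen=True)
class SignableRequest:
    method: str
    bucket: str
    key: str


def authorize_signing_request(user_id: str, method: str, path: str) -> SignableRequest:
    """Decide whether a signing request from `user_id` for `path` is allowed.

    Refuses: the bucket root or any prefix (which would yield a listing
    rather than an object), methods other than GET/PUT, keys outside the
    caller's own prefix, and keys with extra depth (so '..' components or
    another user's prefix cannot be reached).
    """
    if method not in ("GET", "PUT"):
        raise SigningRefused(f"method {method!r} not allowed")
    if not USER_ID_RE.match(user_id):
        raise SigningRefused("malformed user id")

    # An object key has no leading slash; "/" or "" means "the whole bucket".
    key = path.lstrip("/")
    if key == "" or key.endswith("/"):
        raise SigningRefused("refusing to sign a listing of the bucket or a prefix")

    # Exactly uploads/<user_id>/<object>: fixed depth, each part validated.
    parts = key.split("/")
    if len(parts) != 3:
        raise SigningRefused("key must be uploads/<user>/<object>")
    prefix, owner, name = parts
    if prefix != "uploads":
        raise SigningRefused("key outside the uploads/ prefix")
    if owner != user_id:
        raise SigningRefused("key belongs to a different user")
    if not OBJECT_NAME_RE.match(name):
        raise SigningRefused("malformed object name")

    return SignableRequest(method=method, bucket=BUCKET, key=key)


def is_signable(user_id: str, method: str, path: str) -> bool:
    """Boolean wrapper, convenient for logging and tests."""
    try:
        authorize_signing_request(user_id, method, path)
        return True
    except SigningRefused:
        return False


if __name__ == "__main__":
    # Constructed requests: one legitimate object fetch, then the root-path
    # listing request described in the report, which is refused.
    print(is_signable("user-42", "GET", "/uploads/user-42/abcdef0123456789xyz"))
    print(is_signable("user-42", "GET", "/"))
```

The important property is that the endpoint signs only fully specified object keys under the caller's own prefix; a request for "/" or for a bare prefix is refused outright rather than signed, so the signed URL can never produce a listing. A refused request is also a useful detection signal, since a legitimate client never asks for a listing through this path.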
Mitigation
Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.
Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices and to identify and highlight vulnerable ones. IoT device owners should also check for newer firmware regularly and update devices as soon as the vendor releases new versions.
To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.