Vulnerabilities Identified in Eufy 2K Indoor Camera

At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT device manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Eufy 2K Indoor Camera and is based on our research of the 2.0.9.3 firmware version.

Vulnerabilities at a glance

• Pre-authentication buffer overflow in the RTSP server on the local network (CVE-2021-3555). The vulnerable method of authentication needs to be enabled, as it is disabled by default.
• Man-in-the-middle attack that allows a third party to perform a malicious firmware upgrade and gain complete control over the device.
• Partial access to the AWS bucket. An AWS bucket is used to store media and crash log data. Although access keys cannot be obtained directly, there is an endpoint that will sign a request for an arbitrary path in the bucket. Uploaded files contain a random string in their name so they cannot be downloaded directly, as their path cannot be inferred. However, an attacker can still obtain a directory listing of the first 1,000 entries by signing and requesting the root path (“/”). These entries seem to contain crash data logs that might include serial numbers, user IDs, and other sensitive information that might help an attacker gain further access to these devices.

Download the research paper

Mitigation

Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices, identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.