For HomeFor BusinessFor Partners
IoT Research Whitepapers
2 min read

Vulnerabilities Identified in Eufy 2K Indoor Camera

Bitdefender

May 31, 2022

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Vulnerabilities Identified in Eufy 2K Indoor Camera

At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT device manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Eufy 2K Indoor Camera and is based on our research of the 2.0.9.3 firmware version.

Vulnerabilities at a glance

  • Pre-authentication buffer overflow in the RTSP server on the local network (CVE-2021-3555). The vulnerable method of authentication needs to be enabled, as it is disabled by default.
  • Man-in-the-middle attack that allows a third party to perform a malicious firmware upgrade and gain complete control over the device.
  • Partial access to the AWS bucket. An AWS bucket is used to store media and crash log data. Although access keys cannot be obtained directly, there is an endpoint that will sign a request for an arbitrary path in the bucket. Uploaded files contain a random string in their name so they cannot be downloaded directly, as their path cannot be inferred. However, an attacker can still obtain a directory listing of the first 1,000 entries by signing and requesting the root path (“/”). These entries seem to contain crash data logs that might include serial numbers, user IDs, and other sensitive information that might help an attacker gain further access to these devices.

Download the research paper

Mitigation

Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices, identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.

tags

IoT Research Whitepapers

Author

Bitdefender

Bitdefender

The meaning of Bitdefender’s mascot, the Dacian Draco, a symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.”

View all posts

Right now Top posts

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware
Anti-Malware Research

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

June 08, 2023

5 min read
Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series
IoT Research Whitepapers

Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series

May 02, 2023

2 min read
EyeSpy - Iranian Spyware Delivered in VPN Installers
Anti-Malware Research Whitepapers

EyeSpy - Iranian Spyware Delivered in VPN Installers

January 11, 2023

2 min read
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
Anti-Malware Research Free Tools

Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor

January 05, 2023

1 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

Abusing the Ad Network – Threat Actors Now Hacking into Companies via Search
Whitepapers Anti-Malware Research

Abusing the Ad Network – Threat Actors Now Hacking into Companies via Search
Victor VRABIEAlexandru MAXIMCIUC

July 26, 2023

2 min read
Exposing RDStealer Deep Dive into a Targeted Cyber-Attack Against East-Asia Infrastructure
Anti-Malware Research Whitepapers

Exposing RDStealer Deep Dive into a Targeted Cyber-Attack Against East-Asia Infrastructure
Victor VRABIE

June 20, 2023

2 min read
Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology
Anti-Malware Research

Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology

Bookmarks

loader