
Vulnerabilities Identified in Eufy 2K Indoor Camera

Bitdefender

May 31, 2022


At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT device manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Eufy 2K Indoor Camera and is based on our research of the 2.0.9.3 firmware version.

Vulnerabilities at a glance

  • Pre-authentication buffer overflow in the RTSP server on the local network (CVE-2021-3555). The vulnerable method of authentication needs to be enabled, as it is disabled by default.
  • Man-in-the-middle attack that allows a third party to perform a malicious firmware upgrade and gain complete control over the device.
  • Partial access to the AWS bucket. An AWS bucket is used to store media and crash log data. Although access keys cannot be obtained directly, there is an endpoint that will sign a request for an arbitrary path in the bucket. Uploaded files contain a random string in their name so they cannot be downloaded directly, as their path cannot be inferred. However, an attacker can still obtain a directory listing of the first 1,000 entries by signing and requesting the root path (“/”). These entries seem to contain crash data logs that might include serial numbers, user IDs, and other sensitive information that might help an attacker gain further access to these devices.
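The third finding comes down to a signing endpoint that accepts any path, including the bucket root. As an added illustration (not code from the research paper or from the vendor), the sketch below shows the server-side check such an endpoint would need before signing anything. The `uploads/<device_id>/` key layout, the device ID format and all function names are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumptions for this example: 16-character device IDs, upload-only devices,
# and one key prefix per device. None of these come from the report.
DEVICE_ID_RE = re.compile(r"[A-Z0-9]{16}")
ALLOWED_METHODS = {"PUT"}


def authorize_sign_request(device_id: str, method: str, raw_path: str) -> str:
    """Return the object key that may be signed, or raise PermissionError."""
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise PermissionError("malformed device id")
    if method.upper() not in ALLOWED_METHODS:
        raise PermissionError("method not allowed for devices")
    parts = urlsplit(raw_path)
    # Query strings carry bucket-level operations (listing), so refuse them.
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        raise PermissionError("only a bare object path may be signed")
    key = unquote(parts.path).lstrip("/")
    # An empty key is the bucket root; a trailing slash is a prefix.
    if not key or key.endswith("/"):
        raise PermissionError("bucket or prefix paths are not signable")
    # Leftover '%' means double encoding; NUL and backslash are never valid here.
    if any(c in key for c in ("%", "\x00", "\\")):
        raise PermissionError("suspicious characters in key")
    # Reject anything normalization would change ('..', '.', '//').
    if posixpath.normpath(key) != key:
        raise PermissionError("path is not in canonical form")
    prefix = f"uploads/{device_id}/"
    if not key.startswith(prefix) or len(key) == len(prefix):
        raise PermissionError("key is outside the caller's own prefix")
    return key


def is_signable(device_id: str, method: str, raw_path: str) -> bool:
    """Boolean wrapper, convenient for logging and tests."""
    try:
        authorize_sign_request(device_id, method, raw_path)
        return True
    except PermissionError:
        return False
```

A request for the root path fails this check before any signature is produced, so the listing described above is never signable, and each refusal is a useful event to log and alert on.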


Mitigation

Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices and to identify and highlight vulnerable ones. IoT device owners should also check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.
