Vulnerabilities Identified in Eufy 2K Indoor Camera
At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT device manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Eufy 2K Indoor Camera and is based on our research of the 18.104.22.168 firmware version.
Vulnerabilities at a glance
- Pre-authentication buffer overflow in the RTSP server on the local network (CVE-2021-3555). The vulnerable method of authentication needs to be enabled, as it is disabled by default.
- Man-in-the-middle attack that allows a third party to perform a malicious firmware upgrade and gain complete control over the device.
- Partial access to the AWS bucket. An AWS bucket is used to store media and crash log data. Although access keys cannot be obtained directly, there is an endpoint that will sign a request for an arbitrary path in the bucket. Uploaded files contain a random string in their name so they cannot be downloaded directly, as their path cannot be inferred. However, an attacker can still obtain a directory listing of the first 1,000 entries by signing and requesting the root path (“/”). These entries seem to contain crash data logs that might include serial numbers, user IDs, and other sensitive information that might help an attacker gain further access to these devices.
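The third finding above comes down to a signing endpoint that accepts an arbitrary bucket path, including the root, so a signed request doubles as a directory listing. The following is an added example written for this article, not Bitdefender's or Eufy's code, of how such an endpoint should be policed: every key is validated as a single object under the caller's own prefix before anything is signed, and the storage side rejects expired or altered signatures. The `users/<id>/<object>` layout, the bucket name, the secret and the simplified HMAC scheme (a stand-in for a provider's presigned-URL mechanism) are all assumptions of the example.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import quote

# Constructed placeholder values: a real service keeps the secret in a
# secrets manager and signs with the cloud provider's own scheme.
SIGNING_SECRET = b"constructed-demo-secret-not-a-real-key"
BUCKET = "example-media-bucket"
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


class SigningError(ValueError):
    """Raised when a signing request is refused by policy."""


def validate_object_key(user_id: str, requested_key: str) -> str:
    """Return the key if it names exactly one object under the caller's own
    prefix; otherwise raise SigningError.

    These checks close the hole described in the report: the endpoint must
    never sign the bucket root ("/"), a bare prefix, or a path outside the
    caller's area, because a signed prefix is a signed directory listing.
    """
    if not SEGMENT_RE.match(user_id):
        raise SigningError("malformed user id")
    if not requested_key or requested_key.startswith("/"):
        raise SigningError("empty or absolute key")
    segments = requested_key.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise SigningError("empty, '.' or '..' path segment")
    if not all(SEGMENT_RE.match(seg) for seg in segments):
        raise SigningError("disallowed characters in key")
    # Key layout users/<id>/<object> is an assumption of this example.
    if not requested_key.startswith(f"users/{user_id}/"):
        raise SigningError("key is outside the caller's prefix")
    return requested_key


def is_signable(user_id: str, requested_key: str) -> bool:
    """Convenience wrapper: True if the policy would allow signing."""
    try:
        validate_object_key(user_id, requested_key)
        return True
    except SigningError:
        return False


def _string_to_sign(method: str, key: str, expires: int) -> bytes:
    # Method, bucket, key and expiry are all bound into the signature.
    return f"{method}\n{BUCKET}\n{key}\n{expires}".encode()


def sign_request(user_id, requested_key, method="GET", ttl_seconds=300, now_ts=None):
    """Policy-checked, time-limited HMAC signature for one object."""
    if method not in ("GET", "PUT"):
        raise SigningError("method not allowed")
    key = validate_object_key(user_id, requested_key)
    now_ts = int(time.time()) if now_ts is None else int(now_ts)
    expires = now_ts + ttl_seconds
    sig = hmac.new(SIGNING_SECRET, _string_to_sign(method, key, expires),
                   hashlib.sha256).hexdigest()
    url = (f"https://{BUCKET}.storage.example.invalid/{quote(key)}"
           f"?Expires={expires}&Signature={sig}")
    return {"method": method, "key": key, "expires": expires,
            "signature": sig, "url": url}


def verify_signature(method, key, expires, signature, now_ts=None) -> bool:
    """Storage-side check: reject expired or tampered requests."""
    now_ts = int(time.time()) if now_ts is None else int(now_ts)
    if now_ts > expires:
        return False
    expected = hmac.new(SIGNING_SECRET, _string_to_sign(method, key, expires),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed requests: one legitimate object and several that must be refused.
    for uid, key in [("alice", "users/alice/cam-0001.mp4"),
                     ("alice", "/"),
                     ("alice", "users/alice/"),
                     ("alice", "users/bob/cam-0002.mp4"),
                     ("alice", "users/alice/../bob/crash.log")]:
        print(f"{key!r:40} -> {'signed' if is_signable(uid, key) else 'refused'}")
```

The design point is that the random string in an uploaded file's name only protects objects whose key is never revealed; once the signing endpoint will vouch for a prefix, that protection is gone, so the fix belongs in the signer's policy rather than in the naming scheme.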
Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.
Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices and to identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.
To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.