This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.
Your camera’s 16-digit serial number — likely visible on the box — is the biggest part of the key.
But it also gets worse: Eufy’s best practices appear to be so shoddy that bad actors might be able to figure out the address of a camera’s feed — because that address largely consists of your camera’s serial number encoded in Base64, something you can easily reverse with a simple online calculator.
On the plus side, Eufy’s serial numbers are long at 16 characters and aren’t just an increasing number. But we also don’t know how else these serial numbers might leak, or if Eufy might even unwittingly provide them to anyone who asks.
Thompson also wonders whether there are other potential attack vectors now that we know Eufy’s cameras aren’t wholly encrypted: “If the architecture is such that they can order the camera to start streaming at any time, anyone with admin access has the ability to access the IT infrastructure and watch your camera,” he warns.
Most worrying if true, he also claims that Eufy’s encryption key for its video footage is literally just the plaintext string “ZXSecurity17Cam@”.
Wasabi, the security engineer who showed us how to get a Eufy camera’s network address, says he’s ripping all of his out.