“Those aren’t my kids!” – Eufy camera owners report video mixups

Users of video cameras from home gadget maker Eufy are reporting that their video feeds seem to have been getting mixed up.

Apparently, it’s not so much that anyone could sneakily login as user X and snoop on X’s video feed remotely…

…more a case that sometimes, when existing user X logged in, they ended up looking at Y’s account instead.

From what we’ve seen, user X couldn’t force this mixup to happen, and if it did, then X couldn’t predict who Y was going to be.

In other words, the glitch, if indeed there was one, doesn’t seem to have been reliably exploitable for any sort of targeted attack.

Indeed, one user in Australia noted that he and his wife, each supposedly hooked up to the same account under their own email addresses, ended up redirected to two completely different accounts and each had access to unrelated but incorrect feeds.

This isn’t the first time we’ve heard of a SNAFU like this, where virtual wires got crossed inside a video surveillance company’s own back end, causing customers not only to lose track of their own video cameras but also to gain access to someone else’s.

In one case, three years ago, a user of a cloud video service offered by a UK company called Swann received a video notification that showed surveillance footage from the kitchen…

…just not the kitchen in the user’s own house.

Amusingly, if that is the right word, the victim in this incident just happened to be a BBC staffer, relaxing at the weekend, who was gifted an ideal story to write up in the upcoming week.

In that incident, the camera vendor blamed human error, with two cameras accidentally set up with a “unique identifier” that wasn’t unique at all, leaving the system unable to decide which camera belonged to which account.
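To show what a non-unique “unique identifier” does to feed routing, here is an added example in Python, not code from this article, Swann or Eufy: a registry keyed only on the camera identifier lets a second device claiming the same identifier silently take over the mapping, so clips from both physical cameras land in one account, while the checked version rejects the duplicate at registration and verifies ownership before serving a feed. The camera ids, account names and class names are constructed for the illustration.

```python
# Added illustration, not code from the article or either camera vendor: a
# camera registry keyed on an identifier that is not actually unique, beside
# a version that refuses duplicates and checks ownership on every feed request.
class DuplicateCameraId(Exception): pass  # a second device claims an id in use
class NotAuthorized(Exception): pass      # an account asks for a feed it does not own

class NaiveRegistry:
    """Weak form: mapping keyed only by camera id, last writer wins."""
    def __init__(self):
        self.owner_of = {}  # camera_id -> account

    def register(self, camera_id, account):
        self.owner_of[camera_id] = account  # silently replaces any earlier owner

    def route_upload(self, camera_id):
        # A clip arrives tagged camera_id; whoever currently owns that id gets
        # it, regardless of which physical camera actually sent it.
        return self.owner_of.get(camera_id)

class CheckedRegistry:
    """Hardened form: ids must be unique and every feed request is authorised."""
    def __init__(self):
        self.owner_of = {}

    def register(self, camera_id, account):
        if camera_id in self.owner_of:
            raise DuplicateCameraId(camera_id)
        self.owner_of[camera_id] = account

    def open_feed(self, camera_id, account):
        if self.owner_of.get(camera_id) != account:
            raise NotAuthorized(f"{account} does not own {camera_id}")
        return f"stream:{camera_id}"

def simulate_collision():
    """Constructed scenario: two physical cameras both shipped with id cam-0001."""
    naive = NaiveRegistry()
    naive.register("cam-0001", "alice")
    naive.register("cam-0001", "bob")  # alice loses her camera, no error raised
    # Both devices upload as cam-0001, so both clips are delivered to bob.
    misrouted = [naive.route_upload("cam-0001") for _dev in ("alice-cam", "bob-cam")]
    checked = CheckedRegistry()
    checked.register("cam-0001", "alice")
    try:
        checked.register("cam-0001", "bob")
        rejected = False
    except DuplicateCameraId:
        rejected = True
    return {"misrouted_to": misrouted, "duplicate_rejected": rejected}
```

The same ownership check in `open_feed` also covers the login-time mixup described for Eufy: a session is only ever handed streams whose registered owner is the authenticated account.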

Although the vendor dismissed it as a “one off”, the BBC tracked down an even more amusing (though no less worrying) occurrence of the same problem, in which a user received a surveillance video of a property that looked like a pub.

With a few days of search engine wrangling, that user managed to identify the pub online, only to find out that it was, by fluke, just 5 miles away.

So he went there and took a picture of himself in the beer garden, via the pub landlord’s webcam, but using his own online account:

We haven’t seen any reports from Eufy users who have actually managed to recognise anyone (or any locations) in the video feeds that they claim to have seen by mistake.

Nevertheless, we don’t doubt that many video feeds will, at least some of the time, give away personal details or precise location information that really ought to be kept private.

What to do?

The problem here is that even if this turns out to be a transient server-side problem that has now been sorted out, rather than an exploitable vulnerability in the camera firmware or the company’s app, the question remains, “What if it happens again?”

Indeed, you can argue that a cybersecurity problem that gets tracked down to a vulnerability in an app that you can then update, and where you can verify for yourself that you have updated, can more comfortably be considered a “closed bug” than a security glitch that appears for a while and then apparently vanishes without explanation.

Our advice is therefore:

  • Watch for an official update from Eufy that comments on what happened. We assume that any such statement will not only describe what went wrong, if anything, but also what has been done to reduce the chance of it happening again.
  • Identify any cameras that could reveal sensitive information if someone else saw the feed, even by chance. Consider turning them off until this alleged problem is explained away. For example, a general “who’s there” view of a warehouse frontage that can be seen from the street anyway is probably worth leaving on, while a camera inside your living area probably isn’t.
  • If you end up connected to someone else’s video feed by mistake, do the right thing and get out early. It’s tempting to “take a peek” on the grounds that it’s not your fault that the feeds got mixed up, but if you know that the data is supposed to be private, do the right thing and keep it that way until the issue is fixed.

Oh, and if you hear any more from Eufy (we can’t find a statement on their website yet [2021-05-17T14:45Z]), please let us know by emailing tips@sophos.com or by commenting below…