Security Bits Logo no alpha channel

Security Bits — 11 December 2022 Deep Dives on Eufy Credibility Problems and Apple New Security Features

Feedback & Followups

Deep Dive 1 — Eufy Destroy their Credibility

A security researcher found that Eufy’s cameras interact with the cloud in ways that go against Eufy’s promises, and are fundamentally flawed in terms of their design.

The details are complex, and there are lots of twists and turns. Rather than re-tell the whole saga, I’m just going to summarise the important facts as I understand them.

The three problems found:

  1. Thumbnails — with some notification settings, thumbnails of videos get uploaded to Eufy’s cloud. This was initially done without informing users, but Eufy have issued guidance explaining which settings do and don’t result in the uploads, so if thumbnails being uploaded concerns you, you’ll need to check your settings.
  2. Unencrypted Video Streams — this is the single biggest problem. Eufy promise end-to-end encryption, and yet, for each camera there exists an obfuscated URL that provides an unencrypted live stream from the camera. If the streams really were end-to-end encrypted, that would be impossible, by definition! Eufy have made the URLs harder to find, but they still exist, and it’s not clear if they’re going to be truly removed.
  3. A Flawed Design — the live stream URLs that should be impossible are obscured through apparent complexity, but actually, they’re derived from the serial number, and various API calls revealed that information. Eufy have removed the serial number leaks researchers are currently aware of, but since serial numbers are not considered secret, there’s every chance they’re still leaking in other ways researchers haven’t found yet. Much worse is that the design is fundamentally unsound. Security should not depend on non-secret identifiers, and definitely not on non-secret identifiers that can’t be changed. This terrible design choice makes it impossible to safely use a secondhand Eufy camera.

Eufy’s Response to Date:

  1. False categorical denials
  2. Unwarranted down-playing of the seriousness
  3. Technical changes to hide rather than fix the problem

Trust is fundamental to something as inherently dangerous as a network-connected camera. Eufy have squandered that trust, and I can’t see how they could ever earn it back. Personally, this has put me off the entire Anker stable, which makes me very sad, because I like their chargers and SoundCore-branded headphones.

I noticed while reading the various stories that it’s not just me who’s lost trust in Eufy — many of the researchers and journalists highlighted the fact that they’d removed all Eufy’s gear from their homes.

Solution if you already have Eufy Cams — HomeKit Secure Video

  1. Make sure your camera supports HomeKit
  2. Become any level of iCloud+ (paid-for storage)
  3. Learn about HomeKit Secure Video support article at support.apple.com/…
  4. How to Set Up HomeKit on Eufy Cams support.eufy.com/…

Further Reading

Deep Dive 2 — Apple Announce New Security Features

Apple have pre-announced three important up-coming security enhancements, and, a little more quietly, the formal end of their controversial previously suspended CSAM plans.

CSAM Scanning Officially Cancelled

Apple had planned a controversial system which would scan photos about to be uploaded to iCloud for matches to known child abuse images on the user’s devices before the upload. This was widely seen as paving the way for Apple to introduce full end-to-end encryption for iCloud photos without causing too much controversy. Ironically, the attempt to avoid making full encryption controversial proved catastrophically controversial, and Apple have now officially abandoned the project.

New Feature 1 — iMessage Contact Key Verification

The most substantial security-based criticism of Apple’s messaging service has been the lack of transparency in how encryption keys are managed. The design uses strong end-to-end encryption based on each iOS device having a public/private key-pair, and each message being encrypted with each participant’s public key. For that to work you need to be sure the public key you have for someone really is theirs, and not that of an eves dropper.

Until now Apple have silently managed the key exchanges, and we have simply had to trust that Apple were not making mistakes or being forced to add extra keys for law enforcement through secret court orders. Given how strongly they fought the FBI when they tried force Apple to unlock a terrorist’s iPhone some years ago, that trust seemed reasonable, but it’s still trust it would be nice to avoid needing.

One obvious solution would be to require users to distribute their own public keys through some other communication channel, but that would be utterly impractical — who has time to do that kind of thing? The app that comes closest to that approach is Threema which colour codes keys by the level of trust you are being asked to have in each key — red for keys shared by the app on the user’s behalf, green for keys directly shared by scanning each other’s QR codes, and orange for keys vouched for by a directly shared key. Threema is not a popular app, and this complex key exchange model probably has something to do with that!

Thankfully Signal has shown the way — the official Signal app shares the keys automatically as Apple does, but, it also allows you to verify the keys by representing them as a visual fingerprint — if you and I both see the same image for my key, then we know you have my real key, and ditto for my key.

This is the approach Apple are taking — they’ll keep doing the work, but we’ll be able to verify it’s been done correctly.

This new feature is rolling out ‘in 2023’.

New Feature 2 — Security Keys for Apple ID

Users will be able to opt in to requiring 2FA with a hardware token on their Apple IDs. The press release is low on detail, but it seems almost certain Apple will use the FIDO standard for hardware tokens to implement this feature.

This will be a nice option for high-value targets.

The official launch target is ‘early 2023’.

New Feature 3 — Advanced Data Protection for iCloud

This is by far the biggest announcement.

At the moment Apple only provide full end-to-end encryption for especially sensitive iCloud data like passwords and health data, but with this new feature Apple will allow having all iCloud data not associated with pre-security protocols like email to be fully end-to-end encrypted.

The advantage is total privacy — your devices will have the only keys. The disadvantage is total privacy, if you lose all your devices and forget your passwords you’ve lost everything — not even Apple will be able to help you! A side-effect of this security enhancement is that Apple also can’t help law enforcement.

If Apple don’t have the encryption keys they can’t lose then, share them, or return them to you.

This feature is available now to beta users in the US, and will roll out to everyone else in ‘early 2023’.

Further Reading

❗ Action Alerts

Worthy Warnings

  • Google have moved Google Maps from its own sub-domain onto the primary Google domain, bringing a massive loss of privacy many may not realise – if you let your browser share location data with Maps, you’ve just granted all of Google’s web apps your locationdaringfireball.net/… (Editorial by Bart: this is a really slimy move, and makes a total mockery of Google’s recent settlement with the US government over misleading location privacy settings)
  • Details, including email address and phone number, of 5.4 million Twitter users that leaked through an API bug earlier in the year have been published — www.bleepingcomputer.com/…
  • LastPass have announced that they detected and stopped another security breach that used information stolen in their major breach in August to get in again. LastPass are still investigating the full scope of the breach, but like before, users passwords are end-to-end encrypted, so they can’t have been taken by the attackers — nakedsecurity.sophos.com/…
  • Mike Price Listener Submitted: after seriously messing it up, Disney have rolled back their rollout of 2FA for the Disney Vacation Club (the password was not being checked, only the 2FA code was!) They’ll try again in a few months — dvcfan.com/…

Notable News

Excellent Explainers

Palate Cleansers

  • From Bart:
    • An amazing ‘selfie’ from Artemis One looking back towards earth from the far side of the Moon showing itself in the foreground, the Moon, and the Earth in the background — apod.nasa.gov/…
  • From Allison:
    • an amazing gallery of images of Jupiter and its moons taken by the Juno probe — www.nasa.gov/…
    • 🎦 A stunning video of Mars’s moon Phobos passing between the ESA Mars Express orbiter and the surface of the planet — fosstodon.org/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top