{"id":27407,"date":"2022-12-11T13:17:27","date_gmt":"2022-12-11T21:17:27","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27407"},"modified":"2022-12-11T13:17:27","modified_gmt":"2022-12-11T21:17:27","slug":"sb-2022-12-11","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/12\/sb-2022-12-11\/","title":{"rendered":"Security Bits \u2014 11 December 2022 Deep Dives on Eufy Credibility Problems and Apple New Security Features"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The Twitter Chaos Continues:\n<ul>\n<li>&#x1f1ea;&#x1f1fa; EU Commissioner Thierry Breton has warned Twitter that it needs to bring its moderation practices up to speed before the Digital Services Act (DSA) goes into effect next year \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/30\/twitter-faces-ban-in-eu-over-too-loose-content-moderation\">appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; <strong>Related:<\/strong> an excellent interview with Twitter&#8217;s former chief safety officer \u2014 <a href=\"https:\/\/overcast.fm\/+7_XR5-gSw\">On with Kara Swisher: Why Twitter\u2019s Former Safety Chief Left Elon Musk \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/07\/ios-162-implements-10-minute-airdrop-time-limit-globally\">iOS 16.2 implements 10-minute AirDrop time limit globally \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>Google Chrome&#8217;s Passkeys support comes out of beta and into the official releases \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/09\/google-chrome-now-supports-passkeys-to-eventually-replace-passwords\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 Eufy Destroy their Credibility<\/h2>\n<p>A security 
researcher found that Eufy&#8217;s cameras interact with the cloud in ways that go against Eufy&#8217;s promises, and are fundamentally flawed in terms of their design.<\/p>\n<p>The details are complex, and there are lots of twists and turns. Rather than re-tell the whole saga, I&#8217;m just going to summarise the important facts as I understand them.<\/p>\n<p>The three problems found:<\/p>\n<ol>\n<li><strong>Thumbnails<\/strong> \u2014 with some notification settings, thumbnails of videos get uploaded to Eufy&#8217;s cloud. This was initially done without informing users, but Eufy have issued guidance explaining which settings do and don&#8217;t result in the uploads, so if thumbnails being uploaded concerns you, you&#8217;ll need to check your settings.<\/li>\n<li><strong>Unencrypted Video Streams<\/strong> \u2014 this is the single biggest problem. Eufy promise end-to-end encryption, and yet, for each camera there exists an obfuscated URL that provides an unencrypted live stream from the camera. If the streams really were end-to-end encrypted, that would be impossible, by definition! Eufy have made the URLs harder to find, but they still exist, and it&#8217;s not clear if they&#8217;re going to be truly removed.<\/li>\n<li><strong>A Flawed Design<\/strong> \u2014 the live stream URLs that should be impossible are obscured through apparent complexity, but actually, they&#8217;re derived from the serial number, and various API calls revealed that information. Eufy have removed the serial number leaks researchers are currently aware of, but since serial numbers are not considered secret, there&#8217;s every chance they&#8217;re still leaking in other ways researchers haven&#8217;t found yet. Much worse is that the design is fundamentally unsound. Security should not depend on non-secret identifiers, and definitely not on non-secret identifiers <strong>that can&#8217;t be changed<\/strong>. 
This terrible design choice makes it <strong>impossible to safely use a secondhand Eufy camera<\/strong>.<\/li>\n<\/ol>\n<p>Eufy&#8217;s Response to Date:<\/p>\n<ol>\n<li>False categorical denials<\/li>\n<li>Unwarranted down-playing of the seriousness<\/li>\n<li>Technical changes to hide rather than fix the problem<\/li>\n<\/ol>\n<p>Trust is fundamental to something as inherently dangerous as a network-connected camera. Eufy have squandered that trust, and I can&#8217;t see how they could ever earn it back. Personally, this has put me off the entire Anker stable, which makes me very sad, because I like their chargers and SoundCore-branded headphones.<\/p>\n<p>I noticed while reading the various stories that it&#8217;s not just me who&#8217;s lost trust in Eufy \u2014 many of the researchers and journalists highlighted the fact that they&#8217;d removed all Eufy&#8217;s gear from their homes.<\/p>\n<p>Solution if you already have Eufy Cams \u2014 HomeKit Secure Video<\/p>\n<ol>\n<li>Make sure your camera supports HomeKit<\/li>\n<li>Subscribe to any level of iCloud+ (paid-for storage)<\/li>\n<li>Read the HomeKit Secure Video support article at <a href=\"https:\/\/support.apple.com\/guide\/icloud\/set-up-homekit-secure-video-mm7c90d21583\/icloud\" target=\"%5Fblank\" rel=\"noopener\">support.apple.com\/&#8230;<\/a> <\/li>\n<li>Follow Eufy&#8217;s guide on how to set up HomeKit on Eufy Cams at <a href=\"https:\/\/support.eufy.com\/s\/article\/How-to-Setup-HomeKit-for-HomeKit-Enabled-Security-Devices\" target=\"%5Fblank\" rel=\"noopener\">support.eufy.com\/&#8230;<\/a><\/li>\n<\/ol>\n<h3>Further Reading<\/h3>\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.theverge.com\/2022\/11\/30\/23486753\/anker-eufy-security-camera-cloud-private-encryption-authentication-storage\">Anker\u2019s Eufy lied to us about the security of its security cameras \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/www.macobserver.com\/news\/eufy-says-its-security-cameras-are-local-only-but-thats-not-always-true\/\">Eufy Says Its Security Camera Footage Is Local-Only, But That\u2019s Not Always True \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/29\/eufy-cameras-upload-content-to-the-cloud-without-owners-knowledge\">Eufy cameras upload content to the cloud without owners knowledge \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/06\/eufy-not-patching-cameras-instead-just-warning-users-about-cloud-use\">Eufy not patching cameras, instead just warning users about cloud use \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/eufy-wont-patch-potential-security-issue-affecting-its-video-doorbells-instead-adds-disclaimer\/\">Eufy Doesn\u2019t Patch Potential Security Issue Affecting Its Video Doorbells, Instead Adds Disclaimer \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 Apple Announce New Security Features<\/h2>\n<p>Apple have pre-announced three important up-coming security enhancements, and, a little more quietly, the formal end of their controversial previously suspended CSAM plans.<\/p>\n<h3>CSAM Scanning Officially Cancelled<\/h3>\n<p>Apple had planned a controversial system which would scan photos about to be uploaded to iCloud for matches to known child abuse images on the user&#8217;s devices before the upload. This was widely seen as paving the way for Apple to introduce full end-to-end encryption for iCloud photos without causing too much controversy. 
Ironically, the attempt to avoid making full encryption controversial proved catastrophically controversial, and Apple have now officially abandoned the project.<\/p>\n<h3>New Feature 1 \u2014 iMessage Contact Key Verification<\/h3>\n<p>The most substantial security-based criticism of Apple&#8217;s messaging service has been the lack of transparency in how encryption keys are managed. The design uses strong end-to-end encryption based on each iOS device having a public\/private key-pair, and each message being encrypted with each participant&#8217;s public key. For that to work you need to be sure the public key you have for someone really is theirs, and not that of an eavesdropper.<\/p>\n<p>Until now Apple have silently managed the key exchanges, and we have simply had to trust that Apple were not making mistakes or being forced to add extra keys for law enforcement through secret court orders. Given how strongly they fought the FBI when they tried to force Apple to unlock a terrorist&#8217;s iPhone some years ago, that trust seemed reasonable, but it&#8217;s still trust it would be nice to avoid needing.<\/p>\n<p>One obvious solution would be to require users to distribute their own public keys through some other communication channel, but that would be utterly impractical \u2014 who has time to do that kind of thing? The app that comes closest to that approach is Threema, which colour-codes keys by the level of trust you are being asked to have in each key \u2014 red for keys shared by the app on the user&#8217;s behalf, green for keys directly shared by scanning each other&#8217;s QR codes, and orange for keys vouched for by a directly shared key. 
Threema is not a popular app, and this complex key exchange model probably has something to do with that!<\/p>\n<p>Thankfully Signal has shown the way \u2014 the official Signal app shares the keys automatically as Apple does, but it also allows you to verify the keys by representing them as a visual fingerprint \u2014 if you and I both see the same image for my key, then we know you have my real key, and ditto for your key.<\/p>\n<p>This is the approach Apple are taking \u2014 they&#8217;ll keep doing the work, but we&#8217;ll be able to verify it&#8217;s been done correctly.<\/p>\n<p>This new feature is rolling out &#8216;in 2023&#8217;.<\/p>\n<h3>New Feature 2 \u2014 Security Keys for Apple ID<\/h3>\n<p>Users will be able to opt in to requiring 2FA with a hardware token on their Apple IDs. The press release is low on detail, but it seems almost certain Apple will use the FIDO standard for hardware tokens to implement this feature.<\/p>\n<p>This will be a nice option for high-value targets.<\/p>\n<p>The official launch target is &#8216;early 2023&#8217;.<\/p>\n<h3>New Feature 3 \u2014 Advanced Data Protection for iCloud<\/h3>\n<p>This is by far the biggest announcement.<\/p>\n<p>At the moment Apple only provide full end-to-end encryption for especially sensitive iCloud data like passwords and health data, but with this new feature Apple will allow all iCloud data not associated with pre-security protocols like email to be fully end-to-end encrypted.<\/p>\n<p>The advantage is total privacy \u2014 your devices will have the only keys. The disadvantage is also total privacy: if you lose all your devices and forget your passwords you&#8217;ve lost everything \u2014 not even Apple will be able to help you! 
A side-effect of this security enhancement is that Apple also can&#8217;t help law enforcement.<\/p>\n<p><strong>If Apple don&#8217;t have the encryption keys they can&#8217;t lose them, share them, or return them to you.<\/strong><\/p>\n<p>This feature is available now to beta users in the US, and will roll out to everyone else in &#8216;early 2023&#8217;.<\/p>\n<h3>Further Reading<\/h3>\n<ul>\n<li>Apple&#8217;s press release: <a href=\"https:\/\/www.apple.com\/newsroom\/2022\/12\/apple-advances-user-security-with-powerful-new-data-protections\/\">Apple advances user security with powerful new data protections \u2014 www.apple.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1902749\">Apple adds end-to-end encryption to iCloud device backups and more \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/07\/apples-plan-to-scan-iphone-photos-for-child-abuse-material-is-dead\">Apple&#8217;s plan to scan iPhone photos for child abuse material is dead \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/inside\/ios-16\/tips\/how-to-use-advanced-data-protection-apples-other-new-security-features\">How to use Advanced Data Protection &amp; Apple&#8217;s other new security features \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/08\/fbi-deeply-concerned-about-apples-new-security-protections\">FBI &#8216;deeply concerned&#8217; about Apple&#8217;s new security protections \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/11\/28\/chrome-fixes-8th-zero-day-of-2022-check-your-version-now\/\">Chrome fixes 8th zero-day of 2022 \u2013 check your version now (Edge too!) 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/12\/05\/number-nine-chrome-fixes-another-2022-zero-day-edge-not-patched-yet\/\">Number Nine! Chrome fixes another 2022 zero-day, Edge patched too \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/apple-releases-ios-16-1-2-with-security-fixes-and-crash-detection-optimization\/\">Apple Releases iOS 16.1.2 with Security Fixes and Crash Detection Optimization \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Google have moved Google Maps from its own sub-domain onto the primary Google domain, bringing a massive loss of privacy many may not realise \u2013 if you let your browser share location data with Maps, you&#8217;ve just granted <strong>all of Google&#8217;s web apps your location<\/strong> \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2022\/12\/02\/google-maps-location-privacy\">daringfireball.net\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> this is a really slimy move, and makes a total mockery of Google&#8217;s recent settlement with the US government over misleading location privacy settings)<\/li>\n<li>Details, including email address and phone number, of 5.4 million Twitter users that leaked through an API bug earlier in the year have been published \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>LastPass have announced that they detected and stopped another security breach that used information stolen in their major breach in August to get in again. 
LastPass are still investigating the full scope of the breach, but like before, users&#8217; passwords are end-to-end encrypted, so they can&#8217;t have been taken by the attackers \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/12\/02\/lastpass-admits-to-customer-data-breach-caused-by-previous-breach\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>Mike Price Listener Submitted:<\/strong> after seriously messing it up, Disney have rolled back their rollout of 2FA for the Disney Vacation Club (the password was not being checked, only the 2FA code was!) They&#8217;ll try again in a few months \u2014 <a href=\"https:\/\/dvcfan.com\/2022\/12\/02\/dvc-removes-two-factor-authentication-due-to-issues\/\">dvcfan.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/01\/digital-car-keys-can-be-shared-between-iphone-and-pixel-users\">Digital car keys can be shared between iPhone and Pixel users \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+b-m1PTJ6U\">Know a Little More: About Passkey \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong>\n<ul>\n<li>An amazing <em>&#8216;selfie&#8217;<\/em> from Artemis One looking back towards earth from the far side of the Moon showing itself in the foreground, the Moon, and the Earth in the background \u2014 <a href=\"https:\/\/apod.nasa.gov\/apod\/ap221201.html\">apod.nasa.gov\/\u2026<\/a> <\/li>\n<\/ul>\n<\/li>\n<li><strong>From Allison:<\/strong>\n<ul>\n<li>an amazing gallery of images of Jupiter and its moons taken by the Juno probe \u2014 <a 
href=\"https:\/\/www.nasa.gov\/mission_pages\/juno\/images\/index.html\">www.nasa.gov\/\u2026<\/a><\/li>\n<li>&#x1f3a6; A stunning video of Mars&#8217;s moon Phobos passing between the ESA Mars Express orbiter and the surface of the planet \u2014 <a href=\"https:\/\/fosstodon.org\/@andrealuck\/109491462945517246\">fosstodon.org\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. The Twitter Chaos Continues: &#x1f1ea;&#x1f1fa; EU Commissioner Thierry Breton has warned Twitter that it needs to bring its moderation practices up to speed before the Digital Services Act (DSA) goes into effect next year [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"quote","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[5620,46,239,5619,1135,5618,167,5617,50,569],"class_list":["post-27407","post","type-post","status-publish","format-quote","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-advanced-data-protection","tag-apple","tag-camera","tag-eufy","tag-homekit","tag-homekit-secure-video","tag-icloud","tag-secure-camera","tag-security","tag-security-bits","post_format-post-format-quote"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https
:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27407"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27407\/revisions"}],"predecessor-version":[{"id":27410,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27407\/revisions\/27410"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}