eufy

Anker’s central smart home device hub, Eufy Homebase 2, was vulnerable to three vulnerabilities, one of which is a critical remote code execution (RCE) flaw.

Homebase 2 is the video storage and networking gateway for all Anker’s Eufy smart home devices, including video doorbells, indoor security cameras, smart locks, alarm systems, and more.

Homebase operates as a central station for Eufy devices, and it connects to the cloud to provide services that enhance the functionality of those products, give users remote control via an app, etc.

Researchers at Cisco Talos have discovered that Homebase 2 is plagued by three potentially dangerous vulnerabilities that could result in privacy intrusion, service disruption, and code execution.

Three dangerous flaws

The most severe of the trio, CVE-2022-21806 is a critical (CVSS: 10.0) RCE triggered by sending a specially-crafted set of network packets to the target device.

The flaw lies in a user-after-free problem in the functionality of an internal server that Homebase uses to receive specifically formatted messages from the network, such as for device pairing, configuration, etc.

The second vulnerability, tracked as CVE-2022-26073, is a high-severity (CVSS: 7.4) problem also triggered remotely by sending a set of specially crafted network packets.

Exploitation puts the device in a reboot state, so the main repercussion is a denial of service. However, in the context of impacting home security systems, there are several scenarios when this flaw would come in handy to malicious actors.

Repeated crash that causes device reboot
Crash that causes device reboot if repeated multiple times (Cisco Talos)

Finally, there’s CVE-2022-25989, a high-severity (CVSS: 7.1) authentication bypass problem triggered with a specially-crafted DHCP packet, forcing Homebase to send traffic to an external server.

An attacker might be able to exploit this flaw to receive the video feed from connected camera devices and spy on the owners.

Fixes are available

Cisco Talos reported the above problems to Anker before disclosure, allowing them time to resolve the issues via security updates.

Anker addressed these security vulnerabilities by releasing firmware versions 3.1.8.7 and 3.1.8.7h, which came out in April 2022.

That means that most of the Homebase 2 devices out there that haven’t updated their firmware after purchase are vulnerable to the above flaws.

Cisco provided in-depth technical details on exploiting the above flaws, so threat actors could use the available information to launch actual attacks.

The easiest way to update your Eufy device’s firmware is through the app, which is explained on this support webpage.

Related Articles:

CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites

VMware fixes critical vCenter RCE vulnerability, patch now

Widely used modems in industrial IoT devices open to SMS attack

PHP fixes critical RCE flaw impacting all versions for Windows

Zyxel issues emergency RCE patch for end-of-life NAS devices