Anker Eufy smart home hubs exposed to RCE attacks by critical flaw
Anker’s central smart home device hub, Eufy Homebase 2, was vulnerable to three vulnerabilities, one of which is a critical remote code execution (RCE) flaw.
Homebase 2 is the video storage and networking gateway for all Anker’s Eufy smart home devices, including video doorbells, indoor security cameras, smart locks, alarm systems, and more.
Homebase operates as a central station for Eufy devices, and it connects to the cloud to provide services that enhance the functionality of those products, give users remote control via an app, etc.
Researchers at Cisco Talos have discovered that Homebase 2 is plagued by three potentially dangerous vulnerabilities that could result in privacy intrusion, service disruption, and code execution.
Three dangerous flaws
The most severe of the trio, CVE-2022-21806 is a critical (CVSS: 10.0) RCE triggered by sending a specially-crafted set of network packets to the target device.
The flaw lies in a user-after-free problem in the functionality of an internal server that Homebase uses to receive specifically formatted messages from the network, such as for device pairing, configuration, etc.
The second vulnerability, tracked as CVE-2022-26073, is a high-severity (CVSS: 7.4) problem also triggered remotely by sending a set of specially crafted network packets.
Exploitation puts the device in a reboot state, so the main repercussion is a denial of service. However, in the context of impacting home security systems, there are several scenarios when this flaw would come in handy to malicious actors.
Finally, there’s CVE-2022-25989, a high-severity (CVSS: 7.1) authentication bypass problem triggered with a specially-crafted DHCP packet, forcing Homebase to send traffic to an external server.
An attacker might be able to exploit this flaw to receive the video feed from connected camera devices and spy on the owners.
Fixes are available
Cisco Talos reported the above problems to Anker before disclosure, allowing them time to resolve the issues via security updates.
Anker addressed these security vulnerabilities by releasing firmware versions 220.127.116.11 and 18.104.22.168h, which came out in April 2022.
That means that most of the Homebase 2 devices out there that haven’t updated their firmware after purchase are vulnerable to the above flaws.
Cisco provided in-depth technical details on exploiting the above flaws, so threat actors could use the available information to launch actual attacks.
The easiest way to update your Eufy device’s firmware is through the app, which is explained on this support webpage.