Many brands of webcams, security cameras, pet and baby monitors use a woefully insecure cloud-based remote control system that can allow hackers to take over devices by performing Internet scans, modifying the device ID parameter, and using a default password to gain control over the user's equipment and its video stream.

In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream. The mobile app requires the user to enter a device ID and a password found on the device's box or the device itself. Under the hood, the mobile app connects to the vendor's backend cloud server, and this server establishes connections to each of the user's devices in turn, based on the device ID and the last IP address the device has reported from.

Last year, Security Research Labs (SRLabs) published a report and gave a talk at a security conference in Berlin about this issue. The company found that several vendors were using this "camera management scheme" but were using sequential IDs for their devices with default passwords such as "123," "123456," or "888888." The company found over 810,000 devices exposed this way.

SRLabs said that because the IDs weren't randomly generated, it was trivial for an attacker to create a script that connects to the vendor's backend cloud server and attempts to add devices by cycling through the sequential device IDs and using the default password. This simple scheme allows hackers to add hijacked cameras to their own Android apps, and interact with the camera or watch its video stream.

Security firm tracks real vendor behind many resellers

Yesterday, security researchers from SEC Consult published a report that analyzed the device involved in a recent spying scandal. Earlier this month, a mother from South Carolina complained that a hacker took control over her baby monitor and started moving the camera around the room as she was taking care of her child. The mother posted her account of the event on Facebook, which was later picked up by several news outlets.

SEC Consult looked at the baby monitor used in that case, a FREDI pet and baby monitor, and discovered the same vulnerable management model that involved a mobile app, a remote cloud server, and a device with sequential IDs and a default password of "123."

Researchers tracked the FREDI devices to a Chinese company named "Shenzhen Gwelltimes Technology Co., Ltd." They said this is a vendor of white-label security cameras and baby monitors that sells devices to other vendors across the world. The reseller companies order entire batches of Shenzhen Gwelltimes cameras with their own brand and customized manuals, and then turn around to re-sell these cameras on Amazon or in their countries. All these rebranded devices use the same Gwelltimes cloud service and Gwelltimes app (named Yoosee) to let customers manage devices.

The privacy implications are enormous

The Yoosee app has over 1 million installs through the Google Play Store alone, meaning that millions of video streams can be easily accessible through this service. "Obviously, the device and the cloud service is not GDPR compliant," SEC Consult said. "Here we have a Chinese company that is never mentioned anywhere, developing insecure products and sending our most private information home to their Chinese servers."