Eufy Wireless Camera DoS

Eufy wireless cameras consist of a NVR called the home base and the cameras. The home base is marketed as WiFi 2.4 and sub GHz wireless.

The cameras appear autonomous and use the sub GHz for command and control. When a camera performs a recording. The 2.4GHz wifi will startup and the home base will store the recording on the MMC/SD card plugged into the home base.

The DoS attack works the same way as a normal WiFi deauthentication attack. The MAC of all the devices is readily available. The SSID is hidden but still discoverable. And the said appears to be generated in the same way as a home router.

The way the attack is most successful. When the camera wakes run airdump-ng. Then use airreplay-ng to deauthenticate against the bssid. When the camera reconnects it will display the ssid of the base station.

When you get the ssid of the base station. Start up airbase-ng and start an AP spoofing the ssid of the access point and turn up the power. Script some deauthentication runs on the base stations bssid. When the camera reconnects it will begin dumping all its footage out addresses to the wrong bssid.

Most of the footage is discarded in this process.

I would expect this attack would work on most WiFi based cameras. Eufy cameras are also susceptible to deauthentication on the broadcast address, ff:ff:ff:ff:ff:ff.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s