Privacy/Security assessment of Ezviz home security cameras?

Hello PG community,

My uncle installed Ezviz cameras and had family install mobile apps to be able to view feeds on their phones.

I’m wondering if someone with technical knowledge here can advise on their privacy/security situation? I’m not knowledgeable enough to be able to do that.

How would I go about assessing? I’m guessing I can read their privacy policy (but that also requires some experience to understand what’s loose and what’s boilerplate, what’s problematic and what’s genuine).

I could look into local only (no cloud) options if that’s available.

I searched the forum here and there’s no previous mention of Ezviz. I also searched privacy subreddits and there’s nothing much there either. A normal web search found that Bitdefender revealed serious vulnerabilities in 2022, but I think they were addressed and patched.

Would appreciate any input from you guys,

Thanks

There are multiple ways IoT devices like cameras can be hacked. There’s a saying in the community that “The ‘S’ in IoT stands for Security”. I would need a reference here, but pretty much every home camera company had a good number of vulnerabilities in their software, or simply unrestricted access to streams.

I’ve found that Ezviz cameras in 2022 had been prone to remote access. At the time, Bitdefender identified 4 different vulnerabilities. This just goes to show how broad this issue is.

If you want to assess the risk, look up when the breaches occurred and how they happened. There’s always room for improvement, like disabling unnecessary features. Making the cameras completely cut off from the internet is one of the best ideas imo. But then it defeats some of the purpose, as you won’t be able to check up on your house.

References from reddit, as you told us you searched for them:


Hi and thanks for your response. Yeah, I’m aware of those vulns as I mentioned them in the OP. So I was looking into the option of using these cameras offline only. As you also said, this might disable the ability to check them on a phone. I found this useful link.

But my question is, can’t I have a sort of wifi network that’s local only and not connected to their cloud? I don’t know VPNs, DNS, servers, blah blah. I don’t know shit about those tbh, but theoretically would it be possible?

If you want to assess the risk, look up when the breaches occurred and how they happened.

I’m not an expert to assess this tbh. But it seems from the Bitdefender blog post that they were happy with the response time.

Now, tbh I’m wondering about privacy more than security (if the above seems reasonable). If I’m connected to their cloud, how much access do they have? Is it e2ee? I thought the privacy policy on their website would show it, but either I lack the exp. to understand it or I’m correct that they’re only referring to the privacy on the website.

What do you think?

wifi network that’s local only and not connected to their cloud

If the company doesn’t explicitly tell you that you can use them locally, you probably can’t at all. Such cameras connect to their cloud, just as your phone does. You fetch data from them (the cloud), not from the cameras themselves. It’s just how it works. Cameras interact with the API (an interface, like a catalogue in a magazine), and connect to the servers.

vpns, dns, servers

VPNs would tunnel your connection from your device to their servers. You can’t “bend” that tube to make it camera=phone.
DNS resolves text like “ezviz.com” to IP: 115.238.23.21, irrelevant.
Servers: Even if you had your own servers, you wouldn’t be able to interact with the API the way these cameras do. The API, the management mechanism, runs on Ezviz servers.

You can’t make this completely local without sacrificing features.

I’m not an expert to assess this tbh

You don’t have to be. Ask yourself “How likely is it that my cameras are going to be hacked?”, “What would I lose?”, “What could a hacker gain?”.

There are several tables on the internet that can help you with the assessment. I don’t believe you need an expert for that matter.

bitdefender blog post that they were happy with the response time

Fixing an issue promptly is a nice thing to see. But if you yourself expose your camera to the internet through improper configuration, Ezviz pretty much has nothing to do with that, and neither they nor you will know unless it’s noticed.

I’m wondering about privacy

IoT cameras are never private. In my eyes IoT in general is one of the least private fields of IT.
Also, if you use cloud services for anything, you must know that they aren’t private. Even services like Proton need to collect some type of data.

how much access do they have?

I believe they might have all of the access - even more than you do. That’s the thing with cloud services and IoT.

Is it e2ee?

That I couldn’t tell you. You can check it for yourself with network sniffers like Wireshark. If all of the packets go through HTTPS, it’s probably e2ee. It just means that nobody from outside your connection can see what’s inside. It does NOT mean that the connection is secure as a whole. We won’t know how the servers process data, and history shows that most IoT companies don’t care about this. That’s why there were breaches where cameras were exposed to the whole internet.

This isn’t a technical specification. Most companies don’t tell their secrets. They would tell you that “Your privacy and security is valuable to us”, and that’s pretty much it…

I lack the exp. to understand it

Here to help you. For some things you need to use web search though.

they’re only referring to the privacy on the website

They’re referring to the privacy as a whole. Every company in the world would tell you the same. And breaches still happen, because ultimately they don’t care.

I’m not trusting companies with my privacy, especially if it involves my household.