Skip to content

In November, Anker’s Eufy brand made headlines after security consultant Paul Moore discovered that Eufy security cameras were sending data to the cloud, even when cloud storage upload settings were disabled. Further, Eufy camera streams could allegedly be viewed live through an app like VLC, which presented an obvious security issue.

eufy deal
The fact that the Eufy cameras were uploading content to the cloud was problematic because Anker has long defended the security of its Eufy devices, claiming they only have local storage and end-to-end encryption for those who want a more private camera solution. After this debate, threshold started trying to get answers about Eufy camera security from Anker, and Anker was deliberately giving vague and often misleading answers about how Eufy cameras worked.

threshold was finally able to get a response from Anker threatening to publish a story about the company’s lack of communication, which has led to some clarification about Eufy’s security. The Eufy cameras don’t offer native end-to-end encryption, and they did provide unencrypted video streams through the Eufy web portal, though Anker says that’s an issue that’s now been fixed. From Eufy:

Previously, after logging into our secure web portal at eufy.com, a registered user could enter debug mode, use the web browser’s DevTool to find the live stream, and then play or share it that link with someone else to play outside of our secure system. However, it would have been the user’s choice to share that link, and they would have had to log into the eufy Web portal first to get that link.

Today, based on industry feedback and out of an abundance of caution, the eufy Security web portal now prevents users from entering debug mode, and the code has been hardened and obfuscated. Furthermore, the content of the video stream is encrypted, which means that these video streams can no longer be played in third-party media players such as VLC.

However, I should note that only 0.1 percent of our current daily users use the secure web portal feature on eufy.com. Most of our users use eufy Security app to watch live streams. However, the previous design of our web portal had some issues, which have since been resolved.

Video streaming requests coming from the Eufy web portal will be end-to-end encrypted going forward, as they are with the Eufy app, which Anker says is the primary way Eufy users access camera streams. Anker says that every Eufy camera is being updated to use WebRTC, which is encrypted by default, and it will no longer be possible to play Eufy video streams through third-party apps.

Anker regretted the lack of communication and said it would be better in the future. The company is bringing in third-party security companies to audit Eufy security products and is working on an official bug bounty program. Anker will also create a security microsite in February and provide customers with more information on the changes that have been implemented.

For those interested in the full details of what Eufy has to say, threshold published the full email communications with Anker spokespeople.

.

[ad_2]

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *