Anker admits Eufy security cameras were not natively encrypted

Feb, 01, 2023 Hi-network.com
DALL-E/Maria Diaz/

Eufy Security has remained mostly silent since security flaws were uncovered in its system, which left a lot of users understandably unhappy and many wondering whether they could even trust Eufy security cameras. But now, that's changed.

This week, Anker Electronics finally acknowledged that, yes, Eufy Security cameras did produce unencrypted video streams for the web portal, according to The Verge. Anker is Eufy's parent company.

In the fall of 2022, the smart home devices manufacturer was caught uploading user data to cloud servers without consent. 

On top of that, customers claimed that someone could use a link from Eufy's web portal to view the camera's livestream using a media player, in this case VLC. 

Anker says that is no longer the case.

"Today, all videos (live and recorded) shared between the user's device to the Eufy Security Web portal or the Eufy Security App utilize end-to-end encryption, which is implemented using AES and RSA algorithms," said Anker's global head of communications, Eric Villines, who responded to The Verge's inquiries after weeks of the company remaining silent regarding these issues.

As far as what gets uploaded to the cloud, Eufy has made clear disclaimers on the mobile app explaining that some data must be uploaded to cloud servers when users turn on features like video previews for push notifications.

From my point of view, the problem is not uploading screenshots to the cloud, as most smart security cameras do the same. The problem is that Eufy was aware that this was happening and still led customers to believe the opposite. 

For as long as it's been selling security cameras and the HomeBase, Eufy had also been claiming that all your data is kept completely local. There's no need to worry, everything will be safe and sound right in your HomeBase's built-in storage drive, or any HDD or SSD you choose to add to it if you have the latest version.

In its emails to The Verge, Anker apologized to customers for the lack of response and is voicing a commitment to doing a better job in the future. One of the ways it's doing so is by working with an independent company to perform security and penetration testing in an effort to audit Eufy's system and practices. 

The pictured EufyCam 3 and HomeBase 3 already use WebRTC.

The goal is to "conduct a comprehensive security risk assessment of our products and eliminate potential risks," Villines explained.

The company is also committing to ensuring that all video stream requests from Eufy's web portal will be end-to-end encrypted and is updating all Eufy cameras to use WebRTC, which the HomeBase 3 and EufyCam 3/3C already use. According to Anker, only about 0.1% of current daily users use the web portal.

The firmware updates to the remaining Eufy cameras began rolling out last week. 

Users of the Eufy Security mobile app can rest assured that their footage and camera feeds were already end-to-end encrypted, and this was done locally either on the camera or HomeBase, according to Anker. 

The Eufy Security web portal, which requires users to log in before accessing, was not originally designed with end-to-end encryption, which Villines admits it should have been from the beginning. It is the only video streaming process that did not use encryption.

Going forward, the company has put in place new protocols and procedures for features that may be developed in the future, ensuring that all data going from users' devices to the Eufy Security mobile app or web portal must use end-to-end encryption.

"There are several normal processes that require the use of the cloud such as account setup, push notifications, initial device setup, device OTA, etc.," Villines said. 

Screenshot of Eufy's "Proof of Privacy" on its website at the time of the incident that has since been edited.

Screenshot by Maria Diaz/Eufy Security

Eufy also denies that it ever sent facial recognition data to the cloud, but it does mention that an update was made to the Video Doorbell Dual, which was the only one that used AWS cloud servers to send an initial facial recognition image to other cameras, but now uses a LAN/P2P process to do so. still hasn't heard back from Anker about any of these issues.

The company is also planning on launching a microsite with information on which of its key processes are done locally and which require the use of the cloud, and is promising to provide "more timely updates in our community (and to the media!) to keep consumers better informed on any updates to these strategies," with one of those updates coming in early February.

So, can you trust Eufy security cameras?

Every so often, we hear about cybersecurity flaws and data leaks from companies that have gained user trust -- this isn't new. Each time it happens it seems people with opinions sort into three general groups: one that thinks it's all overblown, one that can't believe people aren't more outraged, and one that remains neutral. 

Generally, I try to stay in the neutral field. I try to take the bad with the good, and to recognize how hard it is to build a completely impermeable system and then throw it into a hurricane and hope for the best. Throughout the past few weeks, however, I've shifted between all three positions.

Having a number of Eufy devices all over my home, I think the company has a long way to go to regain consumer trust, and though these new processes seem promising, it'll take time for that to happen.

Regarding an apology, Villines said, "An apology should come with more details on what happened and the corrective steps we've done to make sure this doesn't happen again," and I think that's one thing we can all agree on.
