Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul
Anker’s Eufy division has said its web portal was not designed for end-to-end encryption and could allow outside access with the right URL.
After two months of arguing with critics about how so many aspects of its “Cloudless” security cameras could be accessed online by security researchers, Anker’s smart home division Eufy has issued a lengthy explanation and promises to do better.
In multiple responses to The Verge, which has repeatedly called out Eufy for failing to address key aspects of its security model, Eufy has clearly stated that video streams produced by its cameras can be accessed, unencrypted, through the portal of the Eufy website, despite messaging and marketing that suggested otherwise. Eufy also stated that it would bring in penetration testers, commission an independent report by security researchers, create a bug bounty program and better detail its security protocols.
Before the end of November 2022, Eufy had a prominent place among smart home security providers. For those willing to trust any company with video and other data sources at home, Eufy proved itself by offering “No Cloud or Cost”, with encrypted sources streamed only to local storage.
Then came the first of Eufy’s woeful pronouncements. Security consultant and researcher Paul Moore asked Eufy on Twitter about some inconsistencies he had discovered. Images from his doorbell camera, apparently tagged with facial recognition data, were accessible from public URLs. Camera feeds, when enabled, were apparently accessible without authentication from VLC Media Player (something later confirmed by The Verge). Eufy issued a statement saying that, in essence, it had not fully explained how it used cloud servers to deliver mobile notifications, and pledged to update its language. Moore went silent after tweeting about “a lengthy discussion” with Eufy’s legal team.
Days later, another security researcher confirmed that, given the stream URL from within a Eufy user’s web portal, the video could be streamed. The encryption scheme in the URLs also seemed to lack sophistication; as the same researcher told Ars, it took just 65,535 combinations to brute-force, “which a computer can go through very quickly.” Anker later increased the number of random characters required to find URL streams and said it had removed the ability of media players to play a user’s streams, even if they had the URL.
Eufy released a statement to The Verge, Ars and other publications at the time, noting that it “strongly disagreed” with “allegations made against the company regarding the safety of our products.” After continued pressure from The Verge, Anker released a lengthy statement detailing its past mistakes and future plans.
Among Anker/Eufy’s notable statements:
Its web portal now prevents users from entering “debug mode”. The video streaming content is encrypted and inaccessible outside the portal. While “only 0.1 percent” of current daily users access the portal, it “had some issues,” which have been resolved.
Eufy is pushing WebRTC on all of its security devices as an end-to-end encrypted transmission protocol.
Facial recognition images were uploaded to the cloud to help replace/reset/add doorbells with existing image sets, but this has been discontinued. No identifying data is included with images sent to the cloud.
Outside of the “recent issue with the web portal”, all other videos use end-to-end encryption.
A “leading and recognized security expert” will produce a report about Eufy’s systems. “Several new consulting, certification and penetration testing firms” will be brought in for risk assessment. A “Eufy Security bounty program” will be created.
The company promises to “provide more timely updates to our community (and the media!).”