Anker’s eufy admits unencrypted video can be accessed, plans review

After two months of arguing with critics about how security researchers could access so many aspects of its “Cloudless” security cameras online, Anker’s smart home division Eufy has provided a lengthy explanation and promises to do so. better.

In multiple responses to The Verge, which has repeatedly criticized Eufy for failing to address key aspects of its security model, Eufy has clearly stated that the video footage produced by its cameras can be accessed, unencrypted, through the Eufy web portal, despite from messages and marketing that suggest otherwise. Eufy also stated that it would bring in penetration testers, commission an independent security researcher’s report, create a bug bounty program, and further detail its security protocols.

Before the end of November 2022, eufy had enjoyed a prominent place among smart home security providers. For those willing to trust any company with home video streams and other data, Eufy was marketed as offering “No Clouds, No Cost”, with encrypted streams delivered only to local storage.

then came the first of eufy’s unfortunate revelations. Security consultant and researcher. Paul Moore asked Eufy on Twitter about various discrepancies he discovered. Doorbell camera images of him, apparently tagged with facial recognition data, were accessible from public URLs. Camera footage, when on, was apparently accessible without VLC Media Player authentication (somewhat later confirmed by The Verge). Eufy issued a statement stating that she essentially had not fully explained how he used cloud servers to provide mobile notifications and was committed to updating his language. Moore went silent after tweeting about “a long discussion” with Eufy’s legal team.

Days later, another security researcher confirmed that, given the URL inside a Eufy user’s web portal, could be transmitted. The URL encryption scheme also seemed to lack sophistication; as the same researcher told Ars, only 65,535 combinations were needed for brute force, “which a computer can execute quite fast.” Anker then increased the number of random characters needed to guess URL strings and said it had removed the ability for media players to play a user’s strings even if they had the URL.

Eufy issued a statement to The Verge, Ars and other publications at the time, noting that it “totally” disagreed with the “allegations made against the company regarding the safety of our products.” After continued pressure from The Verge, Anker issued a lengthy statement detailing his past mistakes and future plans.

Among Anker/Eufy’s notable statements:

• Your web portal now prohibits users from entering “debugging mode”.
• The content of the video transmission is encrypted and is inaccessible outside the portal.
• While “only 0.1 percent” of current daily users access the portal, it “had some issues,” which have been resolved.
• eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
• Facial recognition images have been uploaded to the cloud to help replace/reset/add doorbells with existing image sets, but have been discontinued. No recognition data was included with images sent to the cloud.
• Outside of the “recent problem with the web portal”, all other videos use end-to-end encryption.
• A “leading and well-known security expert” will produce a report on Eufy’s systems.
• “Several new security consulting, certification and penetration testing companies” will be contracted for risk assessment.
• A “Eufy Security rewards program” will be established.
• The company promises to “provide more timely updates in our community (and the media!).”