After two months of arguing back and forth with critics about how so many aspects of its “No clouds” security cameras could be accessed online by security researchers, Anker smart home division Eufy has provided a lengthy explanation and promises to do better.
In multiple responses to The Verge, which has repeatedly called out Eufy for failing to address key aspects of its security model, Eufy has plainly stated that video streams produced by its cameras could be accessed, unencrypted, through the Eufy web portal, despite messaging and marketing that suggested otherwise. Eufy also stated it would bring in penetration testers, commission an independent security researcher’s report, create a bug bounty program, and better detail its security protocols.
Prior to late November 2022, Eufy had enjoyed a distinguished place among smart home security providers. For those willing to trust any company with video feeds and other home data, Eufy marketed itself as offering “No Clouds or Costs,” with encrypted feeds streamed only to local storage.
Then came the first of Eufy’s woeful revelations. Security consultant and researcher Paul Moore asked Eufy on Twitter about several discrepancies were discovered. Images from his doorbell camera, seemingly tagged with facial recognition data, were accessible from public URLs. Camera feeds, when activated, were apparently accessible without authentication from VLC Media Player (something later confirmed by The Verge). Eufy issued a statement stating that, essentially, it had not fully explained how it used cloud servers to provide mobile notifications and pledged to update its language. Moore went quiet after tweeting about “a lengthy discussion” with Eufy’s legal team.
Days later, a different security researcher confirmed that, given the URL from inside a Eufy user’s web portal, it could be streamed. The encryption scheme on the URLs also seemed to lack sophistication; as the same researcher told Ars, it took only 65,535 combinations to brute-force, “which a computer can run through pretty quickly.” Anker later increased the number of random characters required to guess URL streams and said it had removed media players’ ability to play a user’s streams, even if they had the URL.
Eufy issued a statement to The Verge, Ars, and other publications at the time, noting that it “adamantly” disagreed with “accusations levied against the company concerning the security of our products.” After continued pressure by The Verge, Anker issued a lengthy statement detailing its past mistakes and future plans.
Among Anker/Eufy’s notable statements:
- Its web portal now prohibits users from entering “debug mode.”
- Video stream content is encrypted and inaccessible outside the portal.
- While “only 0.1 percent” of current daily users access the portal, it “had some issues,” which have been resolved.
- Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
- Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but has been discontinued. No recognition data was included with images sent to the cloud.
- Outside of the “recent issue with the web portal,” all other videos use end-to-end encryption.
- A “leading and well-known security expert” will produce a report about Eufy’s systems.
- “Several new security consulting, certification, and penetration testing” firms will be brought in for risk assessment.
- A “Eufy Security bounty program” will be established.
- The company promises to “provide more timely updates in our community (and to the media!).”