After two months of arguing with critics about how so many aspects of its No Clouds security cameras could be accessed online by security researchers, Anker smart home unit Eufy has issued a lengthy explanation and vows to do better.
In several responses to The Verge, which has repeatedly accused Eufy of not addressing key aspects of its security model, Eufy has made it clear that video streams produced by its cameras could be accessed unencrypted through the Eufy web portal, despite messaging and marketing that suggested otherwise. Eufy also announced that it will bring in penetration testers, commission an independent security researcher’s report, create a bug bounty program and better detail its security protocols.
By the end of November 2022, Eufy had a prominent place among smart home security providers. For those willing to trust any company with their video streams and other home data, Eufy had billed itself as “No Clouds or Costs,” with encrypted streams that were sent only to local storage.
Then came the first of Eufy’s woeful revelations. Security consultant and researcher Paul Moore asked Eufy on Twitter about several inconsistencies he had found. Images from his doorbell camera, which appeared to be tagged with facial recognition data, were available from public URLs. Camera streams, when enabled, were seemingly accessible without authentication from VLC Media Player (something later confirmed by The Verge). Eufy issued a statement saying it had not, in fact, fully explained how it uses cloud servers to deliver mobile notifications and promised to update its language. Moore went quiet after tweeting about a “lengthy discussion” with Eufy’s legal team.
Days later, another security researcher confirmed that, given the URL from inside a Eufy user’s web portal, a camera’s stream could be played. The URL encryption scheme also seemed to lack complexity; as the same researcher told Ars, brute-forcing it required just 65,535 combinations, “which a computer can go through pretty quickly.” Anker later increased the number of random characters needed to guess stream URLs and said it had removed the ability for media players to play users’ streams even when given a URL.
Eufy released a statement to The Verge, Ars and other publications at the time, saying it “strongly” disagreed with “the allegations made against the company regarding the safety of our products.” After continued pressure from The Verge, Anker released a lengthy statement detailing its past mistakes and future plans.
Among the notable announcements from Anker/Eufy:
- Its web portal now prevents users from entering “debug mode”.
- The content of the video stream is encrypted and is not accessible outside the portal.
- Although “only 0.1 percent” of current daily users access the portal, it “had some issues” that have been resolved.
- Eufy is pushing WebRTC to all of its security devices as an end-to-end encrypted streaming protocol.
- Facial recognition images were uploaded to the cloud to help replace/reset/add doorbells with existing image sets, but this has been discontinued. No identification data is included with images sent to the cloud.
- Outside of the latest web portal issue, all other videos use end-to-end encryption.
- A “leading and renowned security expert” will prepare a report on Eufy’s systems.
- “Several new security consulting, certification and penetration testing companies” will be brought in for risk assessment.
- A “Eufy Security Bounty Program” will be created.
- The company promises to “provide more timely updates to our community (and the media).”