Anker has admitted that its statements about Eufy security camera encryption were not accurate. The smart home brand had previously stated that all video footage is end-to-end encrypted, but has now admitted there was an exception to this (which it has now fixed).
The company only finally came clean about the privacy breach after The Verge threatened to post a story about the company’s failure to answer its questions …
The security flaw was first discovered in December of last year, when a customer was able to access unencrypted video streams using the popular VLC media player. A security researcher confirmed this, and additionally proved that video data was being uploaded to the cloud even when the user denied permission for this.
Simply using the popular VLC media player, a user was able to access a camera’s feed, and Paul Moore confirmed (though without showing how it works) that the streams can be accessed with no encryption or authentication required […]
In the thread and accompanying videos, Moore shows proof that Eufy cameras are sending data that is said to be “stored locally” to the cloud, even when cloud storage is disabled.
This followed a similar incident back in 2021, when users were able to view live and recorded camera feeds from complete strangers. Eufy blamed that one on a bug, and promised to contact the “0.001% of users” affected.
Eufy brand owner Anker took almost three weeks to respond to the December case, before issuing a statement with a partial admission that its security claims weren’t true.
No user data has been exposed, and the potential security flaws discussed online are speculative. However, we do agree there were some key areas for improvement. So we have made [authentication] changes.
Admission of Eufy security camera encryption flaw
At the time, The Verge posted a lengthy list of questions for Anker to answer. It seems the publication has been struggling to get answers, as it only got a response by threatening to post a story about the company’s failure to address them.
It reports that Anker has finally admitted to two things it has previously denied. First, its cameras can transmit unencrypted video footage. Second, there is one circumstance in which they do.
In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.
We now also have an explanation about the difference between the theory (and the company’s original claims) and the reality.
Video sent to the companion iPhone and Android app did indeed use end-to-end encryption (E2E), as claimed. Anyone who intercepted that stream would not be able to view the video.
The same thing was true of recorded footage sent to the web; that too used E2E encryption.
However, live video streams sent to the web were not encrypted, nor even authenticated, meaning that the streaming footage could be viewed by anyone who gained access to the link.
The company’s promises
Anker does finally seem to realize that it has a lot of work to do if anyone is to ever trust it again.
First, it says, it is remotely updating every single Eufy camera to send only encrypted footage to the web portal.
Second, it is commissioning external security companies to audit its practices, and conduct penetration testing (where consultants use hacking techniques to attempt to gain access). It will ask a “well-known security expert” to write an independent report.
Finally, it will create a bug bounty program which will incentivise security researchers and hackers to find and report vulnerabilities.
The Verge has published all of Anker’s responses, in full.
As the old saying has it, never ascribe to malice that which can be adequately explained by incompetence. Given the nature of the flaw, I tend to believe that the company did not knowingly lie or mislead anyone. Rather, its management failed to realize that a massive flaw existed, simply because it related to a feature (viewing live video feeds on the video portal) that was hardly ever used by anyone.
However, that is no excuse. Inadvertent or not, it did lie. When a security camera company promises that all video footage never leaves the camera without E2E encryption, it must be 100% certain that this statement is correct. It’s simply not good enough to believe this to be the case.
Even more inexcusable is continuing to make inaccurate claims after the company’s statements had been demonstrated to be false. When that happens, you don’t blithely continue to repeat the same reassurances: You immediately verify the claim (which was trivial to do), admit to it, and then fix it.
The fact that Anker didn’t do this is, in my view, unforgivable.
FTC: We use income earning auto affiliate links. More.