After security expert Paul Moore found that Eufy security cameras streamed data to the cloud even though cloud storage upload settings were off, Anker’s Eufy brand made news in November. Eufy camera broadcasts could be live-viewed using a program like VLC, creating a serious security risk.
Because Anker has long emphasized the security of its Eufy products, saying that they include local-only storage and end-to-end encryption for customers who want a more private video solution, the fact that the Eufy cameras were uploading content to the cloud was troublesome. After this disaster, The Verge started contacting Anker to ask about the security of Eufy cameras. Anker is required to explain the operation of Eufy cameras in more detail and frequently with correct information.
By threatening to write an article about the company’s lack of communication, The Verge ultimately got Anker to respond, which clarified Eufy’s security. Eufy cameras give unencrypted video streams through the Eufy website but do not support native end-to-end encryption. Anker claims that this problem has been resolved, nevertheless. By Eufy:
Previously, a registered user could access debug mode after logging into our secure Web portal at eufy.com, utilize the Web browser’s DevTool to find the live stream, and then play or share that link with another person to play outside of our protected system. The user would have had to sign into the eufy Web portal to obtain that link, and it would have been their decision to distribute it.
Due to industry feedback and caution, the eufy Security Web site now forbids users from entering debug mode, and the code has been hardened and obfuscated. Additionally, the video stream content is encrypted, making it impossible for third-party media players like VLC to play these video streams.
However, barely 0.1 percent of our daily active users currently access the secure Web portal at eufy.com. The eufy Security app is used by most consumers to watch live streams. In any case, there were certain problems with the former layout of our Web portal, but these have already been fixed.
In the future, requests for video streams made through the Eufy online portal will be end-to-end encrypted, just like they are now through the Eufy app, which according to Anker, is the main method by which Eufy users access camera streams. Every Eufy camera, according to Anker, has been modified to use WebRTC, which by default is encrypted. It won’t be possible to play Eufy video broadcasts from outside apps anymore.
Anker expressed sorry about its poor communication and promised to improve going forward. In addition to developing a formal bug bounty program, the company is enlisting outside security firms to examine its Eufy security products. In February, Anker will launch a security micro-site to tell customers of the modifications that have been made.
The Verge provided its full email exchanges with Anker officials in case anyone is interested in reading the specifics of what Eufy has to say.
