Anker admits Eufy security cameras weren’t encrypted

Since security flaws were discovered in its system, Anker has kept a low profile, and many disgruntled users have wondered whether they can trust its Eufy security cameras. Anker is the parent company of Eufy.

This week, Anker Electronics finally acknowledged that, yes, Eufy security cameras do produce video feeds for the web portal, without native encryption, according to The Verge.

In the fall of 2022, the smart home device maker was caught uploading user data to cloud servers without users’ consent. On top of that, customers have claimed that it’s possible to use a link from Eufy’s web portal to view their camera’s livestream using a media player, in this case VLC.

Anker claims that is no longer the case.

“Today, all videos use end-to-end encryption”

“Today, all video (live and recorded) shared between the user’s device and the Eufy Security web portal or Eufy Security app uses end-to-end encryption, which is implemented using AES and RSA algorithms,” says Anker communications manager Eric Villines.


As for what gets uploaded to the cloud, Eufy now makes it clear on its mobile app that certain data needs to be uploaded to cloud servers, especially when users enable features like video previews for push notifications.

From my perspective, the problem is not uploading screenshots to the cloud, as most connected security cameras do the same. The problem is that Eufy knew this was happening, and still tricked its customers into believing otherwise.

Camera updates start rolling out

Since it sells security cameras and alarm systems, Eufy also claims that all your data is kept locally. There’s no need to worry, everything will be safe on your HomeBase’s built-in storage drive, or whatever hard drive or SSD you choose to add to it if you can.

In its emails to The Verge, Anker apologized to customers for the lack of response and pledged to do a better job in the future. Notably, the company is now working with an independent company to perform security and penetration testing for the purpose of auditing Eufy’s system and practices.

The objective is to “carry out a complete assessment of the security risks of our products and to eliminate potential risks”, specifies Eric Villines.

The company is also committed to ensuring that all video stream requests from Eufy’s web portal are end-to-end encrypted. It is updating all Eufy cameras to use WebRTC, which HomeBase 3 and EufyCam 3/3C already use. According to Anker, only 0.1% of current daily users use the web portal.

Firmware updates for other Eufy cameras started rolling out last week. Users of the Eufy Security mobile app can rest assured that their footage and camera feeds were already end-to-end encrypted, and that it was done locally, either on the camera or on the HomeBase, according to Anker.

The question of facial recognition still unresolved

Eufy Security’s web portal, which requires users to log in before accessing it, was not originally designed with end-to-end encryption, which Eric Villines admits is a problem. This is the only video streaming process that did not use encryption.

The company has implemented new protocols and procedures for features that may be developed in the future, ensuring that all data sent from user devices to the Eufy Security mobile app or web portal must use end-to-end encryption.

“Several normal processes require the use of the cloud, such as account setup, push notifications, initial device setup, device OTA, etc.,” explains Eric Villines.

Eufy’s “privacy evidence” on its website at the time of the incident. It has since been modified. Screenshot by Maria Diaz/Eufy Security.

Eufy also denies sending facial recognition data to the cloud, but mentions that an update was made for the camera, which was the only one to use AWS cloud servers to send an initial facial recognition image to users’ other cameras. The LAN/P2P process is now used to do this. ZDNET has yet to receive a response from Anker regarding these issues.

The company also plans to launch a microsite with information on key processes that are performed locally and those that require the use of the cloud, and promises to provide “more timely updates to our community (and the media!) to ensure customers are better informed of any updates to these policies,” with one such update scheduled for early February.

So can you trust Eufy security cameras?

From time to time, we hear about cybersecurity breaches and data leaks from companies that have earned the trust of users. It’s not new. Each time, it seems that people with an opinion on this topic fall into three groups: one that thinks it’s all over the top, one that can’t believe people aren’t more outraged, and one that stays neutral.

In general, I try to stay in the neutral field. I try to take the bad with the good, and recognize how difficult it is to build a completely waterproof system only to then throw it into a hurricane and hope for the best. Over the past few weeks, however, I have oscillated between these three positions.

Having a number of Eufy devices in my house, I think the company has a long way to go to regain consumer trust, and while these new processes look promising, it will take time to get there.

“Our apologies should be accompanied by more details about what happened and the corrective actions we have taken to ensure it does not happen again,” added Eric Villines. On this point, I believe that we are all in agreement.

