The year 2022 did not end very well for Eufy. The Anker group’s home equipment brand has come under considerable criticism for its handling of user data, and especially images captured by its surveillance cameras. And for good reason.
A cybersecurity specialist first found that images could be stored in the cloud without the user’s consent, but a more disturbing discovery was soon added to the case against Eufy. According to another cybersecurity specialist quoted by our colleagues from The Verge, it was possible to access the live video stream of the brand’s cameras from a simple third-party video player, such as VLC. A breach finally recognized following reminders from the American media, which also obtained information on the measures adopted and envisaged to avoid future leaks.
Encryption finally deployed on the web client
First of all, Eufy admits having been negligent by opening access to the live video stream of its cameras on its web client. More precisely, the encryption put in place for sending live video to the mobile application – not to be confused with that of recordings, which takes place locally on the cameras – did not apply. to the latter.
The manufacturer defends itself, however, by indicating that the only way to access a camera via a third-party player was to use a link provided by the user, after identification and switching to debug mode. In addition, less than 0.1% of active users would actually use the web client to access live, and there would be no leaks to deplore so far. Nevertheless, in order to better protect the privacy of its users – and above all to reassure them – Eufy has decided to take new measures, starting with the adoption of end-to-end encryption for sending live material to its portal. web.
Access to debug mode has also been cut off, and the manufacturer adds that it has called in security experts to evaluate its system. A bounty program will also be launched to reward and motivate bug hunters, while a microsite should see the light of day to clearly explain the various means implemented to ensure the confidentiality of user data and images.