Brand owner Anker has finally responded to proof of a major Eufy camera security breach, but its official statement still leaves a great many questions unanswered.
The company has now admitted that it lied to users about all footage and images being stored locally, and never sent to the cloud, after a security researcher proved that this was not true …
One of the biggest developments in consumer-grade home security cameras has been the addition of facial-recognition technology. Rather than just identifying movement, the camera can tell the difference between a person and, for example, a pet. Additionally, face recognition prevents it sending needless security alerts when a known member of the household is spotted.
Most facial-recognition tech is performed on cloud servers, but Anker said that its Eufy cameras do this on the devices themselves, without the need to send images to the cloud. The company’s website still states unequivocally that it does not send data to the cloud.
No Clouds or Costs. This means that no one has access to your data but you.
Eufy camera security breach
Paul Moore recently provided proof that Anker’s privacy claim isn’t true.
Moore shows proof that Eufy cameras are sending data that is said to be “stored locally” to the cloud, even when cloud storage is disabled […]
The doorbell’s camera was uploading facial recognition data from the camera to Eufy’s cloud servers with identifiable information attached, and that this data wasn’t actually removed from Eufy’s servers when the related footage had been deleted from the Eufy app. In the video below, Moore also notes that Eufy used the facial recognition data from two different cameras on two completely different accounts to link data from each, and points out that Eufy never notifies the user that this is happening – the company’s marketing rather implies just the opposite.
Even worse, another user discovered that it was possible to view unencrypted live video footage without authentication.
Simply using the popular VLC media player, a user was able to access a camera’s feed, and Paul Moore confirmed (though without showing how it works) that the streams can be accessed with no encryption or authentication required.
The Verge additionally confirmed this.
Company partly admits the issues
Anker this week published a blog post providing a partial admission of the problems, while claiming that no user data had been exposed (our emphasis):
“eufy Security Uses the Cloud to Send Users Mobile Push Notifications”
This is true. As mentioned earlier, eufy Security is committed to reducing the use of the cloud in our security processes wherever possible. However, some processes today still require us to use our secure AWS server.
For example, in the case of security push notifications – when the user has chosen to include a thumbnail with that security notification – a small preview image of the security event is sent to our secure AWS server and then pushed to the user’s phone. This image is protected through end-to-end encryption and is deleted shortly after the push notification has been sent. This process also complies with all industry standards.
It also admitted weaknesses in its web portal, while denying that any user data has been exposed.
No user data has been exposed, and the potential security flaws discussed online are speculative. However, we do agree there were some key areas for improvement. So we have made [authentication] changes.
The company continues to deny that facial recognition data is sent to the cloud.
Many questions remain unanswered
The Verge says that the statement leaves a great many questions unanswered, beginning with the key one:
Why anyone would be able to view an unencrypted stream in VLC Media Player on the other side of the country, from a supposedly always-local, always-end-to-end-encrypted camera.
The site sent Anker a lengthy list of additional questions:
Why do your supposedly end-to-end encrypted cameras produce unencrypted streams at all?
Under what circumstances is video actually encrypted?
Do any other parts of Eufy’s service rely on unencrypted streams, such as Eufy’s desktop web portal?
How long is an unencrypted stream accessible?
Are there any Eufy camera models that do not transmit unencrypted streams?
Will Eufy completely disable the transmission of unencrypted streams? When? How? If not, why not?
If not, will Eufy disclose to its customers that their streams are not actually always end to end encrypted? When and where?
Has Eufy changed the stream URLs to something more difficult to reverse engineer? If not, will Eufy do so? When?
Are unencrypted streams still accessible when cameras use HomeKit Secure Video?
Is it true that “ZXSecurity17Cam@” is an actual encryption key? If not, why did that appear in your code labeled as an encryption key and appear in a GitHub repo from 2019?
Beyond the thumbnails and the unencrypted streams, are there any other private data or identifying elements that Eufy’s cameras allow access to via the cloud?
Beyond potentially tapping into an unencrypted stream, are there any other things that Eufy’s servers can remotely tell a camera to do?
What keeps Eufy and Anker employees from tapping into these streams?
Which other specific measures will Eufy take to address its security and reassure customers?
Has Anker retained any independent security firms to conduct an audit of its practices following these disclosures? Which?
Will Anker be offering refunds to those customers who bought cameras based on Eufy’s privacy commitment?
Why did Anker tell The Verge that it was not possible to view the unencrypted stream in an app like VLC?
Does eufy share video recordings with law enforcement agencies?
It’s not the first time third parties have been able to view supposedly end-to-end encrypted video streams from Eufy cameras: the same thing happened back in May of last year.