Eufy, the Anker brand that positioned its security cameras prioritizing “local storage” and “No clouds,” issued a statement in response to recent findings from security researchers and tech news sites. Eufy admits that it could do better, but it also leaves some issues unresolved.
In a thread titled “Re: Recent security complaints against eufy Security”, “eufy_official” writes to his “Security Cutomers and Partners”. Eufy is “taking a new approach to home security,” the company writes, designed to operate locally and “wherever possible” to bypass cloud servers. Video footage, facial recognition, and identity biometrics are managed on devices, “not in the cloud.”
This reiteration comes after questions have been raised multiple times in recent weeks about Eufy’s cloud policies. A British security researcher discovered in late October that phone alerts sent from Eufy were being stored on a cloud server, apparently unencrypted, with facial identification data included. Another company at the time quickly summarized two years of findings on Eufy’s security, noting similar unencrypted file transfers.
At the time, Eufy acknowledged that it used cloud servers to store thumbnail images, and that it would improve its configuration language so customers who wanted mobile alerts would know about it. The company did not address other claims by security analysts, including that live video streams could be accessed through VLC Media Player with the correct URL, whose encryption scheme could be brute-forced.
A day later, tech site The Verge, working with a researcher, confirmed that a user not logged into a Eufy account would be able to view a camera feed, with the correct URL. Getting that URL required a serial number (Base64 encoded), a Unix timestamp, an apparently unvalidated token, and a four-digit hexadecimal value.
Eufy says its security model has “never been tried and we expect challenges along the way,” but that it remains committed to customers. The company acknowledges that “several complaints have been made” against its security, and the need for a response has frustrated customers. But, the company writes, it wanted to “gather all the facts before publicly addressing these claims.”
Responses to those claims include Eufy pointing out that it uses Amazon Web Services to forward notifications in the cloud. The image is end-to-end encrypted and deleted shortly after it is sent, Eufy claims, but the company intends to better notify users and adjust its marketing.
As for viewing live streams, Eufy states that “no user data has been exposed, and potential security flaws discussed online are speculative.” But Eufy adds that it has disabled viewing live streams when you’re not connected to a Eufy portal.
Eufy claims that the claim that it sends facial recognition data to the cloud is “not true.” All identity processes are handled on local hardware, and users add recognized faces to their devices via the local network or encrypted peer-to-peer connections, says Eufy. But Eufy notes that your Video Doorbell Dual previously used “our secure AWS server” to share that image with other cameras on a Eufy system; that feature has since been disabled.
The Verge, which received no answers to further questions about Eufy’s security practices after its findings, has a few follow-up questions, and they’re noteworthy. They include why the company denied remote streaming was possible in the first place, its law enforcement request policies, and whether the company was actually using “ZXSecurity17Cam@” as the encryption key.
“So far, it’s safer to use a doorbell that tells you it’s stored in the cloud, as the ones that are honest enough to tell you usually use strong cryptography,” Moore said. wrote about his efforts. Some of Eufy’s most enthusiastic and privacy-conscious customers may agree.
Listing Image by Eufy