Security Encryption Privacy

Anker Finally Comes Clean About Its Eufy Security Cameras (theverge.com) 30

An anonymous reader quotes a report from The Verge: First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn't answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams -- among other questions -- we would publish a story about the company's lack of answers. It worked.

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted -- they can and did produce unencrypted video streams for Eufy's web portal, like the ones we accessed from across the United States using an ordinary media player. But Anker says that's now largely fixed. Every video stream request originating from Eufy's web portal will now be end-to-end encrypted -- like they are with Eufy's app -- and the company says it's updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

That's not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it's bringing in outside security and penetration testing companies to audit Eufy's practices, is in talks with a "leading and well-known security expert" to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail. Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It's a little hard to take the company at its word! But we also think Anker Eufy customers, security researchers and journalists deserve to read and weigh those words, particularly after so little initial communication from the company. That's why we're publishing Anker's full responses [here].
As highlighted by Ars Technica, some of the notable statements include:
- Its web portal now prohibits users from entering "debug mode."
- Video stream content is encrypted and inaccessible outside the portal.
- While "only 0.1 percent" of current daily users access the portal, it "had some issues," which have been resolved.
- Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
- Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but has been discontinued. No recognition data was included with images sent to the cloud.
- Outside of the "recent issue with the web portal," all other video uses end-to-end encryption.
- A "leading and well-known security expert" will produce a report about Eufy's systems.
- "Several new security consulting, certification, and penetration testing" firms will be brought in for risk assessment.
- A "Eufy Security bounty program" will be established.
- The company promises to "provide more timely updates in our community (and to the media!)."
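The report's central finding is that streams which should only have been reachable over an encrypted transport were playable in an ordinary media player, and that the fix is to move every stream to WebRTC, which is keyed over DTLS. One way a defender verifies such a claim on their own network is to capture the camera's traffic and check what the transport actually looks like on the wire. The classifier below is an added example, not code from The Verge, Ars Technica, Anker or Eufy: it takes the first bytes of captured TCP/UDP payloads and labels them as cleartext RTSP/HTTP, or as the STUN, DTLS and TLS records that WebRTC and HTTPS sessions produce. The sample payloads and the `camera.example.invalid` hostname are constructed for the example, and plain RTP and SRTP share a header, so RTP-shaped traffic is reported as undecidable rather than guessed.

```python
"""Classify captured camera-stream payloads by transport protection.

Added example with constructed inputs (not code from The Verge, Anker or Eufy).
Given the first bytes of a payload captured on the camera's network segment,
decide whether it is a cleartext RTSP/HTTP exchange (what an ordinary media
player can open) or a record from the protocols WebRTC and HTTPS rely on
(STUN for ICE, DTLS for key exchange, TLS for the app/portal).
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Request methods that mark a cleartext control channel.
RTSP_METHODS = {b"OPTIONS", b"DESCRIBE", b"SETUP", b"PLAY", b"PAUSE",
                b"TEARDOWN", b"ANNOUNCE", b"RECORD", b"GET_PARAMETER",
                b"SET_PARAMETER"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}  # ccs, alert, handshake, app data
STUN_MAGIC_COOKIE = b"\x21\x12\xa4\x42"


def classify_payload(payload: bytes) -> str:
    """Return a coarse protocol label for one captured payload."""
    if len(payload) < 3:
        return "unknown"
    # STUN (ICE connectivity checks): top two bits zero, magic cookie at offset 4.
    if len(payload) >= 8 and payload[0] <= 0x3F and payload[4:8] == STUN_MAGIC_COOKIE:
        return "stun"
    # TLS record header: content type, then version 0x03 0x00..0x04 (SSL3..TLS1.3 wire versions).
    if payload[0] in TLS_RECORD_TYPES and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    # DTLS record header: same content types, version 0xfe 0xff (1.0) or 0xfe 0xfd (1.2).
    if payload[0] in TLS_RECORD_TYPES and payload[1] == 0xFE and payload[2] in (0xFD, 0xFF):
        return "dtls"
    # Cleartext responses start with the protocol version.
    if payload.startswith(b"RTSP/1.0 "):
        return "rtsp-cleartext"
    if payload.startswith(b"HTTP/1."):
        return "http-cleartext"
    # Cleartext requests: "<METHOD> <target> <VERSION>\r\n".
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3:
        method, _target, version = parts
        if version.startswith(b"RTSP/") and method in RTSP_METHODS:
            return "rtsp-cleartext"
        if version.startswith(b"HTTP/") and method in HTTP_METHODS:
            return "http-cleartext"
    # RTP/SRTP: version bits 10 in the first byte, 12-byte fixed header.
    # SRTP encrypts only the payload, so the header alone cannot tell them apart.
    if len(payload) >= 12 and 0x80 <= payload[0] <= 0xBF:
        return "rtp-undecidable"
    return "unknown"


CLEARTEXT_LABELS = {"rtsp-cleartext", "http-cleartext"}


def audit_flows(flows: Dict[str, bytes]) -> Tuple[Dict[str, str], List[str]]:
    """Classify every captured flow and list those carrying cleartext media control."""
    verdicts = {name: classify_payload(data) for name, data in flows.items()}
    cleartext = sorted(name for name, label in verdicts.items() if label in CLEARTEXT_LABELS)
    return verdicts, cleartext


# Constructed sample payloads (not real captures); the hostname is a placeholder.
SAMPLE_FLOWS: Dict[str, bytes] = {
    "portal-rtsp-describe": b"DESCRIBE rtsp://camera.example.invalid/live RTSP/1.0\r\nCSeq: 2\r\n\r\n",
    "portal-rtsp-reply": b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\n",
    "legacy-http-snapshot": b"GET /snapshot.jpg HTTP/1.1\r\nHost: camera.example.invalid\r\n\r\n",
    "app-https-hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32),
    "webrtc-stun-binding": b"\x00\x01\x00\x00" + STUN_MAGIC_COOKIE + bytes(12),
    "webrtc-dtls-hello": b"\x16\xfe\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x01",
    "webrtc-media": b"\x80\x60\x12\x34\x00\x00\x00\x01\xde\xad\xbe\xef" + bytes(20),
}


def main() -> None:
    verdicts, cleartext = audit_flows(SAMPLE_FLOWS)
    for name, label in verdicts.items():
        print(f"{name:24s} {label}")
    print("cleartext flows:", ", ".join(cleartext) or "none")


if __name__ == "__main__":
    main()
```

Run against a real capture, the payload bytes would come from the first packet of each flow on the camera's VLAN; any flow that lands in the cleartext set is one that a media player could open without a key, which is exactly the condition the report describes. The STUN and DTLS labels are what a correctly deployed WebRTC stream should produce alongside the undecidable RTP-shaped media packets.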

  • Eu oh oh oh oh uhfi
  • Always a BSer.
  • Whatever... (Score:5, Insightful)

    by Ritz_Just_Ritz ( 883997 ) on Thursday February 02, 2023 @06:36PM (#63261173)

    So they ignored the complaints for a good long while, but finally responded when threatened with publication of their antics and hiring some PR critters to do damage control.

    Why on earth would anyone buy their products?

    • Re:Whatever... (Score:4, Insightful)

      by hawguy ( 1600213 ) on Thursday February 02, 2023 @08:01PM (#63261349)

      So they ignored the complaints for a good long while, but finally responded when threatened with publication of their antics and hiring some PR critters to do damage control.

      Weren't their antics already published? Are there more unpublished antics?

      Why on earth would anyone buy their products?

      Because most people don't understand or really care about security, and the average consumer isn't going to find out about this breach at all. They'll see the product on Amazon, see that it has a 4.7 star rating, then click "Buy".

    • Why on earth would anyone buy their products?
       
      Because they work well for a reasonable price

  • by raynet ( 51803 ) on Thursday February 02, 2023 @06:40PM (#63261177) Homepage

    These things don't seem to fix the most important thing: the device was advertised as storing things only locally. At no point should any data be leaving these devices for the cloud. The only thing they should use an external service for is NAT penetration/VPN tunneling, so you can access the device from your phone.

    • These things don't seem to fix the most important thing: the device was advertised as storing things only locally. At no point should any data be leaving these devices for the cloud. The only thing they should use an external service for is NAT penetration/VPN tunneling, so you can access the device from your phone.

      Well, it sounds like the notification thumbnails were literally impossible to provide without uploading them to the cloud due to the phone OS APIs.

      As for the web portal, I'd certainly assume that was being sent through the cloud (though the unencrypted stream sounds like a serious issue).

      Overall, I can't shake the feeling I'm reading a bit of a hit piece. I'd really like to see some analysis by 3rd party security experts.

      • by rossz ( 67331 )

        Then they should have stated that "thumbnails will be uploaded if you enable that feature", instead of lying.

        • by duffel ( 779835 )

          I don't know if it always said this, but it literally does say this in the settings.

          "Include Thumbnail" Get full notification including text and thumbnail (if available). Note: in this mode, footage preview thumbnails will be temporarily stored in the cloud...

      • by AmiMoJo ( 196126 )

        The data could easily be end-to-end encrypted, like many instant messenger apps that work just fine sending images that the mediating server cannot decrypt. No issue at all with "phone OS APIs".

  • by Jerry Rivers ( 881171 ) on Thursday February 02, 2023 @06:41PM (#63261179)

    ...that Anker let this happen at all, but I'm generally happy with Anker products, of which I own several. This response seems responsible and reasonable, if what they say is true. I have actually been casually shopping for a multi-camera system, and I will give this one another look.

    • Feit is an oft overlooked consideration. Known more for their LED products than camera offerings. Footage stored encrypted in camera, no subscription, no web portal.

      • Feit is an oft overlooked consideration. Known more for their LED products than camera offerings. Footage stored encrypted in camera, no subscription, no web portal.

        That's a tip I will definitely take seriously. Thanks.

    • by AmiMoJo ( 196126 )

      Anker seem to be more of a hardware engineering company than a software one. As is often the case, when they want to add IoT features to a product they end up botching the software side of things.

      At the very least it will take them some time to assemble a new, competent team, and replace all their old firmware and backend systems. Meanwhile the pressure will be on to develop new products, so I wouldn't expect updates to be well supported.

      If you want privacy guarantees then some Hikvision cameras with custom

  • Too late. (Score:5, Insightful)

    by Guspaz ( 556486 ) on Thursday February 02, 2023 @06:53PM (#63261193)

    The problem was not with all the security problems, or even the false advertising about the products (not entirely, anyway), but how they handled the public disclosure of the security problems and practices. They handled it by lying, concealing, denigrating, and covering up. If Anker's response to the whole fiasco had been something along the lines of "Yeah, we messed up, and here are the steps we're going to take to immediately improve the situation", then I'd still be fine with buying Anker products. But instead they tried their damnedest to pretend that there was no problem and everybody reporting on it was making things up, and that's why I don't buy their products anymore.

    It's too bad, they've always been my go-to for cables, batteries, chargers, and various other types of accessories. But how a company handles a crisis is more important than the cause of the crisis, and they could not have handled this more poorly.

    • I used to buy only Anker but haven't in about two years. The quality went to hell - a change in management would explain all of this.

      This [amzn.to] is my new go-to brand. It's like finding Anker in 2013.

      The first time I've actually been happy with USB cables, not just less annoyed. I have to reorder them periodically because the kids steal them preferentially.

  • by SpzToid ( 869795 ) on Thursday February 02, 2023 @07:57PM (#63261341)
    The quality, including color in the city at night from cheap WyzeCam v3 is worth 4-5x the price, plus they offer RTSP firmware, so nothing has to leave your LAN. Put this traffic on its own VLAN if you're so motivated. https://support.wyze.com/hc/en... [wyze.com]

    Mine is pointed at the street outside, and along with Open Broadcast Studio's Virtual Camera mode and a green screen, my web conference quality is vastly improved. Old smartphones blow away even modern cheap webcams in terms of quality. BTW, I use an Android phone as my main webcam in the setup. Search Amazon for 'SmallRig photo' to see a plethora of holders/adapters.
    • by EvilSS ( 557649 )
      Yep, much more open and responsive company https://www.consumerreports.or... [consumerreports.org]
    • by antdude ( 79039 )

      I use Arlo and might be dropping it soon since their free cloud storage will be ending in a few months. Can WyzeCam's videos be viewed online from home and optional cloud for free (no subscriptions)?

      • by SpzToid ( 869795 )
        There are paid cloud features available, but none interest me, plus I don't want an IoT device phoning home for anything. By using RTSP the camera is an IP server available to various client options, like VLC to name one. Open Broadcast studio is another, and makes it easy to capture multiple camera views. Obviously you really only want a single client-server transmission to maintain a large bitrate and RTSP makes that possible. Once the firmware is flashed, you can even remove the SD card so there's nothin
  • Is this different from the December 2022 security issue, where Eufy claimed no data was uploaded to their servers, where in actual fact they were uploading images for facial recognition training, and keeping the images after you delete your account?

  • If you trust a company in China with something that should be secure, you are an idiot. Even if they implement end to end encryption, I would assume they would include a backdoor to siphon off data on demand.

  • What security camera is perfect and can't be hacked? BTW, my Eufy security works great and alerts are sent to my phone when away. Supposed to be an indoor model, but works great at 10 degrees. Won't buy any Google/Ring security cameras 'cause you KNOW they TATTLE !!!!
    • They claimed it was secure, did not upload anything, and all streams were encrypted ...

      and when people showed all these claims were untrue, they just said "you're wrong" and tried to sue them ...

      Google and Ring security say they do upload images, do give access to authorities, do have unencrypted streams ... people can easily tell they are not very secure

  • Arlo, Ring, etc. How are they?
