• Eufy caught lying about local-only security cameras with footage sent to cloud

    #2502264

    Eufy caught lying about local-only security cameras with footage sent to cloud, accessible in unencrypted streams

    …Anker’s Eufy brand claims to keep data local, but a security researcher has exposed that the claim is far from true, with footage not only going to the cloud, but remaining visible even after it was supposed to be deleted.

    Eufy sells several of its security cameras with the promise that video footage and other data are local only, explicitly saying “no one has access to your data but you” on its website.

    Paul Moore, a security researcher, posted on Twitter last week a frightening security situation with Eufy home security products including camera-equipped doorbells. In the thread and accompanying videos, Moore shows proof that Eufy cameras are sending data that is said to be “stored locally” to the cloud, even when cloud storage is disabled.

    The security hole was first discovered on Eufy’s Doorbell Dual camera which utilizes two cameras to view both people walking up to your door as well as your doorstep where packages may be left…

    https://twitter.com/Paul_Reviews/status/1595421705996042240

    Paul Moore
    @Paul_Reviews

    You have some serious questions to answer
    @EufyOfficial

    Here is irrefutable proof that my supposedly “private”, “stored locally”, “transmitted only to you” doorbell is streaming to the cloud – without cloud storage enabled.

    2 users thanked author for this post.
    • #2502351

      You find some of the most interesting stuff that anyone does. Thank you.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

      3 users thanked author for this post.
    • #2510483

      Anker’s Eufy breaks its silence on security cam security

      After ignoring questions for weeks, Anker’s PR department forwarded us a statement from Eufy that admits but neither explains nor apologizes.

      Now, Anker is finally taking a stab at a public explanation, in a new blog post titled “To our eufy Security Customers and Partners.” Unfortunately, it contains no apology, and doesn’t begin to address why anyone would be able to view an unencrypted stream in VLC Media Player on the other side of the country, from a supposedly always-local, always-end-to-end-encrypted camera…

      What it does contain is a clear admission: “eufy Security’s Live View Feature on its Web-Portal Feature Has a Security Flaw,” the company admits in bold letters…

      1 user thanked author for this post.
    • #2519957

      It just goes to show you that the only equipment you can trust is the equipment you build yourself, for yourself, and code yourself.  Which is a tall order for today’s individuals who aren’t educated in both hardware and software.

    • #2530967

      Anker finally comes clean about its Eufy security cameras

      Anker admits its always-encrypted cameras weren’t always encrypted — and promises to do better.

      First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn’t answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams — among other questions — we would publish a story about the company’s lack of answers.

      It worked.

      In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

      But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

      That’s not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it’s bringing in outside security and penetration testing companies to audit Eufy’s practices…
