Eufy publicly acknowledges some parts of its “No clouds” controversy


Eufy’s security department has publicly addressed some of the major claims about the company’s locally-facing systems, but those who bought into the “no clouds” claims may not be fully reassured.


Eufy, the Anker brand that positioned its security cameras as a “Local Storage” and “No Clouds” priority, has issued a statement in response to recent findings from security researchers and tech news sites. Eufy admits that things could be better, but also leaves some issues unresolved.

In a thread titled “Re: Recent Security Claims Against eufy Security,” “eufy_official” writes to its “Security Customers and Partners.” Eufy is taking “a new approach to home security,” the company writes, one designed to work locally and, “where possible,” to avoid cloud servers. Video, facial recognition, and identity biometrics are handled on the devices themselves, not in the cloud.

This reiteration comes after several questions were raised about Eufy’s cloud practices in recent weeks. A British security researcher discovered in late October that the images attached to phone alerts sent by Eufy were stored on a cloud server, apparently unencrypted, and included facial identification data. Another outlet at the time quickly summarized two years of Eufy security findings and noted similar unencrypted file transfers.

At the time, Eufy acknowledged that it was using cloud servers to store thumbnail images and said it would improve the setup language so that customers who wanted mobile alerts understood this. The company declined to comment on other claims from security researchers, including that live video streams could be accessed through VLC Media Player using the correct URL, one whose encryption scheme could potentially be brute-forced.

A day later, tech site The Verge, in collaboration with a researcher, confirmed that a user who is not logged into a Eufy account can view a camera’s stream if given the correct URL. Getting that URL required a serial number (encoded in Base64), a Unix timestamp, an apparently unvalidated token, and a four-digit hexadecimal value.

Eufy then said it “strongly disagrees with the allegations made against the company regarding the safety of our products.” Last week, The Verge reported that the company has notably changed many of its statements and “promises” from its privacy policy page. Eufy’s statement on its own forums arrived last night.

Eufy states that its security model “has never been tried and tested and we expect challenges along the way,” but that it remains committed to customers. The company acknowledges that “several claims have been made” against the security and that the need for a response has frustrated customers. But, the company writes, it wanted to “gather all the facts before publicly addressing these claims.”

In responding to those claims, Eufy notes that it uses Amazon Web Services to relay cloud notifications. The image is end-to-end encrypted and deleted shortly after transmission, Eufy says, but the company plans to better inform users and adjust its marketing.

As for viewing live feeds, Eufy claims that “no user data has been released and the potential security flaws discussed online are speculative.” But Eufy adds that live-stream viewing is disabled for users who are not logged into a Eufy portal.

Eufy states that the claim that it sends facial recognition data to the cloud “is not true.” All identity processing is handled on local hardware, and users add recognized faces to their devices over a local network or a peer-to-peer encrypted connection, Eufy claims. But Eufy notes that its Video Doorbell Dual previously used “our secure AWS server” to share such images with other cameras on a Eufy system; that feature has since been disabled.

The Verge, which did not receive answers to further questions about Eufy’s security practices following the findings, has some follow-up questions, and they are noteworthy. They include why the company denied viewing a remote stream was possible in the first place, its law enforcement request policy, and whether the company really used “[email protected]” as an encryption key.

Researcher Paul Moore, who raised some of the earliest questions about Eufy’s practices, has yet to respond directly to Eufy since he posted to Twitter on Nov. 28 that he “had a lengthy conversation with (Eufy’s) legal department.” Moore, in the meantime, has started researching other “local-only” video doorbell systems and found them remarkably non-local. One of them even appeared to have copied Eufy’s privacy policy word for word.

“Until now, it’s safer to use a doorbell that tells you it’s stored in the cloud, as those honest enough to tell you generally use solid crypto,” Moore wrote about his efforts. Some of Eufy’s most enthusiastic, privacy-conscious customers might agree.

Frame image by Eufy

The Valley Voice
Christopher Brito is a social media producer and trending writer for The Valley Voice, with a focus on sports and stories related to race and culture.