Eufy, the Anker brand that positioned its security cameras as a “Local Storage” and “No Clouds” priority, has issued a statement in response to recent findings from security researchers and tech news sites. Eufy admits that things could be better, but also leaves some issues unresolved.
In a thread titled “Re: Recent Security Claims Against eufy Security,” “eufy_official” writes to its “Security Cutomers and Partners.” Eufy is taking “a new approach to home security,” the company writes, designed to work locally and “where possible” to avoid cloud servers. Video, facial recognition and identity biometrics are managed on devices, not the cloud.
This reiteration comes after a few questions about Eufy’s cloud policies in recent weeks. A British security researcher discovered in late October that telephone alerts sent by Eufy were stored on a cloud server, apparently unencrypted, including facial identification data. Another company of the time quickly summarized two years of Eufy security findings and noticed similar unencrypted file transfers.
At the time, Eufy acknowledged that they were using cloud servers to store thumbnail images, and that it would improve the installation language so that customers who wanted mobile alerts knew about it. The company declined to comment on other claims from security analysts, including that live video streams could be accessed through VLC Media Player using the correct URL, one whose encryption scheme could potentially be brute-forced.
A day later, tech site The Verge, in collaboration with a researcher, confirmed that a user who is not logged into a Eufy account can view a camera’s stream if given the correct URL. Getting that URL required a serial number (encoded in Base64), a Unix timestamp, an apparently unvalidated token, and a four-digit hexadecimal value.
Eufy states that its security model “has never been tried and tested and we expect challenges along the way,” but that it remains committed to customers. The company acknowledges that “several claims have been made” against the security and that the need for a response has frustrated customers. But, the company writes, it wanted to “gather all the facts before publicly addressing these claims.”
In responding to those claims, Eufy notes that it uses Amazon Web Services to relay cloud notifications. The image will be end-to-end encrypted and deleted shortly after transmission, Eufy says, but the company plans to better inform users and adjust marketing.
As for viewing live feeds, Eufy claims that “no user data has been released and the potential security flaws discussed online are speculative.” But Eufy adds that viewing live streams is disabled when they are not logged into a Eufy portal.
Eufy states that the claim that it sends facial recognition data to the cloud “is not true”. All identity processes are handled on local hardware, and users add recognized faces to their devices over a local network or peer-to-peer encrypted connections, Eufy claims. But Eufy notes that its Video Doorbell Dual previously used “our secure AWS server” to share that image with other cameras on a Eufy system; that feature has since been disabled.
The Verge, which did not receive answers to further questions about Eufy’s security practices following the findings, has some follow-up questions, and they are noteworthy. They include why the company denied viewing a remote stream was possible in the first place, its law enforcement request policy, and whether the company really used “[email protected]” as an encryption key.
“Until now, it’s safer to use a doorbell that tells you it’s stored in the cloud, as those honest enough to tell you generally use solid crypto,” Moore wrote about his efforts. Some of Eufy’s most enthusiastic, privacy-conscious customers might agree.
Frame image by Eufy