Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul

Image caption: Anker’s Eufy division said its web portal was not designed for end-to-end encryption and could allow outside access with the correct URL. (Credit: Eufy)

After two months of wrangling with critics over how so many aspects of its “No clouds” security cameras turned out to be viewable online by security researchers, Anker’s smart home division Eufy has provided a lengthy explanation and a promise to do better.

In multiple responses to The Verge, which repeatedly called out Eufy for failing to address key aspects of its security model, Eufy made it clear that video feeds produced by its cameras could be viewed, unencrypted, through the Eufy web portal, despite messaging and marketing that suggested otherwise. Eufy also said it would hire penetration testers, commission a report from an independent security researcher, create a bug bounty program, and document its security protocols in more detail.

Before the end of November 2022, Eufy held a strong position among smart home security vendors. For those willing to trust any company with video streams and other home data, Eufy had marketed itself as offering “No Cloud or Costs”, with encrypted streams sent only to local storage.

Then came the first of Eufy’s dismal revelations. Security consultant and researcher Paul Moore asked Eufy on Twitter about several discrepancies he had discovered. Images from his doorbell camera, apparently tagged with facial recognition data, were accessible from public URLs. Camera streams, when enabled, were apparently accessible without authentication from VLC Media Player (which The Verge later confirmed). Eufy released a statement saying, in essence, that it had not fully explained how it uses cloud servers to deliver mobile notifications, and committed to updating its language. Moore went quiet after tweeting that he had had a “long discussion” with Eufy’s legal team.


A few days later, another security researcher confirmed that, given the URL of a Eufy user’s stream from the web portal, the stream could be played. The URL scheme also seemed to lack sophistication; as the same researcher told Ars, guessing a stream URL took at most 65,535 brute-force combinations, “which a computer can perform quite quickly.” Anker then increased the number of random characters an attacker would have to guess in stream URLs, and said it had removed the ability of media players to play a user’s stream even when given the URL.
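The 65,535-combination figure is the crux of the URL problem: a stream identifier with roughly 16 bits of entropy is exhaustible in about a minute at a modest request rate, whereas a token drawn from a CSPRNG with 128 bits is not exhaustible at all in practice. The following is an added example (not Eufy’s code, nor the researcher’s) that puts numbers on that comparison and shows how an unguessable stream token is generated. The request rate of 1,000 guesses per second is an assumption chosen to make the arithmetic concrete; the specific layout of Eufy’s URLs is not known from the article and is not modelled.

```python
"""Brute-force budget for URL stream tokens (added example, not Eufy code).

Compares a ~16-bit identifier space (the 65,535 combinations reported
for the Eufy portal) against a 128-bit CSPRNG token. The guess rate is
an assumption, not a measured figure.
"""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens of `length` symbols over a given alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy in a uniformly chosen token from `space` candidates."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried once, one after another."""
    return space / guesses_per_second


def budget(space: int, guesses_per_second: float) -> dict:
    """Summarise how long an online brute-force of `space` would take."""
    worst = seconds_to_exhaust(space, guesses_per_second)
    return {
        "bits": entropy_bits(space),
        "worst_case_seconds": worst,
        "worst_case_years": worst / SECONDS_PER_YEAR,
    }


def make_stream_token(nbytes: int = 16) -> str:
    """CSPRNG-backed, URL-safe token; 16 bytes gives 128 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def brute_force_demo(secret: int, space: int) -> int:
    """Enumerate identifiers until `secret` is hit; returns guesses needed.

    Stands in for an attacker requesting each candidate URL in turn.
    """
    for guess in range(space):
        if guess == secret:
            return guess + 1
    raise ValueError("secret not in the enumerated space")


if __name__ == "__main__":
    rate = 1000.0  # assumed: 1,000 HTTP requests per second against a portal
    print("16-bit identifier space:", budget(2 ** 16, rate))
    print("128-bit random token:   ", budget(2 ** 128, rate))
    # Constructed sample secret: a 16-bit identifier an attacker would hit
    # after about 49k sequential guesses.
    print("guesses to find 0xBEEF:", brute_force_demo(0xBEEF, 2 ** 16))
    token = make_stream_token()
    print("example token:", token, "(entropy bits: 128)")
```

The point of the comparison is that the fix is not a longer URL for its own sake but a token whose entropy is far beyond any feasible number of HTTP requests; a 16-bit space is exhausted in about 65 seconds at the assumed rate, while a 128-bit space takes on the order of 10^22 years even at a billion guesses per second. Lengthening the random portion, as Anker said it did, only helps if the added characters are drawn from a cryptographic random source rather than being predictable.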

Eufy released a statement to The Verge, Ars and other publications at the time, saying it “categorically” disagreed with “the accusations made against the company regarding the safety of our products.” After continued pressure from The Verge, Anker released a lengthy statement detailing its past mistakes and future plans.

Among notable statements from Anker/Eufy:

- Its web portal now prohibits users from entering “debug mode”.
- The content of the video stream is encrypted and inaccessible outside the portal.
- While “only 0.1%” of current daily users access the portal, it “had some issues”, which have been resolved.
- Eufy is pushing WebRTC to all of its security devices as an end-to-end encrypted streaming protocol.
- Facial recognition images were uploaded to the cloud to facilitate replacing, resetting or adding doorbells to existing image sets, but this practice has been discontinued.
- No recognition data was included with the images uploaded to the cloud.
- Apart from the “recent problem with the web portal”, all other video uses end-to-end encryption.
- A “leading and well-known security expert” will produce a report on Eufy’s systems.
- “Several new security consulting, certification and penetration testing companies” will be engaged for risk assessment.
- A “Eufy Security Bounty Program” will be implemented.
- The company promises to “provide more timely updates to our community (and the media!).”
