Since discovering the security flaws in its system, Anker has been cautious. Indeed, many dissatisfied users later wondered if they could trust Eufy’s security cameras. Anker is the parent company of Eufy.
This week, Anker Electronics finally admitted that yes, Eufy’s security cameras are transmitting video for a web portal without encryption built in, reports The Verge.
In the fall of 2022, a smart home device maker was caught uploading user data to cloud servers without their consent. In addition, customers claim that it is possible to use the link from the Eufy web portal to view live feed from the camera using a media player – in this case VLC.
Anker claims that this is no longer the case.
“Today, all videos use end-to-end encryption”
“Today, all video (live and recorded) transmitted between a user’s device and the Eufy Security web portal or Eufy Security app uses end-to-end encryption, which is implemented using AES and RSA algorithms,” says Anker Communications Manager Eric Willines.
Image: Maria Diaz/ZDNET.
In terms of what gets uploaded to the cloud, Eufy is now making it clear on its mobile app that certain data needs to be uploaded to cloud servers, especially when users turn on features like video previews for push notifications.
From my point of view, uploading screenshots to the cloud is not the problem, as most connected security cameras do the same. The problem is that Yufi knew this was happening and yet he tricked his customers into believing otherwise.
Camera updates start rolling out
Since Eufy sells security cameras and alarm systems, it also claims that all of your data is stored locally. Don’t worry, everything will be safe on your HomeBase’s built-in storage or any other hard drive or SSD you decide to add to it if you can.
In his emails to The Verge, Anker apologized to clients for the lack of response and promised to do better in the future. Notably, the company is currently working with an independent company to conduct security and penetration testing to audit Eufy’s system and practices.
The goal is to “completely assess the security threats to our products and eliminate potential risks,” says Eric Vilines.
The company is also committed to end-to-end encryption of all requests for video streams from the Eufy web portal. It updates all Eufy cameras to use WebRTC, which is already used in HomeBase 3 and EufyCam 3/3C. According to Anker, only 0.1% of current daily users use the web portal.
Firmware updates for other Eufy cameras started rolling out last week. According to Anker, users of the Eufy Security mobile app can be sure that their footage and camera streams have already been end-to-end encrypted and that this was done locally, either on the camera or on HomeBase.
The issue of face recognition is still unresolved
The Eufy Security web portal, which requires users to log in before accessing it, was not originally designed with end-to-end encryption, which Eric Vilines admits is a problem. This is the only video streaming process that did not use encryption.
The company has implemented new protocols and procedures for features that may be developed in the future, ensuring that all data from user devices to the Eufy Security mobile app or web portal must use end-to-end encryption.
“Several common processes require the use of the cloud, such as account setup, push notifications, initial device setup, device OTA, etc.,” explains Eric Wilins.
Eufy’s “Proof of Privacy” on its website at the time of the incident. It has since been changed. Screenshot by Maria Diaz/Eufy Security.
Eufy also denies sending face recognition data to the cloud, but mentions that an update was made to the camera, which was the only one that used AWS cloud servers to send the original face recognition image to users of other cameras. Now the LAN/P2P process is used for this. ZDNET has not yet received a response from Anker regarding these issues.
The company also plans to launch a microsite with information about key processes that run locally and require the use of the cloud, and promises to provide “more timely updates to our community (and media!) to keep customers better informed.” any updates to these policies,” with one such update scheduled for early February.
So can Eufy security cameras be trusted?
From time to time, we hear about cybersecurity breaches and data breaches from companies that have earned the trust of users. This is not new. Each time, it seems that people with their opinion on this topic are divided into three groups: some believe that this is already too much, others cannot believe that people are no longer outraged, and still others remain neutral. .
In general, I try to stay neutral. I try to balance the bad with the good and understand how difficult it is to build a completely waterproof system only to throw it into a hurricane and hope for the best. However, over the past few weeks, I have fluctuated between these three positions.
With multiple Eufy devices in my home, I think the company has a long way to go to regain consumer confidence, and while these new processes look promising, it will take time.
“Our apologies should be accompanied by more details about what happened and the corrective actions we have taken to make sure this doesn’t happen again,” added Eric Wilins. On this issue, I think we all agree.