Eufy, an Anker brand that has positioned its security cameras around “local storage” and “no cloud,” has issued a statement in response to recent findings by security researchers and tech news sites. Eufy acknowledges that it could do better, but leaves some issues unresolved.
In a thread titled “Re: Recent Security Requests to eufy Security”, “eufy_official” writes to “Security Customers and Partners”. Eufy “takes a new approach to home security,” the company writes. It is designed to work locally and avoid cloud servers “as much as possible”. Video footage, facial recognition, and identity biometrics are managed “on the device, not in the cloud.”
This statement comes after questions were raised several times over the past few weeks about Eufy’s cloud policy. A British security researcher said in late October that a phone alert sent by his Eufy was stored on a cloud server, apparently unencrypted, and contained face identification data. Another company at the time quickly summarized two years of Eufy security findings, noting similar unencrypted file transfers.
At the time, Eufy acknowledged using a cloud server to store thumbnail images and committed to improving its setup language so that customers who want mobile alerts would be aware of this. The company did not address other allegations made by security analysts, including that a live video stream could be accessed through VLC Media Player with the correct URL and that its encryption method could be brute-forced.
A day later, tech site The Verge worked with researchers to confirm that users who were not logged into a Eufy account could watch a camera’s stream, given the correct URL. Getting that URL required a serial number (base64-encoded), a Unix timestamp, an apparently unverified token, and a 4-digit hex value.
Eufy says its security model “has never been attempted before and we expect challenges to arise along the way,” but says it remains committed to its customers. The company has admitted that “several allegations have been made” against its security, and that the need for a response has frustrated customers. But the company wrote that it wanted to “collect all the facts.”
In response to these claims, Eufy notes that it uses Amazon Web Services to forward cloud notifications. Images are end-to-end encrypted and deleted immediately after transmission, Eufy said, though the company plans to better notify users and adjust its marketing.
Regarding viewing live feeds, Eufy claims that “user data is not public and potential security flaws discussed online are speculation.” However, Eufy adds that it has disabled live stream viewing for anyone who is not logged into the Eufy portal.
Eufy says claims that it sends facial recognition data to the cloud are “not true.” All identity processing is handled on local hardware, and users add recognized faces to their devices over either a local network or a peer-to-peer encrypted connection, Eufy claims. But Eufy notes that its Video Doorbell Dual previously used “secure AWS servers” to share those images with other cameras on the Eufy system. That feature has since been disabled.
The Verge did not receive responses to further questions about Eufy’s security practices following the findings of its investigation. It has follow-up questions, and they are noteworthy. They include why the company denied that remote streams could be watched in the first place, its policies on law enforcement requests, and whether the company really used “ZXSecurity17Cam@” as an encryption key.
“So far it’s safer to use the doorbell that tells you it’s stored in the cloud. To be honest, it’s because they generally use solid cryptography,” Moore wrote about his efforts. Some of Eufy’s most dedicated and privacy-conscious customers might agree.
Listing image by Eufy