Anker admits Eufy camera security issues
>
Anker has confirmed that one of its security camera products had some serious security flaws that allowed unauthorized third parties to view the camera’s live feeds. It also confirmed that it has sent mobile push notifications featuring people’s faces to user endpoints via the cloud (opens in new tab).
Security researcher Paul Moore recently discovered that the feed from the Eufy Doorbell Dual camera (owned by Anker) could be accessed through a web browser simply by knowing the correct URL, with no password required.
Camera videos encrypted with AES-128 use a simple key that is relatively easy to break, Moore said at the time, adding that the app uploaded thumbnails to the cloud before sending them as notifications to people’s mobile apps, and that the camera uploaded facial recognition data to its AWS cloud without encryption.
Confirming research reports
Now, in one blog post (opens in new tab) titled “To Our Eufy Security Customers and Partners,” the company has addressed these claims, confirming some but denying others.
As for accessing the camera feed, the researcher was right. “Eufy Security’s Live View feature on its web portal has a security flaw,” the company said before adding that no user data had been released. “Potential security flaws discussed online are speculative,” the blog reads.
Still, the company has made some changes, so people can now watch live streams over the internet only by logging into the eufy.com 3 web portal. “Users will no longer be able to watch live streams (or share active links to those live streams with others) outside of eufy’s secure web portal,” it said.
Anker also confirmed using the cloud to send mobile push notifications to users. While it said the feature “complies with all industry standards”, it did make a few tweaks – it updated the eufy Security app with a more detailed explanation of the various push notification options, and updated its privacy statement at eufy.com. revised, which should be published “later this week”.
“In the future, this will be a significant area of improvement for our marketing and communications teams and will be added to our website, privacy policy and other marketing materials,” the blog explains.
Finally, it resolved concerns that the camera is sending facial recognition data to the cloud, with a brief statement saying “This is not true”.
“This is a key differentiator for eufy Security – all facial recognition and biometric processes are performed locally on the user’s device. This information is never processed in the cloud.”
The company has been criticized by security researchers and the media for poor communication – something it also wanted to address with this update:
“Going forward, we will need to strike a better balance between our need to get ‘all the facts’ and our obligation to keep our customers informed faster,” the company said.