Eufy Security Camera

Anker Admits to Lying About Eufy Security Camera Encryption; Describes Future Plans

Anker has acknowledged that its claims regarding the security camera encryption offered by Eufy were untrue. The smart home brand had previously stated that all video footage is end-to-end encrypted, but has now admitted there was an exception to this (which it has now fixed).

The company only finally came clean about the privacy breach after The Verge threatened to post a story about the company’s failure to answer its questions …

Background

The security flaw was first identified in December of last year, when a user was able to access unencrypted video streams using the well-known VLC media player. This was confirmed by a security researcher, who also demonstrated that video data was uploaded to the cloud even when the user had denied permission.

This followed a similar incident back in 2021, when users were able to view live and recorded camera feeds from complete strangers. Eufy blamed that one on a bug, and promised to contact the “0.001% of users” affected.

Anker, the company that owns the Eufy brand, took almost three weeks to respond to the December case before issuing a statement in which it partially acknowledged that its security claims were untrue.

Admission of Eufy Security Camera Encryption Flaw

At the time, The Verge posted a lengthy list of questions for the company. The publication appears to have had difficulty obtaining responses, as they were provided only after it threatened to publish a story about the company’s failure to respond.

Apparently, Anker has now acknowledged two things that it had previously denied. First, its cameras can transmit unencrypted video footage. Second, there is one circumstance in which they do.

The discrepancy between the theory and the reality is now also explained, as are the company’s initial claims.

End-to-end encryption (E2E) was utilized when sending video to the companion iPhone and Android app, as stated. The video wouldn’t be visible to anyone who tampered with that stream.

The same thing was true of recorded footage sent to the web; that too used E2E encryption.

However, live video streams sent to the web were not encrypted, nor even authenticated, meaning that the streaming footage could be viewed by anyone who gained access to the link.

The Company’s Promises

Anker does finally seem to realize that it has a lot of work to do if anyone is to ever trust it again.

First, the company says it is remotely updating each and every Eufy camera to send only encrypted video to the web portal.

Second, it is commissioning external security companies to audit its practices, and conduct penetration testing (where consultants use hacking techniques to attempt to gain access). It will ask a “well-known security expert” to write an independent report.

In addition, a bug bounty program will be established to encourage security researchers and hackers to identify and report vulnerabilities.

Source: 9to5mac
