Eufy, the Anker brand that positions its security cameras as prioritizing “local storage” and “no cloud,” issued a statement in response to recent findings by security researchers and technology news sites. Eufy acknowledges it could do better but also leaves some issues unaddressed.
In a thread titled “Re: Re: recent security claims against eufy Security,” eufy_official writes to “Security Cutomers and Partners.” Eufy “takes a fresh approach to home security,” the company writes, and is designed to operate on premises and “where possible” to avoid cloud servers. Video capture, facial recognition, and identity biometrics are all managed on devices — “not the cloud.”
This response comes after questions have been raised several times in the past weeks about Eufy’s cloud policies. A British security researcher discovered in late October that phone alerts sent from Eufy were stored on a cloud server, apparently unencrypted, with facial identification data included. Another company at the time quickly summed up two years of findings on Eufy’s security, noting similar unencrypted file transfers.
At the time, Eufy acknowledged using cloud servers to store thumbnails, and said it would improve its setup language so customers who wanted mobile alerts would know that. The company has not addressed other claims from security analysts, including that live video streams can be accessed through VLC Media Player with the correct URL, whose encryption scheme appears weak at best.
A day later, technology site The Verge, working with a researcher, confirmed that a user who is not logged into an Eufy account can view the camera’s feed, given the correct URL. Getting this URL requires a serial number (encoded in Base64), a Unix timestamp, an apparently unvalidated token, and a four-digit hexadecimal value.
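The stream URL described above combines a serial number, a timestamp and a token that the server apparently never checks. The following is an added illustration, not Eufy’s code or its real URL format, of why an unvalidated token is equivalent to no authentication, alongside a hypothetical signed-URL scheme in which the token is an HMAC over the serial, timestamp and logged-in user, with a short expiry. The host name, secret, field names and TTL are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example secret; a real service would hold this server-side and
# rotate it. It is not any vendor's key.
SERVER_SECRET = b"constructed-example-secret-not-a-real-key"
TOKEN_TTL_SECONDS = 300  # hypothetical lifetime of a stream URL


def _message(serial_b64, ts, user_id):
    # The signed message binds the camera, the issue time and the account,
    # so a URL cannot be replayed for another user or another camera.
    return f"{serial_b64}|{ts}|{user_id}".encode()


def make_stream_url(serial, user_id, now=None, secret=SERVER_SECRET):
    """Issue a stream URL whose token is an HMAC the server can recompute."""
    ts = int(now if now is not None else time.time())
    serial_b64 = base64.urlsafe_b64encode(serial.encode()).decode().rstrip("=")
    token = hmac.new(secret, _message(serial_b64, ts, user_id), hashlib.sha256).hexdigest()
    query = urlencode({"sn": serial_b64, "ts": ts, "uid": user_id, "token": token})
    return f"https://stream.example.invalid/live?{query}"


def verify_unvalidated(url):
    """Anti-pattern: the 'token' is present but never compared to anything.
    Any party who can guess the field layout gets access."""
    q = parse_qs(urlsplit(url).query)
    return all(k in q for k in ("sn", "ts", "token"))


def verify_signed(url, session_user_id, now=None, secret=SERVER_SECRET):
    """Hardened check: caller must be logged in as the user the URL was issued
    to, the URL must be fresh, and the HMAC must match."""
    q = parse_qs(urlsplit(url).query)
    try:
        serial_b64 = q["sn"][0]
        ts = int(q["ts"][0])
        uid = q["uid"][0]
        token = q["token"][0]
    except (KeyError, ValueError, IndexError):
        return False
    # Not logged in, or logged in as someone else: reject.
    if session_user_id is None or uid != session_user_id:
        return False
    current = now if now is not None else time.time()
    # Reject stale URLs and URLs "from the future" (clock tampering).
    if not 0 <= current - ts <= TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(secret, _message(serial_b64, ts, uid), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    issued = 1_670_000_000  # constructed Unix timestamp
    url = make_stream_url("T8210N0012345678", "user-1", now=issued)  # constructed serial
    forged = url[: url.rindex("=") + 1] + "0" * 64  # same fields, made-up token
    print("unvalidated accepts forged URL:", verify_unvalidated(forged))
    print("signed accepts genuine URL:", verify_signed(url, "user-1", now=issued + 100))
    print("signed accepts forged URL:", verify_signed(forged, "user-1", now=issued + 100))
    print("signed accepts anonymous viewer:", verify_signed(url, None, now=issued + 100))
    print("signed accepts expired URL:", verify_signed(url, "user-1", now=issued + 301))
```

The contrast is the point: `verify_unvalidated` cannot distinguish a legitimately issued URL from one assembled from a known serial and a clock, which is exactly the situation a token is supposed to prevent, while `verify_signed` ties access to a logged-in session and a short window, so even a leaked URL stops working within minutes.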
Eufy has stated that its security model is “never tried, and we expect challenges along the way,” but that it remains committed to customers. The company acknowledges that “several allegations have been made” against its security, and that the delay in responding has frustrated customers. But the company wrote that it wanted to “gather all the facts before addressing these allegations publicly.”
Responses to these allegations include Eufy stating that it uses Amazon Web Services to relay push notifications. The images are end-to-end encrypted and deleted shortly after they are sent, Eufy explains, but the company intends to better notify users and adjust its marketing.
Regarding viewing the live stream, Eufy claims that “no user data has been exposed, and the possible security flaws discussed on the Internet are purely speculative.” But Eufy adds that it has disabled live-stream viewing when not logged into the Eufy portal.
Eufy says the claim that it sends facial recognition data to the cloud is “incorrect.” All identity operations are handled on local devices, and users add known faces to their devices through a local network or encrypted peer-to-peer connections, Eufy claims. But Eufy notes that the Video Doorbell Dual previously used an “AWS secure server” to share that image with other cameras on the Eufy system; this feature has since been disabled.
The Verge, which has not received answers to further questions about Eufy’s security practices following its findings, lists some noteworthy follow-up questions. They include why the company denied in the first place that the stream can be viewed remotely, what its policies are for law enforcement requests, and whether the company really uses “ZXSecurity17Cam@” as an encryption key.
“By far, it’s much safer to use a doorbell that tells you it’s stored in the cloud—people who are honest enough to tell you generally use strong encryption,” Moore, the British researcher mentioned above, wrote about his efforts. Some of Eufy’s more ardent, privacy-minded customers might find themselves agreeing.