Anker had lied: there is indeed a security problem with its Eufy surveillance cameras, which stored captured videos in the cloud without encryption or authentication, making them accessible to third parties…
Nearly two months after the first accusations of security flaws and of a lack of end-to-end encryption, which left data accessible to third parties in the cloud, Anker, the Chinese brand behind the Eufy surveillance cameras, has finally given The Verge an answer. Once again, the outlet had to push hard to get a clear and honest response from the manufacturer. Faced with the company's stubborn silence, it had to issue an ultimatum and threaten to publish an article detailing the various problems found in its products and its lack of transparency. A method that has clearly paid off.
Anker ended up admitting its faults and its lies, acknowledging that the video feed from its cameras was not end-to-end encrypted and could be accessed by third parties through the cloud via its web portal. The company has since updated its devices, automatically and remotely, so that all videos are encrypted before being sent to the web portal; the same applies to the mobile application. It has also agreed to audits by independent experts, in particular of its security and of attempts to breach its data. Finally, it has set up a bug bounty programme inviting security researchers and ethical hackers to find and report flaws in exchange for a reward, and it is preparing a site with clear explanations of its practices. The firm apologises for its lack of reaction over the past few weeks and promises to do better and to make amends. It remains for it to regain the trust of users and buyers.
Eufy cameras: the risks of cloud storage
Many security cameras and connected video doorbells offer cloud storage, that is, storage on the Internet. When an intrusion is detected, the manufacturer records in real time the video transmitted by the device on a remote server located somewhere in the world. A very handy feature, since it prevents everything from being lost if the device is destroyed or stolen by intruders. But it raises a question, because one can quite legitimately worry about how well those precious images are protected, and about the use the company that collects them may make of them.
Admittedly, most manufacturers equip their cameras with a memory card slot so that everything can be stored locally. This is a marketing argument clearly put forward to attract people concerned about the security of their data. But don't take it on trust! Local storage may suggest that nothing goes to the cloud, but the reality can be quite different. This is what owners of Eufy connected home cameras, Anker's brand, have bitterly discovered. Against their users' wishes and without warning them, the cameras send captured images to the company's servers. Worse still: the recordings could be viewed by third parties, because they were neither encrypted nor protected by any authentication…
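One way to check the claim above for yourself, instead of trusting a "local storage" setting, is to watch what the device actually sends out of the home network. The following is an added example written for this page, not code from the article, from Paul Moore or from Anker: it parses a constructed flow log in a simple key=value format (an assumed format, not any real router's output) and reports every destination outside the LAN that the camera's address talks to, with connection counts, byte totals and ports. The addresses standing in for "cloud" servers are RFC 5737 documentation addresses, not real hosts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow log (an assumed key=value format, NOT real Eufy/Anker
# traffic): one line per outbound connection observed at the home router.
# 192.168.1.50 is the camera under test; 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges standing in for vendor cloud servers.
SAMPLE_FLOW_LOG = """\
2022-11-24T10:02:11Z src=192.168.1.50 dst=192.168.1.10 dport=8080 proto=tcp bytes=2048
2022-11-24T10:02:12Z src=192.168.1.50 dst=203.0.113.25 dport=443 proto=tcp bytes=184320
2022-11-24T10:02:12Z src=192.168.1.50 dst=198.51.100.7 dport=443 proto=tcp bytes=9216
2022-11-24T10:02:15Z src=192.168.1.23 dst=203.0.113.40 dport=443 proto=tcp bytes=512
2022-11-24T10:02:20Z src=192.168.1.50 dst=224.0.0.251 dport=5353 proto=udp bytes=128
2022-11-24T10:03:01Z src=192.168.1.50 dst=203.0.113.25 dport=443 proto=tcp bytes=220160
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)

# "Stays in the home" means RFC 1918, link-local, loopback or multicast (mDNS,
# SSDP). These are listed explicitly rather than using ipaddress.is_private,
# because Python also classifies the RFC 5737 documentation ranges used in the
# sample as non-global, which would hide exactly the flows we want to see.
LAN_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4")
]


def parse_flows(text):
    """Parse the key=value flow lines; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        f["dport"] = int(f["dport"])
        f["bytes"] = int(f["bytes"])
        flows.append(f)
    return flows


def is_lan_destination(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_cloud_egress(text, camera_ip):
    """Summarise the camera's traffic to destinations outside the LAN.

    Returns {dst_ip: {"flows": count, "bytes": total, "ports": sorted ports}}.
    An empty dict means the camera never left the home network in this log.
    """
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0, "ports": set()})
    for f in parse_flows(text):
        if f["src"] != camera_ip or is_lan_destination(f["dst"]):
            continue
        entry = summary[f["dst"]]
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
        entry["ports"].add(f["dport"])
    return {dst: {**e, "ports": sorted(e["ports"])} for dst, e in summary.items()}


if __name__ == "__main__":
    for dst, e in find_cloud_egress(SAMPLE_FLOW_LOG, "192.168.1.50").items():
        print(f"{dst}: {e['flows']} connections, {e['bytes']} bytes, ports {e['ports']}")
```

Run against the sample, the camera shows two external destinations on port 443 while a "local-only" device should show none; the byte totals are the detail worth watching, since a few hundred kilobytes per detection event is far more than a push notification needs.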
Eufy cameras: unencrypted videos accessible online
It was Paul Moore, a cybersecurity consultant, who discovered that the data recorded by his Eufy Doorbell Dual connected doorbell was being sent to Anker's cloud. A very bad surprise, since it was supposed to be stored locally, on an external disk. Especially since he had deactivated the cloud storage option! In fact, he found that his camera sent video thumbnails, used in smartphone notifications, but also photos of detected faces with information to identify them and, icing on the cake, his user ID. To prove his point, Paul Moore also made video demonstrations, posted on his YouTube channel.
Anker responded to Paul Moore by explaining that the images recorded by its cameras are only used for notifications and are deleted from the server as soon as the user clears the events in the mobile application. The consultant therefore checked the company's statements, and found that the uploaded items are not deleted from Eufy's servers at all. Worse still: other users looked into the matter and discovered that anyone could access a Eufy camera's video. The data is not properly encrypted, and the videos can be viewed in a web browser simply by entering the correct URL. No authentication is requested, and the stream can be played with the well-known VLC media player. A veritable gold mine for malicious actors! The Verge's journalists in turn tried to view the captured images, and they succeeded, "proving that Anker has a way to bypass encryption and access these supposedly secure cameras via the cloud". Admittedly, the camera must be triggered by a detection event before it saves images to the cloud. But that is its primary function! And those images should not be so easily accessible.
Since being informed of the problem, Anker has of course corrected some technical points. But the affair still leaves a bad impression. Beyond the security issues this discovery raises, it is above all the manufacturer's lack of transparency that is shocking. Not only does it "temporarily" store data, but it does so without the camera owner's consent and without notifying them in advance. Eufy devices would thus have been sold with false promises of privacy. The brand would even have gone so far as to lie, since an Anker spokesperson reportedly told The Verge that it was "not possible to start a stream and watch live images using a third-party player such as VLC"… which is exactly what the American outlet managed to do. The company also replied to Paul Moore that yes, data was being sent to the cloud, but there was no need to worry because the URL was password protected, so only the user could share it with a third party. Anker, however, intends to encrypt the interface so that the URL is no longer displayed, and thus avoid further "misunderstandings". That hides the link from anyone inspecting the app's traffic, but it adds no access control: a server that hands the video to whoever presents the URL still does so, whatever path the URL took to reach them.
Update: An official response from @EufyOfficial
Paraphrasing…
“You’re right, we do send to the cloud but it’s password protected, so not publicly visible… but we intend to encrypt API messages so nobody else finds out”
Completely & utterly missed the point. pic.twitter.com/Mr08D2t60c
— Paul Moore (@Paul_Reviews) November 24, 2022
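The finding described above, a video that anyone can fetch by knowing its URL, and Anker's answer that the URL is "password protected" and will be hidden from the API messages, illustrate the difference between a secret URL and access control. The following is an added example written for this page, not Anker's code and not a description of how Eufy's service was actually built: a toy media store is served first by the weak pattern the article describes, where possession of the path is the only requirement, and then by one standard fix that is assumed here, an HMAC-signed, expiring URL bound to the account that owns the clip and checked against the caller's authenticated session. Object IDs, account names and the signing key are all invented.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed demo store: object id -> (owning account, media bytes).
# Names and ids are invented; nothing here is Eufy/Anker data.
MEDIA = {
    "evt-1001": ("alice", b"<jpeg thumbnail of alice's doorstep>"),
    "evt-1002": ("bob", b"<mp4 clip from bob's camera>"),
}

# ---------------------------------------------------------------------------
# Weak pattern (the one the article describes): the path is the only "secret".
# Encrypting the app's API traffic so the path is harder to observe changes
# nothing here; anyone who obtains or guesses the path is served the object.
# ---------------------------------------------------------------------------
def serve_weak(path):
    object_id = path.rsplit("/", 1)[-1]
    if object_id in MEDIA:
        return 200, MEDIA[object_id][1]
    return 404, b""


# ---------------------------------------------------------------------------
# Hardened pattern (assumed fix, not what Anker shipped): the server issues a
# signed URL naming the object, the owner and an expiry; serving it requires a
# valid signature, an unexpired timestamp, and an authenticated session that
# matches the owner bound into the URL.
# ---------------------------------------------------------------------------
SIGNING_KEY = b"example-signing-key-kept-only-on-the-server"  # assumption


def _signature(object_id, owner, expires):
    msg = f"{object_id}|{owner}|{expires}".encode()
    mac = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_signed_url(object_id, owner, ttl=300, now=None):
    """Issued by the server to the object's owner, e.g. inside a notification."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    sig = _signature(object_id, owner, expires)
    return f"/media/{object_id}?owner={owner}&exp={expires}&sig={sig}"


def serve_signed(url, session_user, now=None):
    """session_user is the account the caller proved it owns (e.g. via login).
    Returns (status, body): 401 for a missing, tampered or expired signature,
    403 when a valid link is presented by someone other than its owner."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    q = parse_qs(parts.query)
    object_id = parts.path.rsplit("/", 1)[-1]
    try:
        owner, expires, sig = q["owner"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return 401, b""
    expected = _signature(object_id, owner, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 401, b""
    if now >= expires:
        return 401, b""
    if session_user != owner or object_id not in MEDIA or MEDIA[object_id][0] != owner:
        return 403, b""
    return 200, MEDIA[object_id][1]


if __name__ == "__main__":
    t0 = 1_700_000_000
    link = make_signed_url("evt-1001", "alice", ttl=300, now=t0)
    print("weak, no credentials:", serve_weak("/media/evt-1001")[0])
    print("signed, owner:", serve_signed(link, "alice", now=t0 + 10)[0])
    print("signed, link shared to bob:", serve_signed(link, "bob", now=t0 + 10)[0])
    print("signed, expired:", serve_signed(link, "alice", now=t0 + 301)[0])
    print("signed, tampered id:",
          serve_signed(link.replace("evt-1001", "evt-1002"), "alice", now=t0 + 10)[0])
```

The point of the second handler is that the URL alone proves nothing: a shared or leaked link fails on the session check, an old link fails on the expiry, and an edited link fails on the signature. Hiding the URL in transit, which is what "encrypt API messages" amounts to, only ever affects the first handler's exposure, not its behaviour.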