Tag Archives: Eufy

Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul

Anker’s Eufy division has said its web portal was not designed for end-to-end encryption and could allow outside access with the right URL. (Image credit: Eufy)

After two months of arguing back and forth with critics about how so many aspects of its “No clouds” security cameras could be accessed online by security researchers, Anker smart home division Eufy has provided a lengthy explanation and promises to do better.

In multiple responses to The Verge, which has repeatedly called out Eufy for failing to address key aspects of its security model, Eufy has plainly stated that video streams produced by its cameras could be accessed, unencrypted, through the Eufy web portal, despite messaging and marketing that suggested otherwise. Eufy also stated it would bring in penetration testers, commission an independent security researcher’s report, create a bug bounty program, and better detail its security protocols.

Prior to late November 2022, Eufy had enjoyed a distinguished place among smart home security providers. For those willing to trust any company with video feeds and other home data, Eufy marketed itself as offering “No Clouds or Costs,” with encrypted feeds streamed only to local storage.

Then came the first of Eufy’s woeful revelations. Security consultant and researcher Paul Moore asked Eufy on Twitter about several discrepancies he discovered. Images from his doorbell camera, seemingly tagged with facial recognition data, were accessible from public URLs. Camera feeds, when activated, were seemingly accessible without authentication from VLC Media Player (something later confirmed by The Verge). Eufy issued a statement stating that, essentially, it hadn’t fully explained how it used cloud servers to provide mobile notifications and pledged to update its language. Moore went quiet after tweeting about “a lengthy discussion” with Eufy’s legal team.

Days later, a different security researcher confirmed that, given the URL from inside a Eufy user’s web portal, the camera feed could be streamed. The encryption scheme on the URLs also seemed to lack sophistication; as the same researcher told Ars, it took only 65,535 combinations to brute-force, “which a computer can run through pretty quick.” Anker later increased the number of random characters required to guess URL streams and said it had removed media players’ ability to play a user’s streams, even if they had the URL.

Eufy issued a statement to The Verge, Ars, and other publications at that time, noting it “adamantly” disagreed with “accusations levied against the company concerning the security of our products.” After continued pressure by The Verge, Anker issued a lengthy statement detailing its past errors and future plans.

Among Anker/Eufy’s notable statements:

  • Its web portal now prohibits users from entering “debug mode.”
  • Video stream content is encrypted and inaccessible outside the portal.
  • While “only 0.1 percent” of current daily users access the portal, it “had some issues,” which have been resolved.
  • Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
  • Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but this has been discontinued. No recognition data was included with images sent to the cloud.
  • Outside of the “recent issue with the web portal,” all other video uses end-to-end encryption.
  • A “leading and well-known security expert” will produce a report about Eufy’s systems.
  • “Several new security consulting, certification, and penetration testing” firms will be brought in for risk assessment.
  • A “Eufy Security bounty program” will be established.
  • The company promises to “provide more timely updates in our community (and to the media!).”




Throw away all your Eufy cameras right now

What you need to know

  • Eufy has begun removing and changing the wording of its own privacy and security policies from its website.
  • The company has yet to fully address security issues found over two weeks ago.
  • Eufy previously had camera footage privacy breaches in May 2021, further compounding issues with the company’s products.

Over the past month, Eufy has gone from a darling brand of many tech sites and mainstream outlets — including Android Central — to a brand whose trust evaporated nearly overnight. After the events of late November and the previous year’s similar issues, Android Central moved to an official “no recommendation” stance on Eufy products.

We’re now upgrading that to a warning that Eufy users should remove all Eufy cameras they have set up on their premises. We have a list of the best Eufy camera alternatives if you want to replace them with something more reputable, including recommendations for price, local storage, and object detection requirements.

Why did the recommendation change? It’s come to light that Eufy has begun removing security and privacy promises from its own website instead of actually addressing the issues put forth against the company’s products (per The Verge). If you view the company’s website on archive.org and then compare it with the current Eufy Privacy Commitment page, you’ll notice several parts of the site have been changed. Here’s a collection of all the major changes we found:

Among the many changes on Eufy’s Privacy Policy site, we found these three to be the most heinous. Some of the wording on many of the company’s policies seems to have been changed to enhance clarity but these three examples are outright changes to policies, not just clarifications.

Additionally, Eufy completely removed the policy around sharing footage with law enforcement.

(Image credit: Android Central)

As Eufy has begun to change its promises and backtrack on company policies, Android Central is officially recommending that Eufy users begin sunsetting their Eufy cameras as soon as possible. The company has not responded to Android Central’s requests since the initial November incidents, which already sends up red flags about Eufy’s behavior.

Additionally, changing key terms of service or privacy and security commitments completely erodes any remaining trust in the company’s products. Even if these policy changes don’t bother you right now, there’s no telling what else Eufy will backtrack on or what it might change in the future.





Eufy Cameras Have Been Uploading Unencrypted Footage to Cloud

The Eufy SoloCam E40.
Photo: Florence Ion / Gizmodo

Eufy, the company behind a series of affordable security cameras I’ve previously suggested over the expensive stuff, is currently in a bit of hot water for its security practices. The company, owned by Anker, purports its products to be one of the few security devices that allow for locally-stored media and don’t need a cloud account to work efficiently. But over the turkey-eating holiday, a noted security researcher across the pond discovered a security hole in Eufy’s mobile app that threatens that whole premise.

Paul Moore relayed the issue in a tweeted screengrab. Moore had purchased the Eufy Doorbell Dual Camera for its promise of a local storage option, only to discover that the doorbell’s cameras had been storing thumbnails of faces on the cloud, along with identifiable user information, despite Moore not even having a Eufy Cloud Storage account.

After Moore tweeted the findings, another user found that the data uploaded to Eufy wasn’t even encrypted. Any uploaded clips could be easily played back on any desktop media player, which Moore later demonstrated. What’s more: thumbnails and clips were linked to their partner cameras, offering additional identifiable information to any digital snoopers sniffing around.

Android Central was able to recreate the issue on its own with a EufyCam 3. It then reached out to Eufy, which explained to the site why this issue was cropping up. If you choose to have a motion notification pushed out with an attached thumbnail, Eufy temporarily uploads that file to its AWS servers to send it out. Moore had enabled the option manually, which is how the security flaw was eventually discovered. By default, the Eufy app’s camera notifications are text-only and don’t have the same issue, since there’s nothing to upload.

Though Eufy says its practices comply with Apple’s Push Notification Service terms of use and Google’s Firebase Cloud Message standards, it’s since patched some of the issues discovered by Moore. The company told Android Central that it would do the following to communicate to its users about how it’s storing data:

1. We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

2. We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.

Unfortunately, this isn’t the first time Eufy has had an issue regarding security on its cameras. Last year, the company faced similar reports of “unwarranted access” to random camera feeds, though the company quickly fixed the issue once it was discovered. Eufy is no stranger to patching things up.


