Anker admits Eufy camera security issues

Security
(Image credit: Future)

Anker has confirmed that one of its security camera products had some serious security flaws that allowed unauthorized third parties to view the camera live feeds. It also confirmed that it’s been sending mobile push notifications with people’s faces via the cloud to user endpoints.

Security researcher Paul Moore recently discovered that the (Anker-owned) Eufy Doorbell Dual camera’s feed could be accessed via a web browser by simply knowing the right URL, with no password was required. 

Camera videos encrypted with AES-128 are using a simple key that can be broken with relative ease, Moore said at the time, adding that the app was uploading thumbnails to the cloud, before sending them to people’s mobile apps as notifications, and that the camera was uploading facial recognition data to its AWS cloud without encryption.

Confirming researcher reports

Now, in a blog post titled “To our eufy Security Customers and Partners”, the company has addressed these claims, confirming some of them, but denying others.

As for accessing the camera feed - the researcher was right. “eufy Security 's Live View Feature on its Web-Portal Feature Has a Security Flaw,” the company said, before adding that no user data had been exposed. “Potential security flaws discussed online are speculative,” the blog reads. 

Still, the company has made some changes, now only allowing people to view live streams via the web if they sign in to the eufy.com 3 Web portal. “Users can no longer view live streams (or share active links to those live streams with others) outside of eufy’s secure Web portal,” it said.

Anker also confirmed using the cloud to send users mobile push notifications. While it said the feature “complies with all industry standards” it did make a few tweaks - it updated the eufy Security app with a more detailed explanation of the different push notification options, and revised its Privacy Statement on eufy.com 3, which should be published “later this week”.

“Moving forward, this will be a significant area of improvement for our marketing and communication teams and will be added to our website, privacy policies, and other marketing materials,” the blog explains.

Finally, it addressed the worries that the camera is sending facial recognition data to the cloud, shortly stating “This is not true.” 

“This is a key differentiator for eufy Security - all facial recognition and biometric processes are completed locally on the user’s device. This information is never processed in the cloud.”

The company has been slammed by security researchers and the media for poor communication - something it also aimed to address with this update:

“Moving forward, we will need to better balance our need to get “all the facts” with our obligation to keep our customers more quickly informed,” it said. 

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.