Anker Admits Eufy Cameras Did Not Offer End-to-End Encryption as Promised, Pledges to Do Better
Back in November, Anker's Eufy brand made headlines after security consultant Paul Moore discovered that Eufy security cameras were sending data to the cloud, even when cloud storage upload settings were disabled. Further, Eufy camera streams were allegedly able to be watched live through an app like VLC, which presented a glaring security issue.
That the Eufy cameras were uploading content to the cloud was problematic because Anker has long touted the security of its Eufy devices, claiming that they feature local-only storage and end-to-end encryption for those who want a more private camera solution. Following this debacle, The Verge began trying to get answers about Eufy camera security from Anker, and Anker was providing deliberately unclear and often misleading answers about how Eufy cameras worked.
The Verge was finally able to get answers from Anker by threatening to publish a story about the company's lack of communication, which has led to some clarification about Eufy security. Eufy cameras do not offer native end-to-end encryption, and they did indeed provide unencrypted video streams through the Eufy web portal, though Anker says this is an issue that has now been fixed. From Eufy:
Previously, after logging into our secure Web portal at eufy.com, a registered user could enter debug mode, use the Web browser’s DevTool to locate the live stream, and then play or share that link with someone else to play outside of our secure system. However, that would have been the user’s choice to share that link, and they would have needed to first log into the eufy Web portal to get this link.
Today, based on industry feedback and out of an abundance of caution, the eufy Security Web portal now prohibits users from entering debug mode, and the code has been hardened and obfuscated. In addition, the video stream content is encrypted, which means that these video streams can no longer be played on third-party media players such as VLC.
I should note, however, that only 0.1 percent of our current daily users use the secure Web portal feature at eufy.com. Most of our users use the eufy Security app to view live streams. Either way, the previous design of our Web portal had some issues, which have since been resolved.
Video stream requests originating from the Eufy web portal will be end-to-end encrypted going forward, as they are with the Eufy app, which Anker says is the primary way that Eufy users access camera streams. Anker says that every Eufy camera is being updated to use WebRTC, which is encrypted by default, and it will no longer be possible to play Eufy video streams through third-party apps.
Anker was regretful about its lack of communication, and said that it would do better in the future. The company is bringing in third-party security companies to audit the Eufy security products, and it is working on an official bug bounty program. Anker will also establish a security micro-site in February, and will provide customers with more information on the changes that have been implemented.
For those who are interested in the full details of what Eufy has to say, The Verge published its complete email communications with Anker spokespeople.