After the security concerns at eufy, the company had not reacted professionally. Instead of fixing the problems and apologizing to users, they denied everything, deleted some promises from the website and equipped the app with cloud hints. Now Anker, the company behind eufy, has confirmed that video streams were unencrypted.
At the end of last year, a security researcher uncovered that cameras from eufy were uploading footage to the manufacturer’s own cloud even when the option was not activated at all. In addition, the livestream could be viewed unencrypted via the VLC media player, for example, as long as the URL was known.
But instead of dealing openly with the problems and finding a solution, Anker initially denied everything. Instead, the company equipped the notification settings with hints that the preview images end up in the cloud.
In a lengthy email exchange with The Verge, Anker has since admitted that the security cameras are not inherently end-to-end encrypted and that unencrypted video streams were used for the eufy web portal. According to Anker, however, this will no longer be the case in the future. The company wants to equip all cameras with WebRTC, which is encrypted by default.
In addition, the company apologized for the lack of communication and announced that it would bring in external security companies for independent audits in the future, introduce a bug bounty program, and publish a microsite explaining its security approach in February.
Leave a Reply