In a statement, Anker admitted the security problems of the Eufy cameras and confirmed that – contrary to the original advertising promise – they transmit data to the cloud. However, the manufacturer has not issued an apology.
Anker confirms cloud use of Eufy cameras
In late November 2022, security researcher Paul Moore found a critical data and security vulnerability in security cameras made by Anker subsidiary Eufy. The cameras, specifically including the Doorbell Dual model, transmit facial recognition data to the cloud without being asked.
According to Moore, even names and locations are transmitted, and the data can be accessed comparatively easily; it can also be viewed in the stream without authentication.
On December 20, the manufacturer then removed any references to local storage, which they had originally marketed as an important security feature, from their website and made extensive adjustments to it.
Eufy has now addressed users, customers and partners in its own forum, admitting the security problems. However, there is still no trace of contrition or even an apology.
The company explains that it first wanted to collect and evaluate all the important information, which is why it took so long to make a statement. In the future, however, it wants to publish important information for customers faster, it adds.
Attempt at appeasement on the part of Eufy
“As previously stated, Eufy Security is committed to reducing the use of the cloud in our security processes whenever possible. However, some processes today require the use of our secure AWS servers,” Eufy’s statement on the security issues reads.
Promotional promises like “Your recorded data is kept private and stored locally. With military-grade encryption. And transmitted to them and only them,” which were originally on the Eufy homepage, now sound quite different.
According to Eufy, security-relevant push notifications for smartphones have to be transmitted to the servers. This includes, for example, small preview images that have to be transferred to the cloud; the company says this is done with end-to-end encryption and that the images are deleted again shortly after the push notification.
New security information is to be published on the company’s own website in the course of the week. Eufy added that in the future it would need to improve communication from its marketing and communications team and publish more details on security-related issues.
Livestream now only after login
“Initially, no user data has been published and possible security risks that have been discussed online are purely speculative,” the manufacturer continues. According to the company, livestreams via the web portal are still possible for now, but they can no longer be shared outside the secure web portal.
Anyone who wants to watch the videos must first log in to their own Eufy web portal. At least this is a step in the right direction. On the other hand, many other questions remain unanswered.
It is unclear, for example, whether these streams can be shared with law enforcement agencies, whether company employees have access to them, and why the Eufy security cameras transmit unencrypted video streams in the first place.
There is also no apology in the statement. One user appropriately notes, “Maybe it’s a translation from another language or something, but I couldn’t find anything where they apologized.” Neither could we.