Eufy Publicly Acknowledges Some Parts of its "No Clouds" Controversy
Eufy changed some cloud behavior, admitted it can do more, ignored some issues:
Eufy, the Anker brand that positioned its security cameras as prioritizing "local storage" and "No clouds," has issued a statement in response to recent findings by security researchers and tech news sites. Eufy admits it could do better but also leaves some issues unaddressed.
In a thread titled "Re: Recent security claims against eufy Security," "eufy_official" writes to its "Security Cutomers and Partners." Eufy is "taking a new approach to home security," the company writes, designed to operate locally and "wherever possible" to avoid cloud servers. Video footage, facial recognition, and identity biometrics are managed on devices—"Not the cloud."
This reiteration comes after questions have been raised a few times in the past weeks about Eufy's cloud policies. A British security researcher found in late October that phone alerts sent from Eufy were stored on a cloud server, seemingly unencrypted, with face identification data included. Another firm at that time quickly summarized two years of findings on Eufy security, noting similar unencrypted file transfers.
[...] Eufy states its security model has "never been attempted, and we expect challenges along the way," but that it remains committed to customers. The company acknowledges that "Several claims have been made" against its security, and the need for a response has frustrated customers. But, the company writes, it wanted to "gather all the facts before publicly addressing these claims."
[...] The Verge, which had not received answers to further questions about Eufy's security practices after its findings, has some follow-up questions, and they're notable. They include why the company denied that viewing a remote stream was possible in the first place, its law enforcement request policies, and whether the company was really using "ZXSecurity17Cam@" as an encryption key.
[...] "Thus far, it's safer to use a doorbell which tells you it's stored in the cloud—as the ones honest enough to tell you generally use solid crypto," Moore wrote about his efforts. Some of Eufy's most enthusiastic, privacy-minded customers may find themselves agreeing.
Eufy Admits That its Cameras Have a "Security Flaw"
eufy Admits That Its Cameras Have a "Security Flaw":
Here's a quick recap; eufy's smart security cameras rely on a "base station" to store video locally. This keeps your data off the cloud and away from hackers. But security researchers found that eufy camera feeds can be accessed through VLC, a free media player. (As far as we know, this vulnerability hasn't been utilized by hackers.)
Researchers also discovered that eufy cameras send some data to the cloud. Encrypted video thumbnails are dumped into AWS to serve mobile push notifications, for example. Customers don't seem to care too much about these video thumbnails, but they're frustrated by eufy's lack of transparency on this matter.
Initially, eufy denied the existence of any vulnerabilities. It stopped responding to press inquiries related to this matter, and it quietly deleted several lines from its "Privacy Commitment" page.
But the company now admits that the "Live View feature on its Web-Portal feature has a security flaw." It doesn't explain this "flaw," and it doesn't mention VLC, but it claims that users can no longer access Web Portal livestreams outside of the Web Portal. The ability to share livestreams with other people has also been removed—you need to log into an account associated with a camera to view its live feed. (We're still waiting for researchers to verify that this vulnerability is fixed.)
(Score: 5, Informative) by jasassin on Thursday December 29, @02:52AM (2 children)
Jesus Christ (yes I'm extremely frustrated with Eufy so please bear with me). Ok. Please allow me, as an owner of a Eufy camera, to explain what my major problem is. It is first necessary to explain a few things.
No, the cameras support microsd cards to save video locally. The base station has squat to do with the bigger picture (problem).
The problem is when they say video should be stored locally and function locally, that is exactly what it should do. It does NOT!
Example: The cameras have motion detection. If I block my camera from accessing the Internet, it should function. It should detect motion, record the video and alert my phone app through my LAN that motion was detected and allow me to view the event. It does NOT! I have blocked my camera's IP/MAC address and tested the camera. No alerts. No events to view. Nada. Then when I unblock it from the Internet in my router it alerts me about the events that were recorded while it was blocked (it still recorded them but no notification) and allows me to view them.
That is FUCKED! It should NOT need Internet access to alert me through my LAN that an event has occurred and to allow me to view the video! I just tested this yesterday!
I can understand requiring Internet access to allow me to get notifications and view video when I'm away from home, of course (a simple option to enable WAN access [amazon web service for notifications and device access away from home]), but for local viewing there should be an option to toggle WAN access to OFF! There is NO FUCKING REASON WHATSOEVER that this camera should need to access the Internet to send me motion detection alerts and allow me to view video stored on the camera's microsd card through my LAN! It totally goes against their whole local access shmeel.
Please excuse the French, but Eufy can blow me! This is some shady shit. I have a feeling this rabbit hole goes deeper than the Mariana Trench (hard core invasion of privacy, fat guy jerking off to fitty monitors with a big bottle of lotion South Park style).
Fuck you Eufy. Fuck you.
jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
(Score: 3, Informative) by coolgopher on Thursday December 29, @03:29AM
And the sad thing is, they're arguably the best of a bad bunch. I say this as someone who has one of their "smart" doorbells.
(Score: 4, Interesting) by corey on Thursday December 29, @09:23PM
Thanks for the chuckle, but seriously your comment is 100%.
I have a firewall rule in my brain, if something has an app needed to function, I don’t buy it.
Though with my home Solar panels, it needed to install the Huawei app to read data on generation, import, export, etc. I decided not to do that but rather built a Modbus-RTU sniffer with an old RaspPi to read all the metrics myself (comms between the inverters and power meter in my meter box).
(Score: 4, Insightful) by Rosco P. Coltrane on Thursday December 29, @04:09AM (2 children)
What facts are there to gather? The company makes the product and makes the claims. If they don't lie, they already have all the facts on hand.
That very sentence paints them as extremely sketchy. Like if you're accused of a crime and you're interrogated by the police: if you start thinking hard and claiming you need to "gather all the facts before answering", you sound guilty as hell.
(Score: 5, Insightful) by fraxinus-tree on Thursday December 29, @08:22AM
Never seen a boss that doesn't know (and generally doesn't care) what happens in their company? Most of them are even proud of it - until the shit hits the fan.
(Score: 2) by corey on Thursday December 29, @09:14PM
I love (not really) how they try to justify lying in their marketing by saying “we’re taking a different approach” to home security.
(Score: 0) by Anonymous Coward on Thursday December 29, @08:48AM
Did someone say security cameras [insecam.org]?