SoylentNews is people

posted by hubie on Wednesday December 28, @11:09PM
from the what-cloud?-Oh-THAT-cloud dept.

Eufy Publicly Acknowledges Some Parts of its "No Clouds" Controversy

Eufy changed some cloud behavior, admitted it can do more, ignored some issues:

Eufy, the Anker brand that positioned its security cameras as prioritizing "local storage" and "No clouds," has issued a statement in response to recent findings by security researchers and tech news sites. Eufy admits it could do better but also leaves some issues unaddressed.

In a thread titled "Re: Recent security claims against eufy Security," "eufy_official" writes to its "Security Cutomers and Partners." Eufy is "taking a new approach to home security," the company writes, designed to operate locally and "wherever possible" to avoid cloud servers. Video footage, facial recognition, and identity biometrics are managed on devices—"Not the cloud."

This reiteration comes after questions have been raised a few times in the past weeks about Eufy's cloud policies. A British security researcher found in late October that phone alerts sent from Eufy were stored on a cloud server, seemingly unencrypted, with face identification data included. Another firm at that time quickly summarized two years of findings on Eufy security, noting similar unencrypted file transfers.

[...] Eufy states its security model has "never been attempted, and we expect challenges along the way," but that it remains committed to customers. The company acknowledges that "Several claims have been made" against its security, and the need for a response has frustrated customers. But, the company writes, it wanted to "gather all the facts before publicly addressing these claims."

[...] The Verge, which had not received answers to further questions about Eufy's security practices after its findings, has some follow-up questions, and they're notable. They include why the company denied that viewing a remote stream was possible in the first place, its law enforcement request policies, and whether the company was really using "ZXSecurity17Cam@" as an encryption key.

[...] "Thus far, it's safer to use a doorbell which tells you it's stored in the cloud—as the ones honest enough to tell you generally use solid crypto," Moore wrote about his efforts. Some of Eufy's most enthusiastic, privacy-minded customers may find themselves agreeing.

Eufy Admits That its Cameras Have a "Security Flaw"

eufy Admits That Its Cameras Have a "Security Flaw":

Here's a quick recap: eufy's smart security cameras rely on a "base station" to store video locally. This keeps your data off the cloud and away from hackers. But security researchers found that eufy camera feeds can be accessed through VLC, a free media player. (As far as we know, this vulnerability hasn't been utilized by hackers.)

Researchers also discovered that eufy cameras send some data to the cloud. Encrypted video thumbnails are dumped into AWS to serve mobile push notifications, for example. Customers don't seem to care too much about these video thumbnails, but they're frustrated by eufy's lack of transparency on this matter.

Initially, eufy denied the existence of any vulnerabilities. It stopped responding to press inquiries related to this matter, and it quietly deleted several lines from its "Privacy Commitment" page.

But the company now admits that the "Live View feature on its Web-Portal feature has a security flaw." It doesn't explain this "flaw," and it doesn't mention VLC, but it claims that users can no longer access Web Portal livestreams outside of the Web Portal. The ability to share livestreams with other people has also been removed—you need to log into an account associated with a camera to view its live feed. (We're still waiting for researchers to verify that this vulnerability is fixed.)


  • (Score: 4, Insightful) by Rosco P. Coltrane on Thursday December 29, @04:09AM (2 children)

    by Rosco P. Coltrane (4757) on Thursday December 29, @04:09AM (#1284289)

    But, the company writes, it wanted to "gather all the facts before publicly addressing these claims."

    What facts are there to gather? The company makes the product and makes the claims. If they don't lie, they already have all the facts on hand.

    That very sentence paints them as extremely sketchy. Like if you're accused of a crime and you're interrogated by the police: if you start thinking hard and claiming you need to "gather all the facts before answering", you sound guilty as hell.

  • (Score: 5, Insightful) by fraxinus-tree on Thursday December 29, @08:22AM

    by fraxinus-tree (5590) on Thursday December 29, @08:22AM (#1284294)

    Never seen a boss that doesn't know (and generally doesn't care) what happens in their company? Most of them are even proud of it - until the shit hits the fan.

  • (Score: 2) by corey on Thursday December 29, @09:14PM

    by corey (2202) on Thursday December 29, @09:14PM (#1284358)

    I love (not really) how they try to justify lying in their marketing by saying “we’re taking a different approach” to home security.