Eufy publicly acknowledges some parts of its “No clouds” controversy [arstechnica.com]:
Eufy, the Anker brand that positioned its security cameras as prioritizing "local storage" and "No clouds," has issued a statement [eufy.com] in response to recent findings by security researchers and tech news sites. Eufy admits it could do better but also leaves some issues unaddressed.
In a thread titled "Re: Recent security claims against eufy Security," "eufy_official" writes to its "Security Customers and Partners." Eufy is "taking a new approach to home security," the company writes, designed to operate locally and "wherever possible" to avoid cloud servers. Video footage, facial recognition, and identity biometrics are managed on devices—"Not the cloud."
This reiteration comes after questions have been raised a few times in the past weeks about Eufy's cloud policies. A British security researcher found in late October that phone alerts sent from Eufy were stored on a cloud server, seemingly unencrypted [arstechnica.com], with face identification data included. Another firm at that time quickly summarized two years of findings on Eufy security [sec-consult.com], noting similar unencrypted file transfers.
At that time, Eufy acknowledged using cloud servers to store thumbnail images, and that it would improve its setup language so customers who wanted mobile alerts knew this. The company didn't address other claims from security analysts, including that live video streams could be accessed through VLC Media Player with the right URL, one whose encryption scheme could potentially be brute-forced.
One day later, tech site The Verge, working with a researcher, confirmed that a user not logged into a Eufy account could watch a camera's stream given the right URL [arstechnica.com]. Constructing that URL required a serial number (encoded in Base64), a Unix timestamp, a seemingly non-validated token, and a four-digit hex value.
Eufy said then it "adamantly disagrees with the accusations levied against the company concerning the security of our products." Last week, The Verge reported that the company notably changed many of its statements [theverge.com] and "promises" from its privacy policy page. Eufy's statement on its own forums [eufy.com] arrived last night.
Eufy states its security model has "never been attempted, and we expect challenges along the way," but that it remains committed to customers. The company acknowledges that "Several claims have been made" against its security, and the need for a response has frustrated customers. But, the company writes, it wanted to "gather all the facts before publicly addressing these claims."
The responses to those claims include Eufy noting that it uses Amazon Web Services to forward cloud notifications. The image is end-to-end encrypted and deleted shortly after sending, Eufy states, but the company intends to better notify users and adjust its marketing.
As to viewing live feeds, Eufy claims that "no user data has been exposed, and the potential security flaws discussed online are speculative." But Eufy adds it has disabled the viewing of livestreams when not logged into a Eufy portal.
Eufy states that the claim it is sending facial recognition data to the cloud is "not true." All identity processes are handled on local hardware, and users add recognized faces to their devices through either local network or peer-to-peer encrypted connections, Eufy claims. But Eufy notes that its Video Doorbell Dual previously used "our secure AWS server" to share that image to other cameras on a Eufy system; that feature has since been disabled.
The Verge, which had not received answers to further questions about Eufy's security practices after its findings, has some follow-up questions [theverge.com], and they're notable. They include why the company denied that viewing a remote stream was possible in the first place, its law enforcement request policies, and whether the company was really using "ZXSecurity17Cam@" as an encryption key.
Researcher Paul Moore, who raised some of the earliest questions about Eufy's practices, has yet to comment directly on Eufy since he posted on Twitter on November 28 [twitter.com] that he had "a lengthy discussion with (Eufy's) legal department." Moore has, in the meantime, taken to investigating other "local-only" video doorbell systems and found them notably non-local [twitter.com] [twitter.com]. One of them even seemed to copy Eufy's privacy policy [twitter.com], word for word.
"Thus far, it's safer to use a doorbell which tells you it's stored in the cloud—as the ones honest enough to tell you generally use solid crypto," Moore wrote about his efforts [twitter.com]. Some of Eufy's most enthusiastic, privacy-minded customers may find themselves agreeing.
eufy Admits That Its Cameras Have a “Security Flaw” [reviewgeek.com]:
After three weeks of silence, eufy finally acknowledges that its cameras have a “security flaw.” The company published a blog post [shop-links.co] explaining how it will increase the privacy, security, and transparency of its smart cameras. Still, eufy hasn’t apologized to customers or explained how camera streams were accessed in VLC.
Here’s a quick recap: eufy’s smart security cameras rely on a “base station” to store video locally. That design is meant to keep your footage off the cloud and out of reach of attackers. But security researchers found that eufy camera feeds could be opened in VLC, a free media player, by anyone holding the right stream URL. (As far as we know, this vulnerability hasn’t been exploited by attackers.)
Researchers also discovered that eufy cameras send some data to the cloud. Encrypted video thumbnails are dumped into AWS to serve mobile push notifications, for example. Customers don’t seem to care too much about these video thumbnails, but they’re frustrated by eufy’s lack of transparency on this matter.
Initially, eufy denied the existence [reviewgeek.com] of any vulnerabilities. It stopped responding to press inquiries related to this matter, and it quietly deleted several lines [reviewgeek.com] from its “Privacy Commitment” page.
But the company now admits that the “Live View feature on its Web-Portal feature has a security flaw.” It doesn’t explain this “flaw,” and it doesn’t mention VLC, but it claims that users can no longer access Web Portal livestreams outside of the Web Portal. The ability to share livestreams with other people has also been removed—you need to log into an account associated with a camera to view its live feed. (We’re still waiting for researchers to verify that this vulnerability is fixed.)
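Both articles describe the same underlying problem: a livestream URL built from a Base64 serial, a timestamp, an unvalidated token and a short hex value could be played by anyone who had it, logged in or not, and the fix was to require a logged-in account. The example below is an added illustration of what "binding a stream URL to an authenticated session" means in practice. It is not eufy's code or URL format, and every name in it (the `stream.example.invalid` host, the `sn`/`acct`/`exp`/`sig` parameters, the constructed camera serial and account id) is a hypothetical stand-in. The server signs the serial, the issuing account and an expiry with a key it never ships to clients, then refuses to serve the stream unless the signature checks out, the URL is unexpired, and the viewer's session is the account the URL was issued to.

```python
"""Added illustration (not eufy's code): a livestream URL that is useless
without both a valid server-side signature and the session it was issued to.
All hosts, parameter names, serials and account ids below are hypothetical."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical signing key: lives only on the server, never in firmware or the app.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample ownership table: which account may view which camera.
CAMERA_OWNERS = {"camera-serial-0001": "account-42"}

STREAM_HOST = "https://stream.example.invalid/live"  # hypothetical endpoint


def _encode_serial(serial: str) -> str:
    """URL-safe Base64 without padding; encoding is not secrecy, it is just transport."""
    return base64.urlsafe_b64encode(serial.encode()).decode().rstrip("=")


def _sign(serial_b64: str, account: str, expires: int) -> str:
    """HMAC-SHA256 over every field the server will later rely on."""
    msg = f"{serial_b64}|{account}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_stream_url(serial: str, account: str, now: int, ttl: int = 60) -> str:
    """Only a logged-in account that owns the camera gets a URL, and the URL
    carries an expiry plus a MAC binding it to that account."""
    if CAMERA_OWNERS.get(serial) != account:
        raise PermissionError("account does not own this camera")
    expires = now + ttl
    serial_b64 = _encode_serial(serial)
    query = urlencode({
        "sn": serial_b64,
        "acct": account,
        "exp": expires,
        "sig": _sign(serial_b64, account, expires),
    })
    return f"{STREAM_HOST}?{query}"


def authorize_stream(url: str, session_account: Optional[str], now: int) -> bool:
    """Server-side check run before any video is sent. Returns True only if the
    signature verifies, the URL is unexpired, and the caller's session matches
    the account the URL was issued to."""
    q = parse_qs(urlparse(url).query)
    try:
        sn, acct, exp, sig = q["sn"][0], q["acct"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > exp:
        return False
    # Constant-time compare; a forged or tampered URL fails here.
    if not hmac.compare_digest(sig, _sign(sn, acct, exp)):
        return False
    # Session binding: a copied URL does nothing for an anonymous viewer.
    return session_account == acct


def demo() -> Tuple[bool, bool, bool, bool]:
    """Owner with a live session succeeds; anonymous, expired and forged requests fail."""
    now = 1_670_000_000  # constructed fixed clock so the run is deterministic
    url = issue_stream_url("camera-serial-0001", "account-42", now)
    as_owner = authorize_stream(url, "account-42", now)
    anonymous = authorize_stream(url, None, now)
    expired = authorize_stream(url, "account-42", now + 3600)
    # A URL assembled only from the guessable parts (serial, time, made-up token).
    forged = STREAM_HOST + "?" + urlencode({
        "sn": _encode_serial("camera-serial-0001"),
        "acct": "account-42",
        "exp": now + 60,
        "sig": "0" * 64,
    })
    forged_ok = authorize_stream(forged, "account-42", now)
    return as_owner, anonymous, expired, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The point of the design is that none of the pieces an outsider can learn or guess (serial, clock, parameter layout) are sufficient: the MAC requires a key that only the server holds, and even a legitimately issued URL that leaks is refused when presented outside the session it was issued to.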
Additionally, eufy is taking steps to increase transparency. The eufy Security app now provides detailed explanations for its push notification settings, allowing users to see which settings require interaction with the cloud. The Video Doorbell Dual is also updated to prevent facial recognition data from traveling to the cloud (previously, this doorbell used the cloud to send a new face to your other eufy cameras).
Later this week, eufy will publish a revised security statement. We hope that this statement gives customers a better understanding of how their cameras work. Still, we’re dissatisfied by how eufy handled this incident. For this reason, Review Geek no longer recommends [reviewgeek.com] eufy’s smart security cameras.
Source: eufy [shop-links.co]