We adamantly disagree with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions.
How can you disagree? You have already made changes to the wording in the app and to your marketing materials. It was clearly shown by a user the data being unencrypted. And how about being able to play the feed over VLC?
Sites are removing Eufy from their recommended cameras lists very publicly, which would not happen without some plausible reason (Gizmodo was able to reproduce the unencrypted uploads).
This response seems tone-deaf and really lowers my trust in my Eufy products and does nothing to address the concerns that you say you are aware users have.
This is disheartening.
I’m an engineer and own multiple eufy security products. I tested the problem reported by the media in these two days and did not reproduce the problems. Has anyone tested it? How is it going?
So I was basically livestreaming videos from my bedroom for 2 years? People get paid for this shit… I should be a millionaire by now…
That statement contradicts your other statement. Eufy Security Statement to Our Community
You disagree with the accusations, but that does not make them any less true. No different than you guys using HotJar to capture keystrokes on all of your websites. Last time I checked, that is not something that was covered under GDPR or anything else without giving consent (and not the “click here to accept cookies”; GDPR states consent must be specific for a purpose, so consent e.g. for ad personalization cannot be bundled together with consent for keystroke/mouse logging), which we obviously know is not the case when it comes to Eufy. So who is to say that you are actually deleting the data, never using it for purposes other than those stated, or really anything at this point?
I too own multiple security products and purchased these cameras for two reasons: (1) so I don’t have a monthly payment and (2) so my stuff isn’t stored unencrypted in the cloud. Based off your customer support engineer’s response that photos are deleted/locked within 24 hours of being logged on, I can confirm that’s not true. I’m still able to look at my video feeds and thumbnails without logging in so long as I have the right URL.
That’s not good enough, Eufy. Shame on you.
Why are two threads started?
Eufyofficial then Eufyofficial2? Will there be 3 and 4?
I suggest, instead of defending, provide proof the problem found is not real or Eufy has blocked the privacy leak hole.
Can Eufy do it? Of course, Eufy can block these privacy leaks.
So then, when will you address the issue that the recordings become inaccessible on the “always secure” Homebase when someone pushes a button on the camera for 10 seconds?
This is a security flaw as well and has been communicated to Eufy more than 1 year ago.
Please respond to this!
And please don’t say this is as designed. As the recordings on the camera are mine, no one should be able to delete them without MY consent.
If you want to have such reset functionality it is totally fine, but there needs to be an approval via the app then, like press the sync button for 10 seconds, a meaningful approval request is sent to the app, and then - only if approved - the data can be removed. But if declined the recordings stay accessible for the Homebase OWNER.
Can we return our Homebases and other products?
Because security researchers whose findings are verified by multiple tech outlets are not “credible”? And then you go on to say you comply with laws, but even if you aren’t doing anything strictly illegal, it can still be something contrary to how you market your product to privacy- and security-minded individuals who want a local, secure, and private system, and whom YOU put under the impression they had that with a physical Homebase that is supposed to perform tasks locally and be a secure hub for the cameras and app. Now we have two things outside that “secure”, local ecosystem: your servers, and any rando with VLC and a handful of information not terribly hard to obtain, because the verification token system for streams apparently does not function (publications were entering literally any text they wanted and still were able to stream).
Anker lied. It’s that simple. They can put their BS PR spin on this all they want. It won’t change reality.
Not only are there security issues, with three PoCs available in this article (Eufy cameras caught sending local footage to cloud by Paul Moore, TheVerge, and AndroidCentral), but there is also the behavior of the Eufy company trying to hide the problem, sweep everything under the rug, and poorly handling the problem.
Unfortunately for you, the security issue coming from Eufy camera has spread and was relayed on several websites on the internet.
Looking at the timeline, Eufy made the news and not in a good way:
5/19/2021 - https://www.cnet.com/home/security/eufy-says-software-bug-that-exposed-users-video-footage-to-strangers-has-been-fixed/
6/16/2022 - Anker Eufy smart home hubs exposed to RCE attacks by critical flaw
11/29/2022 - Eufy cameras caught sending local footage to cloud
IMHO, like Lastpass, this is a structural issue and Eufy cannot be trusted. I need to find another company and delete my account.
Encryption is not the biggest issue in this context, it’s the fact that the endpoint to watch your video is unauthenticated and procedurally generated. This is the same nonsense that basically all camera manufacturers have been pulling for the last decade with UDP hole-punching and P2P, though we thought Eufy was different.
In terms of controls:
- In-flight encryption - The risk of this is fairly benign for a non-targeted individual. If you live in a western country with a reasonable legal system, you are probably ok.
  - Camera → WiFi AP - Yes
  - WiFi AP → AWS - Presumably not
  - AWS → User - No
- At-rest encryption
  - Based on the statements I believe that they are using AWS SSE. This is a security feature enabled by default at the service layer, which allows an authenticated user or service access to the contents. Frankly, in terms of risk mitigation - while essential - it defends against people pulling hard disks and inspecting their data, which is fairly low likelihood given Amazon’s rather robust destruction procedure.
- Authentication to view stream - None; relies on the obscurity of the device IDs, which are not private (I believe they are printed on the device body). If I’m not mistaken these can also be enumerated; a double foul.
- Authorization - Given it’s view-only, not much to talk about here. I would expect that Eufy does a reasonable job of controlling access to the bits that control panning/tilting/etc.
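The post above contrasts a stream endpoint whose path is a pure function of a public, enumerable device ID with one that is actually authenticated. The following is an added illustration (my own example, not code from the forum post or from Eufy) of the difference in the form of a server-issued, expiring, HMAC-signed stream URL. Everything in it is hypothetical: the `/stream/<id>/live` path layout, the query parameter names, the secret, and the constructed device and account IDs are assumptions for demonstration. It checks three things the post says were missing: the URL must carry a token the server minted, the token must not be expired, and the account named in the token must still be authorized for that device, so sharing can be revoked.

```python
import hmac
import hashlib
import secrets
import time
from typing import Dict, Optional, Set
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical server-side signing secret. In a real service this comes from a
# managed secret store; it is never derivable from anything printed on the device.
SERVER_SECRET = secrets.token_bytes(32)


def predictable_stream_path(device_id: str) -> str:
    """The weak pattern the post describes: the path depends only on a
    non-secret identifier, so anyone who can read or enumerate device IDs
    can construct it. Shown here for contrast, not as something to deploy."""
    return f"/stream/{device_id}/live"


def _mac(device_id: str, account_id: str, expires: int, secret: bytes) -> str:
    # Bind the token to device, account and expiry so none of them can be swapped.
    msg = f"{device_id}|{account_id}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_stream_url(device_id: str, account_id: str, ttl_seconds: int = 60,
                     now: Optional[int] = None, secret: bytes = SERVER_SECRET) -> str:
    """Mint a short-lived stream URL. Assumed to be called only after the caller
    has authenticated as account_id and been checked as an owner/sharee of device_id."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"acct": account_id, "exp": expires,
                       "sig": _mac(device_id, account_id, expires, secret)})
    return f"{predictable_stream_path(device_id)}?{query}"


def verify_stream_url(url: str, authorized: Dict[str, Set[str]],
                      now: Optional[int] = None, secret: bytes = SERVER_SECRET) -> bool:
    """Server-side gate in front of the stream: signature valid, not expired,
    and the account in the token is still authorized for this device."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "stream" or parts[2] != "live":
        return False
    device_id = parts[1]
    q = parse_qs(parsed.query)
    try:
        account_id = q["acct"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False          # bare path or malformed token: no access
    if now >= expires:
        return False          # expired token
    expected = _mac(device_id, account_id, expires, secret)
    if not hmac.compare_digest(expected, sig):
        return False          # forged, tampered or "any text" token
    # Authorization is re-checked at view time, so revoking a share takes effect
    # even for tokens issued earlier.
    return account_id in authorized.get(device_id, set())


if __name__ == "__main__":
    # Constructed sample data: one camera shared with one account.
    acl = {"CAM-0001": {"alice"}}
    t0 = 1_700_000_000
    good = issue_stream_url("CAM-0001", "alice", ttl_seconds=60, now=t0)
    print("issued:", verify_stream_url(good, acl, now=t0))
    print("bare path:", verify_stream_url(predictable_stream_path("CAM-0001"), acl, now=t0))
    print("expired:", verify_stream_url(good, acl, now=t0 + 61))
```

The point of the contrast is that knowing a device ID (printed on the body, or enumerated) gives an attacker nothing without the server's signature, and a token that leaks has a lifetime of seconds rather than the lifetime of the device.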
Eufy if your security position is as robust as you state, I do not understand why you have chosen to remain silent on all specific elements of the claims.
Of particular concern is the unauthenticated RTSP feed, which you have not responded to.
Shared facial recognition across accounts has also come up.
If you wish to engender trust within the community it is incumbent on you to explain to the community how we ended up here, not for users to individually ferret out via support tickets. Your response saying that you disagree with the findings while also saying you’ve changed your wording are somewhat at odds.
Releasing a blog article with simplified solution architecture diagrams and design decisions explaining where the misunderstanding lies - given your claim that your security position is significantly different than presented by the researcher - is how you get your credibility back, rather than going on the attack saying that the researcher is non-credible. Based on the dumping of sponsorships/recommendations, it’s clear that you have lost the trust of the user base.
Class action, class action, class action. You’re through.