In November, security researcher Paul Moore highlighted that Eufy cameras were uploading data even when cloud upload settings were disabled. However, an even more concerning finding was that camera streams could be watched live through external video players.
Anker promoted local storage and end-to-end encryption as core features of its security cameras. Several publications tried to get an official answer from Anker about whether that’s actually the case, but received only vague or misleading responses at best.
After threatening to publish an article regarding Anker’s lack of proper communication over the issue, The Verge managed to get a definitive answer: Anker’s cameras weren’t end-to-end encrypted.
“Previously, after logging into our secure Web portal at eufy.com, a registered user could enter debug mode, use the Web browser’s DevTool to locate the live stream, and then play or share that link with someone else to play outside of our secure system,” wrote Eric Villines, Global Head of Communications at Anker.
Anker says the issue is now fixed and that every video stream request from Eufy’s web portal is now end-to-end encrypted. Furthermore, it’s updating every Eufy camera to use WebRTC (which is fully encrypted by default).
The company acknowledged that it handled the situation poorly and says it will do better going forward.
Some of the steps that Anker says it is taking include:
- Launching a bounty program to reward security researchers that help Anker discover vulnerabilities
- Bringing in new security consulting, certification, and penetration testing companies to help eliminate potential risks
- Posting security audits from reputable firms like PwC and TrustARC
- Launching a microsite to better explain how Anker devices work, which functions are done locally, and which require the use of its cloud service
- Providing more timely updates about changes to its strategies and policies
Anker says an official response to the security issues originally reported will be sent to users in early February.
“At that time, and with all these details laid out more transparently, we can provide a more thoughtful apology. And an apology that is better backed up by a real plan,” says Villines.
While it was a long time coming, Anker’s response is fairly comprehensive—so long as it keeps to its promises.
(Image Credit: Eufy)