Anker Confirms Eufy Cameras Not Fully Encrypted, Raising Concerns
Anker has finally admitted that its Eufy security cameras were not using end-to-end encryption to protect users' data. Here's what led to the confession.
Security researchers discover flaws in Eufy cameras
The issue surfaced in late November 2022, when two security researchers, Paul Moore and Wasabi, revealed that they had been able to watch the stream from Eufy cameras in the VLC media player. How was that possible? Because the cameras were connecting to Eufy's cloud servers without any encryption whatsoever.
Image credits: Eufy, The Verge
One of the researchers also found that the cameras were uploading every face they saw to Eufy's servers, together with names/usernames, on servers that were publicly accessible, and that this happened without explicit permission from the user. It gets worse: they were also able to unearth the AES key (the encryption key) for the videos, which was simply ZXSecurity17Cam@. The researcher made a video showing how they could still access data in the cloud even after deleting their user account.
Note: The encryption key has since been changed.
When confronted by The Verge, an Anker representative denied that this was possible. The site didn't let the issue die: it followed up with further tests and confirmed that it could access the live feed from its own Eufy cameras through VLC. This is a huge privacy issue, and it probably infringes several laws.
The testers obtained the stream's feed, i.e. the URL, by logging into their account on Eufy's website. The problem with this web address was that it was based on the camera's serial number, merely encoded in Base64, so anyone who knew the serial number could reproduce it. So if you threw your camera's box packaging away, yes, someone could have that information. The URL also contained a Unix timestamp and a token, both of which could be spoofed, and a 4-digit hexadecimal value.
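To make the weakness concrete, here is an added example (not Eufy's code, nor the researchers' or The Verge's): a model of an address built from a Base64-encoded serial number, which anyone can decode, beside a server-signed, expiring address that cannot be forged or extended without the server's secret. The path layout, the sample serial and the secret are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample serial for illustration; not a real device serial.
SAMPLE_SERIAL = "T8210P00123456AB"

# Hypothetical server-side secret; a real service would keep this in a KMS/HSM.
SERVER_SECRET = secrets.token_bytes(32)


def weak_stream_path(serial: str, ts: int, token: str, hex4: str) -> str:
    """Model of the address described above. Base64 is encoding, not
    encryption: the serial is recoverable by anyone who sees the path, and
    anyone who knows the serial can rebuild that part of the address."""
    enc = base64.urlsafe_b64encode(serial.encode()).decode()
    return f"/stream/{enc}/{ts}/{token}/{hex4}"


def serial_from_weak_path(path: str) -> str:
    """Recover the serial from a weak path: no key or account is needed."""
    return base64.urlsafe_b64decode(path.split("/")[2]).decode()


def signed_stream_path(device_id: str, expires: int, key: bytes = SERVER_SECRET) -> str:
    """Hardened form: the server binds the device id and expiry together with
    an HMAC under a secret only it holds. The id carries no secrecy at all;
    the tag is what stops anyone from minting or extending an address."""
    msg = f"{device_id}|{expires}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"/stream/{device_id}/{expires}/{tag}"


def verify_signed_path(path: str, now: int, key: bytes = SERVER_SECRET) -> bool:
    """Server-side check: reject malformed, expired or tampered addresses,
    comparing the tag in constant time."""
    try:
        _, _, device_id, expires_s, tag = path.split("/")
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = hmac.new(key, f"{device_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)
```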
Anker's marketing and privacy policy stated that the cameras store data locally, that it never leaves your home, and that it is only accessible by the user. However, after the matter attracted negative attention from blogs, the company backtracked on its privacy promises and deleted some statements from its privacy policy.
Later, Eufy's support team answered queries raised by The Verge, telling them that the cameras record and store videos locally when the device's motion sensor detects movement; in other words, it more or less says that there is no continuous live feed.
Note: One of The Verge's articles about this issue mentions that while they were able to access the feed directly via the URL, the issue seemed to have been partially addressed, as they could only view the video after pressing a button on the camera.
Anker admits its Eufy security cameras were not end-to-end encrypted
The email from the company also says that videos are stored on the company's cloud servers according to the customer's storage plan. In order to alert users about motion-detection events, the cameras create thumbnail previews and upload them to the cloud (an AWS server), where the images are encrypted on the server side. This is the first acknowledgement that the data is not end-to-end encrypted. These previews are sent to the user's mobile devices to notify them about the event.
The statement also explains that the Eufy Security app lets the user choose between text-based notifications and thumbnails, and that choosing the latter requires the images to be uploaded to the cloud. This wasn't made clear in the app, so that's an error on the company's part. This issue was fixed, along with the URL method that the testers had used earlier. More importantly, the end-to-end encryption only applied when accessing the stream through Eufy's mobile app, and not via other methods such as browsers or VLC.
Eufy later stated that user data had not been exposed, i.e., that these issues had not been exploited by hackers. In a new statement released today, Eufy has finally come clean: it has admitted that its security cameras are not end-to-end encrypted, and that the video streams available via Eufy's website were unencrypted.
The issue has been fixed, and all video streams from the site are now end-to-end encrypted. Eufy is also updating its cameras to use the WebRTC protocol for encrypting the data, and is working with a security expert to conduct a security audit and publish an independent report.
You may want to check your home security camera or doorbell to make sure it is secure and uses end-to-end encryption for media stored in the cloud, or better yet, see whether it can be used offline.
Who buys Chinese equipment and actually expects privacy????
LOL. Exactly!
Our cameras are hard wired to a DVR on the local network.
Sure they were more trouble to install but we are talking about security right?
Security is neither easy nor convenient.
Companies hate when this happens. Rest assured that 99% of all similar companies' products lie to you as well. The funniest one being WhatsApp encrypted messages. Yeah, the very second you are under suspicion of any crime, law enforcement has access to every damn message you ever sent via WhatsApp =) Now do you really think Facebook can’t read your WhatsApp messages.. Really..? They of course won’t tell you this because they need you to keep using WhatsApp, for spying on you, ratting you out and to sell your data. WhatsApp users are sheep. Blind, dumb sheep.
I absolutely agree
It’s very difficult to have privacy these days. Thanks @Ashwin for the article! :]