Read what Anker’s customer support is telling worried Eufy camera owners

Anker’s Eufy PR team still has not answered any questions, but its customer support agents have a prepared, if unsatisfying, statement.

A Eufy camera covered in snow.
Image: Eufy

At this point, there’s zero chance I would buy a Eufy security camera for my own home. But if you already own some or if you’re on the fence, you might want to hear what the company has to say for itself.

While Eufy just nerfed its privacy promises rather than answering our questions about how we were able to play live footage from an end-to-end encrypted camera through VLC Media Player, the company’s customer support team does have a prepared statement, even if its PR department does not.

Unfortunately, only a tiny portion of the statement addresses that particular issue — but it does seem to tacitly admit Anker did not properly secure its Eufy web portal. And while it does also hint at some sort of fix, it’s not clear we’ll be anywhere near the company’s original promise of local-only, end-to-end encrypted cameras. (Besides, why would they delete those promises if they planned to honor them?)

Here’s the full statement so you can read for yourself:

eufy Security is designed as a local home security system. eufy records and stores videos locally when motion is detected by your device. If you subscribe to our cloud storage service, your videos are securely stored in the cloud and can be deleted at any time. Your videos will be permanently deleted from our servers according to the storage period on your plan.

To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.

Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.

That lack of communication was an oversight on our part and we sincerely apologize for our error.

This is how we plan to improve our communication in this matter:

- We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

- We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.

And for the video that can be shared by a URL link and opened by a 3rd party player, please have our reply as follows:

Today, around 1% of our total users access their account via our web portal. As per our design, prior to accessing any information, users have to log into their accounts. The URL links can only be obtained and shared by users themselves and will only be valid temporarily. It will be a personal activity if you obtain your own URL and share it with other people. Even so, we want to assure everyone that we have improved this point - even after users obtain the URL link by logging into their accounts, it cannot be played via a third party player or shared with others to play. Moreover, we’ve closed the port of browser developer mode, to avoid a similar process as Paul Moore demonstrated in his video.

Regarding our explanations above, we also recommend that you test these details from your side; then you can find out the real truth.

eufy Security is committed to the privacy and protection of our users’ data and appreciates the security research community reaching out to us to bring this to our attention.

We also received a shorter, more pointed version of the statement from one reader, which makes it sound like end-to-end encryption was only ever a thing if you were accessing your cameras from a phone:

Eufy Security is a local home security system designed to store video footage locally and encrypt it on the user’s device. End-to-end encryption is used in the eufy Security app to ensure all private data is accessible only to its owner on the phone. Today, around 1% of our total users access their accounts via our web portal. As per our design, prior to accessing any information, users MUST log in successfully with their own account and password. The URL links can only be obtained and shared by users themselves and will only be valid temporarily. It will be a personal activity if you obtain your own URL and share it with other people. Even so, we want to assure everyone that we have improved this point - even after users obtain the URL link by logging into their accounts, it cannot be played via a third-party player or shared with others to play.

eufy Security is committed to the privacy and protection of our users’ data and appreciates the security research community reaching out to us to bring this to our attention.

We can confirm that Anker has made some changes to the web portal, and we weren’t able to use the exact same method to get a stream URL. Also — though we haven’t confirmed this ourselves — the anonymous hacker who originally showed us the technique says that Anker now uses m3u streams instead of RTMP ones and has added 12 bits of randomness to the end of the streams to make them far harder to guess as well. When Anker says “we have improved this point,” that might actually be true.

But for many, the questions aren’t “did Anker fix the hole” but rather “why did this happen at all when Anker said these cameras were exclusively local and end-to-end encrypted?” and “why did it first lie and then delete those promises when we asked those questions?” It’s hard to trust a company that reacts this way.

Remember, this is the company that just deleted the phrase: “Here at eufy, we’re not just all talk and no action.”

That about sums it up.