On the last episode of “Will Anker ever tell us what’s actually going on with its security cameras rather than lying and covering its tracks,” we told you how Eufy’s customer support team is now quietly providing some of the answers to the questions that the company had publicly ignored about its smart home camera security.
Now, Anker is finally taking a stab at a public explanation, in a new blog post titled “To our eufy Security Customers and Partners.” Unfortunately, it contains no apology, and doesn’t begin to address why anyone would be able to view an unencrypted stream in VLC Media Player on the other side of the country, from a supposedly always-local, always-end-to-end-encrypted camera.
What it does contain is a clear admission: “eufy Security’s Live View Feature on its Web-Portal Feature Has a Security Flaw,” the company admits in bold letters.
But this is all Anker has to say about that very suspicious issue:
eufy Security’s Live View Feature on its Web-Portal Feature Has a Security Flaw
First, no user data has been exposed, and the potential security flaws discussed online are speculative. However, we do agree there were some key areas for improvement. So we have made the following changes.
Today, users can still log in to our eufy.com Web portal to view live streams of their cameras. However, users can no longer view live streams (or share active links to these live streams with others) outside of eufy’s secure Web portal. Anyone wishing to view these links must first log in to the eufy.com Web portal.
We will continue to look for ways to enhance this feature.
While stopping short of an apology, the company does acknowledge that “we know the need for more straightforward and timely communications on these issues has frustrated many customers,” and says it has stayed silent because it’s “been using the last few weeks to research these possible threats and gather all the facts before publicly addressing these claims.”
“Moving forward, we will need to better balance our need to get ‘all the facts’ with our obligation to keep our customers more quickly informed,” promises Anker.
The post also addresses some other concerns that security researchers have raised, like how Eufy was uploading thumbnails from its cameras, including pictures of faces, to the cloud without making users aware, so that it can deliver push notifications. Anker says those images are protected with end-to-end encryption, and reiterates that it’s now making customers aware that they have a choice of local or cloud push notifications in an updated version of its app. Good!
Here is a list of questions that still need to be answered. I’m sending them to Anker/Eufy today:
Why do your supposedly end-to-end encrypted cameras produce unencrypted streams at all?
Under what circumstances is video actually encrypted?
Do any other parts of Eufy’s service rely on unencrypted streams, such as Eufy’s desktop web portal?
How long is an unencrypted stream accessible?
Are there any Eufy camera models that do *not* transmit unencrypted streams?
Will Eufy completely disable the transmission of unencrypted streams? When? How? If not, why not?
If not, will Eufy disclose to its customers that their streams are not actually always end to end encrypted? When and where?
Has Eufy changed the stream URLs to something more difficult to reverse engineer? If not, will Eufy do so? When?
Are unencrypted streams still accessible when cameras use HomeKit Secure Video?
Is it true that “ZXSecurity17Cam@” is an actual encryption key? If not, why did that appear in your code labeled as an encryption key and appear in a GitHub repo from 2019?
Beyond the thumbnails and the unencrypted streams, are there any other private data or identifying elements that Eufy’s cameras allow access to via the cloud?
Beyond potentially tapping into an unencrypted stream, are there any other things that Eufy’s servers can remotely tell a camera to do?
What keeps Eufy and Anker employees from tapping into these streams?
Which other specific measures will Eufy take to address its security and reassure customers?
Has Anker retained any independent security firms to conduct an audit of its practices following these disclosures? Which?
Will Anker be offering refunds to those customers who bought cameras based on Eufy’s privacy commitment?
Why did Anker tell The Verge that it was not possible to view the unencrypted stream in an app like VLC?
We will provide the company’s responses — or lack of responses — in a future story.