Skip to main content

Anker finally comes clean about its Eufy security cameras

Anker finally comes clean about its Eufy security cameras

/

Anker admits its always-encrypted cameras weren’t always encrypted — and promises to do better.

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

A wall-mounted camera with three floodlights spread out above its ball-shaped security camera below.
An Anker Eufy Floodlight camera.
Image: Eufy

First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn’t answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams — among other questions — we would publish a story about the company’s lack of answers.

It worked.

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

That’s not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it’s bringing in outside security and penetration testing companies to audit Eufy’s practices, is in talks with a “leading and well-known security expert” to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail.

Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It’s a little hard to take the company at its word!

But we also think Anker Eufy customers, security researchers and journalists deserve to read and weigh those words, particularly after so little initial communication from the company.

That’s why we’re publishing Anker’s full responses below.

General statement from Eric Villines, Anker’s global head of comms

Playing Live Videos in Third-Party Media Players

Today, there are two primary ways to view live streams of eufy Security cameras. One is to use the eufy Security App, and the other is to use our secure Web portal at eufy.com. 

Previously, after logging into our secure Web portal at eufy.com, a registered user could enter debug mode, use the Web browser’s DevTool to locate the live stream, and then play or share that link with someone else to play outside of our secure system. However, that would have been the user’s choice to share that link, and they would have needed to first log into the eufy Web portal to get this link.

Today, based on industry feedback and out of an abundance of caution, the eufy Security Web portal now prohibits users from entering debug mode, and the code has been hardened and obfuscated. In addition, the video stream content is encrypted, which means that these video streams can no longer be played on third-party media players such as VLC.

I should note, however, that only 0.1 percent of our current daily users use the secure Web portal feature at eufy.com. Most of our users use the eufy Security app to view live streams. Either way, the previous design of our Web portal had some issues, which have since been resolved. 

Concerning the PR representative who answered your question about using VLC, they conflated the question. This was a known issue, easily replicated and had been reported by the media. However, they thought you were asking if people other than the registered user could discover links on their own and then view them through a third-party media player like VLC. The dynamic naming convention of the video links was also addressed in the media coverage, so I can see how this may have confused them. But it was not the official answer from our product teams. The real answer to this question has been addressed above. 

Video End-to-End Encryption

Today, all videos (live and recorded) shared between the user’s device to the eufy Security Web portal or the eufy Security App utilize end-to-end encryption, which is implemented using AES and RSA algorithms.

Additionally, when a user uses the eufy Security App to access videos from their devices, the connection between the eufy Security App and the user’s device is end-to-end encrypted through a secure P2P service. 

Homebase3 and eufyCam3/3C devices released in October 2022 use WebRTC for end-to-end encrypted communication when using the Web portal to access live streams in a browser. And we are rolling out WebRTC to ALL eufy Security devices right now.

I should also note if a user selects to use eufy Security’s optional cloud storage add-on, this operation is end-to-end encrypted. In addition, maintenance of our cloud server complies with the requirements of ISO27701 and ISO27001 standards. We are also audited by external third-party regulators every year. 

Consumer Privacy

When using local storage, eufy Security cannot access our users’ video recordings. All video data is encrypted and stored on the device itself and can only be accessed or shared by the user.  Furthermore, eufy Security has no access to the user’s biometric details such as fingerprints or facial recognition data created by the users’ local devices. All these processes are also done and stored locally.

User Image Added To The Cloud

Previously, we had one device, the Video Doorbell Dual, that sent and stored an image of the user to our secure cloud. There is a lot of speculation and misinformation on this, so let me explain how this seemingly incongruent process came about. 

First, the purpose of sending a user image from the eufy App to our devices is to give the local facial recognition software a baseline to run its algorithm. All facial recognition processes are and have always been done locally on the user’s device. In the case of our Video Doorbell Dual, a copy of that set-up image was stored using end-to-end encryption on our secure cloud. The reason for this, was in case the user decided to replace the Video Doorbell Dual or add an additional Video Doorbell Dual to their eufy Security system, the system would pull the existing image from the cloud during setup, rather than making the user take a new image. 

Again, this process was not in line with our “local” mission and has been removed. Today, like all other devices in the eufy Security lineup, our Video Doorbell Dual relies on local-only storage of user images and video data. Not the cloud.

It’s important to note, that no user or facial recognition data has ever been included with the images that were sent to the cloud.

Specific answers, also from Eric Villines, Anker’s global head of comms

Why do your supposedly end-to-end encrypted cameras produce unencrypted streams at all? 

Since the very beginning, eufy Security was designed to allow users to stream live and recorded footage from their devices to their eufy Security mobile app. These streams have always used end-to-end encryption. And that encryption has always been done locally either directly on the camera or on a eufy HomeBase device.

The eufy Web portal was created for users to manage their account details and add optional services such as service plans and cloud storage. After receiving requests from some users, the product team decided to add a live view function to the Web portal so users could extend their security monitoring to their desktops. The Web portal was designed to require the user to login, but it was not designed using end-to-end encryption. 

Today, less than 0.1 percent of our active users utilize the live streaming feature on the Web portal; however, it is very clear to all of us that encryption protocols should have been designed into this solution from the very beginning. This has been addressed, and today all the live streams from the user’s devices to the Web portal now use end-to-end encryption.

Furthermore, all devices will now use WebRTC to bring end-to-end encrypted communication when using the Web portal to access live streams in a browser. This is already available on our new HomeBase 3 and eufyCam 3 series. We began rolling out firmware updates to all other devices last week.

With the recent issues, there has been a lot of internal discussions on how our teams develop and launch new features. Several new protocols and procedures have been put in place to make sure that all data flowing from the user’s devices to the eufy Security App or Web portal must utilize end-to-end encryption. 

If the cameras have always been encrypting footage locally, as you say, how did they suddenly have unencrypted footage to send to your web portal?  

First, video triggered by the security system’s normal processes (motion, someone ringing the doorbell, etc.), is always recorded, stored, and encrypted locally. 

Live video is not recorded. Therefore, the point-to-point encryption process only happens when the eufy Security system receives a request from the user to begin live streaming.

The P2P process then begins, waking up the camera, encoding the live video in real-time using a dynamic key, and then decoding that video on the other side using a dynamic key.

The eufy Security app supports both live and recorded video streaming and has always used P2P encryption. This is used by 99.9 percent of our users and is the primary method to view live and recorded videos.

But point-to-point encryption requires processes to be set up on both ends, and the P2P processes and requirements are very different for the eufy device to the eufy Mobile app than the eufy device to the eufy Web portal (browser),

That said, the Web portal previously was not designed to support P2P encryption for viewing live streams. This was protected through a user login to the Web portal.

This wasn’t enough, and it’s been fixed.

Furthermore, we are also upgrading the Web portal live encryption process to WebRTC. This is currently being pushed to all devices as an OTA firmware update.

Is it true that “ZXSecurity17Cam@” is an actual encryption key? If not, why did that appear in your code labeled as an encryption key and appear in a GitHub repo from 2019?

No. All our video streams are encrypted with a dynamic key instead of a fixed key. The “ZXSecurity17Cam@” was a setting parameter for developing and testing in a very old software version, which was abandoned years ago. We have removed this code to alleviate any misunderstanding.

Beyond potentially tapping into an unencrypted stream, are there any other things that Eufy’s servers can remotely tell a camera to do? 

No. The only way to manage local device features such as locking and unlocking a door, turning on floodlights, etc, is through the user’s eufy Security app.

Do Eufy cameras locally and natively encrypt live video as it is recorded and streamed, or do they only encrypt the subsequent recordings / files?

When a user accesses a live stream from one of their cameras, this video footage isn’t being recorded. It is simply being live streamed directly from the user’s device to their eufy Security App or to eufy’s secure Web portal. Today, this is all done using end-to-end encryption.

Additionally, every eufy Security camera records, stores, and encrypts videos locally – either directly on the camera or on a HomeBase device. This has always been the case since our first eufyCam was launched.

Which P2P service is used to end-to-end encrypt connections between the eufy app and a user’s device?

We use a patented, third-party P2P technology, heavily optimized for eufy Security’s products.

Do any other parts of Eufy’s service rely on unencrypted streams, such as Eufy’s desktop web portal?  

No. Outside of the recent issue with the Web portal, which has been addressed, all our video streaming processes (both live and recorded) are designed to use end-to-end encryption.

Are there any Eufy camera models that do not transmit unencrypted streams?  

I am not sure I understand this question. But as noted above ALL cameras when sending live or recorded video feeds to either the eufy Security app or eufy Web portal use end-to-end encryption.

Will Eufy completely disable the transmission of unencrypted streams? When? If not, why not?  

Answered above. Outside of the recent issue with the Web portal, which has been addressed, all our video streaming processes (both live and recorded) are designed to use end-to-end encryption. 

Beyond the thumbnails and the unencrypted streams, are there any other private data or identifying elements that Eufy’s cameras allow access to via the cloud?

eufy Security devices do not share videos, user images or biometric details (fingerprints, facial recognition details) with the cloud. All of this is processed, stored, and encrypted locally on the user’s device. 

There are several normal processes that require the use of the cloud such as account setup, push notifications, initial device setup, device OTA, etc. We will be launching a microsite soon with infographics to better explain all our key processes - and which are done locally, and which require the use of the cloud.

Eufy says it cannot access users’ video recordings. What about livestreams from its cameras?

eufy Security has no access to the user’s live streams or recorded videos.

Does Eufy share other information with law enforcement beyond recordings, such as access to a user’s account and / or their livestreams? 

eufy doesn’t have access to the user’s live video streams or locally stored videos. It would be up to the user to share these details with law enforcement officials. 

eufy Security’s mission is to protect, not just our customer’s property, but also their privacy. And we believe the best way to protect our customers ‘ privacy is to make sure these details are kept in their possession and in their control.

Has Anker retained any independent security firms to conduct an audit of its practices following these disclosures?

First, there have been no data leaks, nor did we violate GDPR or other data protection laws.

However, security is an ever-evolving field, and we want to ensure that we do everything in our power to protect our consumers’ privacy. To that end, we are actively working on several different strategies:

In addition to what we already have in place, we will be bringing on several new security consulting, certification, and penetration testing companies shortly to conduct a comprehensive security risk assessment of our products and eliminate potential risks.

We are also in discussions with a leading and well-known security expert so that they can produce an independent report about our current security and privacy systems and practices.

We are setting up a “eufy Security bounty program” to create a better and more collaborative system for security researchers to help us discover any vulnerabilities in our eufy Security system. 

We have officially engaged PWC and TrustARC to conduct a comprehensive security assessment of our products. This is exciting, and we will provide more details on this when they become available.

Lastly, at the beginning of next month, we will launch a microsite to better explain how our processes work, to provide clearer explanations on which are done locally, and which currently require the use of our secure cloud.

We promise to provide more timely updates in our community (and to the media!) to keep consumers better informed on any updates to these strategies.

Which security consultants and experts are signing on, assuming some of those deals have been signed yet?

We are still in negotiations and will provide these details very soon.

When does Eufy intend to launch the bounty program?

We are still in chats with several outside vendors and will provide details soon. This is a major priority for us as we want to create a more formal process to encourage industry feedback and collaboration.

Will Anker be offering refunds to those customers who bought cameras based on Eufy’s privacy commitment? 

We handle all our customer service in-house, and those teams are well trained to approach every issue on a case-by-case basis. Obviously, we will do whatever is in our power to make things right and keep our customers happy.

To be clear, Anker / Eufy is not apologizing for transmitting unencrypted streams?

In my opinion, I believe we’ve begun to acknowledge the issues and promised to do better. However, an apology should come with more details on what happened and the corrective steps we’ve done to make sure this doesn’t happen again.

Over the last several weeks, the team has been working to fix issues, improve our internal processes and bring in more independent oversight.

We will be issuing an update to the our users in early February, to discuss many of the things we’ve touched on in this email exchange; provide some updates on the other larger scale initiatives we will be doing; and also launch our new micro-site to better explain which processes are done locally, and which are done in the cloud. 

At that time, and with all this details laid out more transparently, we can provide a more thoughtful apology. And an apology that is better backed up by a real plan.

In addition to these answers, Anker claims that it didn’t intentionally delete those privacy promises from its website:

Regarding our privacy policy, while we were working to re-write this a few weeks ago and be clearer about which processes used the cloud and which did not, someone jumped the gun and pushed a redacted version. I can assure you this wasn’t done for any nefarious reasons, but simply a series of unfortunate events that ultimately compounded our entire communication processes. 

Eufy actually updated and strengthened that privacy commitment page again since our original story, though it still isn’t worded quite as strongly as the original version.