In a wave of blistering scrutiny, researchers and journalists have both accused security camera makers at Eufy of lying to users that their video streams were end-to-end encrypted, even though users were easily able to access the streams using simple browser tools and a desktop media player.
After over two months of back and forth, Eufy and Anker, the device maker’s parent company, fully admitted to The Verge on Tuesday that its Eufy security cameras had indeed been sending non end-to-end encrypted video streams to Eufy’s web portal.
The original security issue was first noticed by security researcher Paul Moore, who noticed Eufy cameras were streaming recorded video to a cloud server on the site’s web portal, even though cloud storage wasn’t enabled. That data sent to the cloud remained unencrypted, and users could use web browser devtools to play back those clips on many simple desktop media players like VLC.
It was a bad look, especially since Eufy’s biggest claim to fame was its privacy protections, that its video was supposed to be stored locally, and any footage sent to devices like a users’ phone or the web portal are supposed to get there using end-to-end encryption.
Gizmodo has reached out to Eufy for comment and a full statement, though The Verge has included a full list of answers to its media request in its report.
Eric Villines, Eufy’s global head of communications, said live video was previously only encrypted when the security system received a user request to live stream video. The web portal used by the company previously “was not designed to support P2P encryption for viewing live streams.” Instead, the only protection was a user login.
“This wasn’t enough, and it’s been fixed,” Villines wrote. The company rep also said that the web portal now prohibits users from entering debug mode, and the code has been “hardened and obfuscated.” The video stream content is now supposedly encrypted as well.
Anker told The Verge that Eufy has already updated its site so that every video stream request is end-to-end encrypted. In addition, Anker said it would start employing WebRTC, an open source streaming protocol which is natively encrypted, for its cameras whenever they send information. The company said it will continue using a third-party P2P model to encrypt data between the Eufy app and users’ devices.
Still, Anker tried to minimise just how deep its security hole was. In the full statement shown by The Verge, the company said “there have been no data leaks, nor did we violate GDPR or other data protection laws.” The company reiterated it does not have access to users’ live streams or videos, and if any law enforcement requests access to that video, it would have to go through the individual user.
It’s still TBD whether all these changes will actually fix the problem of video possibly being viewed on the site in a non-encrypted manner. Anker promised it would create a website dedicated to showing how its encryption process works. The company is bringing in auditors PricewaterhouseCoopers and TrustARC to audit its security. It also said it is in talks with an outside “security expert” auditor to look at Eufy’s security, according to the full statement shown in The Verge’s report.