Eufy acknowledges that not all camera streams were encrypted and promises to get better
Anker brand eufy acknowledges that streams from eufy cameras to eufy’s Web portal were not end-to-end encrypted, even though the company claimed months ago that they were. According to the company, these streams are now encrypted.
At the end of last year, the live stream from a eufy camera to the Web portal, which lets users view streams in a web browser, turned out to be unencrypted. Users could therefore open the link to a camera in VLC, for example. Eufy’s parent company Anker told The Verge at the time that this was not possible.
In a new statement to the same outlet, eufy admits that those streams weren’t encrypted after all. The streams to the Security App were always encrypted, but those for the Web portal were not. This Web portal can be accessed via the browser and requires a login.
Eufy says these Web portal streams were not encrypted because the live streams were only added to the Web portal later, after users requested them. Initially, this portal was only intended for viewing cloud storage and subscriptions. The portal was therefore not designed for end-to-end encryption, according to Anker’s head of communications Eric Villines. Villines acknowledges this was a mistake and says all streams are now end-to-end encrypted. Devices will also use WebRTC for this encryption; the HomeBase 3 and eufyCam 3 already do this.
The company also addresses the Video Doorbell Dual, which stored camera thumbnails in eufy’s cloud storage. Here, too, eufy broke its own promises, because the company had promised that users could choose to store data only locally. However, the Video Doorbell Dual also stored thumbnails in the cloud, even if users had chosen to store videos only locally.
Anker claims this was done for facial recognition. The idea was that if users replaced that camera doorbell, eufy could use those thumbnails to reset facial recognition. Eufy acknowledges that this feature went against the “local storage promise” and says it has therefore been removed. Anker emphasizes that facial recognition data was not stored with those thumbnails.
In response to these two incidents, eufy is announcing several new measures. For example, the company wants to hire new security consultants and do more with certifications and pen tests. In addition, the brand wants to have an independent report carried out by a security company, and a bug bounty program is to be set up. Eufy also promises to create a site that better explains which data is stored where, and the company wants to communicate better with the community and the media.