Eufy’s Promise of Secure Video Was A Lie

Anker, whose sub-brand Eufy, has built a ton of goodwill in the decade-plus it's been in business. They've created many sub-brands with Eufy being one for the home and consisting of cameras. They've promised zero-subscription, zero-cloud, encrypted video since Day 1. Imagine my surprise when news broke that data is going to the cloud. Oh, and video streams aren't encrypted at all. Sean Hollister at The Verge has more.

This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud. 

There is some good news: there’s no proof yet that this has been exploited in the wild, and the way we initially obtained the address required logging in with a username and password before Eufy’s website will cough up the encryption-free stream. (We’re not sharing the exact technique here.) 

Also, it seems like it only works on cameras that are awake. We had to wait until our camera’s owner pressed a button before the VLC stream came to life.

The Verge

This all came to light when security researcher Paul Moore started poking around his outdoor security cameras in his browser and saw requests going to the cloud. Even worse was when he deleted data from the app, the URLs within the browser data continued to work.

While Eufy has worked hard to convince many (including me) that their products are secure, this is a major violation of trust. Even worse is their lying answers and subsequent radio silence about this as Hollister keeps asking them questions about this.

On December 1st there was an update to his article indicating Eufy is changing things up behind the scenes (you can read the details at the end of the article). While I hope this is something they will explain and come clean about, I am really disappointed in how they've built this house of cards and have burned all the goodwill they've rightfully earned after so many years.

Yesterday there was a bigger update, specifically some disclosures about what the app will do. Maria Diaz at ZDNet reported on this

As of Monday, an update has been rolled out to the Eufy Security app to add a statement disclosing that thumbnail images will be uploaded to the company's cloud servers. ZDNET asked for comment but have yet to hear if the company will address the issue of people being able to view the camera feeds using VLC player and a URL, no authentication required.

ZDNet

This is also why any cameras a person buys should always face outward and never inside a home. Because if they're hacked, the worst someone will see is your lawn.

Before You Go...

TimeMachiner is my one-person project I run in my off time when I'm not working my day job in IT. If you enjoy my work, consider leaving a tip or becoming a member. Your support is appreciated and goes a long way to keep my work going.