April 17, 2024

Anker admits Eufy security cameras were not natively encrypted

6 min read


Eufy camera with speak no evil emoji


Eufy Safety has remained generally silent considering that protection flaws were being uncovered in its system, which created a lot of customers understandably unsatisfied and several commenced wondering if they could even believe in Eufy protection cameras. But now, that is transformed.

This week Anker Electronics has finally acknowledged that, of course, Eufy Stability cameras did create video clip streams for the internet portal, with no encryption, in accordance to The Verge. Anker is Eufy’s dad or mum organization. 

Also: The greatest security cameras

In the slide of 2022, the sensible dwelling units manufacturer was caught uploading consumer information to cloud servers without the need of consent

On top of that, buyers claimed that another person could use a link from Eufy’s net portal to see the camera’s livestream making use of a media participant, in this scenario VLC. 

Anker suggests that is no more time the circumstance.

“Right now, all films (live and recorded) shared amongst the user’s product to the Eufy Safety Website portal or the Eufy Protection App employ conclusion-to-conclude encryption, which is carried out employing AES and RSA algorithms,” claimed Anker’s international head of communications, Eric Villines, who responded to The Verge’s inquiries following weeks of the organization remaining silent regarding these challenges.

As significantly as what gets uploaded to the cloud, Eufy has built obvious disclaimers on the cell application detailing that some knowledge will have to be uploaded to cloud servers when consumers transform on attributes like video previews for drive notifications.

From my point of watch, the challenge is not uploading screenshots to the cloud, as most clever security cameras do the same. The problem is that Eufy was informed that this was going on and however led consumers to believe that the opposite. 

Critique: EufyCam 3 and HomeBase 3: Why I am not receiving rid of these cameras still

For as lengthy as it can be been offering safety cameras and the HomeBase, Eufy had also been boasting that all your information is kept fully local. There’s no need to have to fret, all the things will be protected and sound appropriate in your HomeBase’s constructed-in storage generate, or any HDD or SSD you pick out to add to it if you have the newest edition.

In its emails to The Verge, Anker apologized to shoppers for the absence of response and is voicing a dedication to undertaking a much better work in the potential. A single of the means it truly is undertaking so is by doing the job with an unbiased corporation to perform protection and penetration tests in an work to audit Eufy’s system and techniques. 

EufyCam 3 and HomeBase 3 on a shelf

The pictured EufyCam 3 and HomeBase 3 already use WebRTC.

Maria Diaz/ZDNET

The aim is to “carry out a extensive protection possibility assessment of our items and eradicate probable dangers,” Villines discussed.

The business is also committing to making certain that all online video stream requests from Eufy’s net portal will be conclude-to-conclude encrypted and is updating all Eufy cameras to use WebRTC, which the HomeBase 3 and EufyCam 3/3C by now use. In accordance to Anker, only about .1% of recent every day people use the net portal.

The firmware updates to the remaining Eufy cameras commenced rolling out final 7 days. 

Also: Eufy Edge Protection System palms-on: The most highly developed stability cameras but?

Customers of the Eufy Safety mobile app can rest certain that their footage and camera feeds were now conclude-to-conclude encrypted, and this was done locally both on the digicam or HomeBase, in accordance to Anker. 

The Eufy Security web portal, which involves users to log in right before accessing, was not initially made with finish-to-stop encryption, which Villines admits it ought to have been from the beginning. It is the only movie streaming method that did not use encryption.

Heading ahead, the corporation has set in position new protocols and strategies for characteristics that could be designed in the upcoming, making certain that all facts going from users’ gadgets to the Eufy Safety cellular app or net portal ought to use end-to-finish encryption.

“There are a number of typical processes that demand the use of the cloud such as account set up, drive notifications, initial unit set up, device OTA, etc.,” Villines stated. 

Screenshot of Eufy's "Proof of Privacy" on its website

Screenshot of Eufy’s “Evidence of Privateness” on its website at the time of the incident that has because been edited.

Screenshot by Maria Diaz/Eufy Protection

Eufy also denies that it ever despatched facial recognition information to the cloud, but it does mention an update was carried out for the Video clip Doorbell Twin, which was the only 1 that applied AWS cloud servers to ship an first facial recognition impression to other cameras, but now takes advantage of LAN/P2P system to do so. ZDNET even now has not read back from Anker about any of these problems. 

The company is also arranging on launching a microsite with information on which of its key procedures are carried out domestically and which call for the use of the cloud, and is promising to give “far more well timed updates in our local community (and to the media!) to keep buyers far better knowledgeable on any updates to these techniques,” with a person of all those updates coming in early February.

So, can you have confidence in Eufy security cameras?

Just about every so often, we listen to about cybersecurity flaws and information leaks from companies that have obtained consumer trust — this isn’t new. Each time it happens it looks men and women with views type into three general teams: one that thinks it can be all overblown, just one that are not able to imagine people are not more outraged, and a person that continues to be neutral. 

Commonly, I consider to stay in the neutral subject. I try to consider the bad with the superior, and to understand how tricky it is to construct a fully impermeable system and then toss it into a hurricane and hope for the ideal. All through the previous few weeks, however, I’ve shifted concerning all three positions.

Owning a number of Eufy devices all in excess of my residence, I consider the organization has a very long way to go to get back consumer rely on, and even though these new procedures look promising, it’s going to take time for that to materialize.

Regarding an apology, Villines explained, “An apology ought to come with far more aspects on what transpired and the corrective actions we’ve carried out to make absolutely sure this isn’t going to transpire once again,” and I feel which is one particular point we can all concur on.


Supply backlink Anker, a global leader in charging technology, on Thursday confirmed that its Eufy security camera systems were not natively encrypted, exposing the video feeds of many unsuspecting customers to potential compromise.

In a statement, Anker said that the security cameras were shipped with a “very weak web server that did not encrypt video data.” The company said that it had launched an “urgent investigation” into the matter and would be rolling out a firmware update to provide users with “increased security and enhanced encryption.”

Security researcher Steve Povolny first discovered the vulnerability and reported it to Anker in October of 2018. He has said that the issue may have exposed thousands of security camera systems to be potentially accessed or manipulated by malicious actors.

Anker’s statement said that the company is taking steps to address the concerns raised by the security flaw. These include a more comprehensive security audit across their products which includes bringing in independent third-party security professionals to review security measures.

“The security of our products and customer data is tremendously important to Anker and we apologize for the concern this has caused amongst our userbase,” the statement read.

The company also emphasized that its customers’ data was in no immediate risk, and that no data had been accessed or compromised as a result of the issue.

Anker said that it was committed to providing customers with both a secure and reliable product and experience. They said that the update would provide users with the level of security and encryption “have come to expect from Anker products.”