Anker’s Eufy Allows Access to Unencrypted Videos, Plans Overhaul

After two months of arguing with critics about how many aspects of its “cloudless”security cameras can be accessed online by security researchers, Anker’s smart home division, Eufy, has provided a detailed explanation and promises to do better.

In multiple responses to The Verge, which has repeatedly accused Eufy of failing to address key aspects of its security model, Eufy has explicitly stated that video streams produced by its cameras can be accessed unencrypted through Eufy’s web portal, despite messaging and marketing that assumed the opposite. Eufy also said it will bring in penetration testers, commission an independent security researcher report, create a bug bounty program, and fine-tune its security protocols.

Until the end of November 2022, Eufy was prominent among smart home security providers. For those willing to entrust video streams and other home data to any company, Eufy bills itself as a No Cloud or Cost offering with encrypted streams transferred to local storage only.

Then came the first of Yufi’s woeful revelations. Security consultant and researcher Paul Moore asked Yufi on Twitter about several inconsistencies he found. Images from his doorbell camera, seemingly tagged with facial recognition data, were made available at public URLs. The feeds from the camera, when activated, appeared to be accessible without authentication from VLC Media Player (this was later confirmed by The Verge). Eufy issued a statement saying that, in fact, it did not fully explain how it used cloud servers to provide mobile notifications and promised to update its language. Moore went silent after tweeting about a “lengthy discussion”with Yufi’s legal team.

A few days later, another security researcher confirmed that, given a URL inside the Eufy user’s web portal, it could be streamed. The URL encryption scheme also seemed not sophisticated enough; as the same researcher told Ars, it only took 65,535 combinations to brute force, “which a computer can do fairly quickly.”Anker later increased the number of random characters needed to guess URL streams and claimed that he made it impossible for media players to play the user’s streams even if they had a URL.

At the time, Eufy issued a statement to The Verge, Ars and other publications, noting that it “strongly”disagrees with “the allegations made against the company regarding the safety of our products.”Following continued pressure from The Verge, Anker released a lengthy statement detailing his past mistakes and plans for the future.

Notable statements by Anker/Yufie include: