
Yuffie
Anker’s smart home division, Eufy, offers a lengthy explanation and promises improvements after two months of discussions with critics on many aspects of the ‘cloudless’ security cameras that security researchers can access online. Did.
While multiple responses to The Verge have repeatedly pointed out that Eufy fails to address key aspects of its security model, Eufy notes that the video stream produced by the camera has access to security via the Eufy web portal. and states that it can be accessed in an unencrypted state. Marketing that suggested otherwise. Eufy also says he will invite his testers for penetration, commission reports from independent security researchers, create a bug bounty program, and reveal details of his security protocols.
By late November 2022, Eufy stood out among smart home security providers. For those who trust companies to provide video feeds and other home data, Eufy touted it as offering “no cloud or costs,” with encrypted feeds streamed to local storage only.
Then came the first of Yuffie’s harrowing revelations. Security consultant and researcher Paul Moore asked Euphie on Twitter about some of the contradictions he found. An image of him on his doorbell camera that appears to be tagged with facial recognition data was accessible via a public URL. Enabling his feed seemed to allow access without authentication from VLC Media Player (later confirmed by The Verge). Eufy didn’t fully explain how he issued a statement, essentially using his servers in the cloud to serve mobile notifications and promise to update languages. Moore remained silent after tweeting about a “long discussion” with Eufy’s legal team.
A few days later, another security researcher confirmed that Eufy users could stream by specifying a URL within their web portal. The URL encryption scheme also seemed inelegant. As the same researcher told Ars, only 65,535 combinations are needed for a brute force attack, and “computers can do this very fast.” Anker has since increased the number of random characters required to guess a URL stream and said he removed the ability for his player to play a user’s stream (even though he had a URL). .
Eufy issued a statement to The Verge, Ars, and other publications at the time, noting that it “resolutely” opposes “the accusations made against the company regarding the security of its products.” bottom. Following continued pressure from The Verge, Anker released a lengthy statement detailing past mistakes and future plans.
Among Anker/Eufy’s notable statements:
- That web portal currently prohibits users from entering “debug mode”.
- Video stream content is encrypted and cannot be accessed outside the portal.
- Currently, “only 0.1%” of daily users access the portal, but “there were some issues” that have been resolved.
- Eufy is pushing WebRTC to all security devices as an end-to-end encrypted stream protocol.
- Facial recognition images were uploaded to the cloud and helped replace/reset/add the doorbell with an existing set of images, but has been discontinued. Images sent to the cloud do not contain recognition data.
- All other videos use end-to-end encryption, except for “Web Portal Recent Problems”.
- “Leading and well-known security experts” create reports on Eufy’s systems.
- “Several new security consulting, certification, and penetration testing” firms are brought in for risk assessment.
- The “Eufy Security Bounty Program” is established.
- The company promises to “provide our community (and the media) with more timely updates.”