Eufy's security arm has publicly addressed some of the most important claims about the company's on-premises-centric systems, but those who accepted the "no cloud" claims still can't be quite sure.

Eufy

Eufy, the Anker brand that positions its security cameras as "local storage" and "no cloud," has issued a statement in response to recent findings by security researchers and technology news sites. Eufy admits it could do better, but leaves some issues unresolved.

In a post titled "Re: Recent security allegations against Eufy Security," "eufy_official" writes to "Security Customers and Partners." Eufy "takes a new approach to home security," the company writes, one designed to run locally and, "wherever possible," to avoid cloud servers. Video footage, facial recognition and identity biometrics are managed on devices, "Not the Cloud."

This reiteration comes after questions were raised several times in recent weeks about Eufy's cloud policies. A British security researcher discovered in late October that phone alerts sent from Eufy were stored on a cloud server, apparently unencrypted, including facial recognition data. At that time, another firm quickly summed up two years of Eufy security findings, which record similar unencrypted file transfers.

At the time, Eufy admitted that it uses cloud servers to store thumbnails, and said it would improve its installation language so that customers who want mobile alerts know this. The company did not address other claims by security analysts, including that live video streams could be accessed through VLC Media Player with the correct URL, one whose encryption scheme could potentially be brute-forced.

A day later, The Verge, a tech site working with a researcher, confirmed that a user who was not logged into a Eufy account could view a camera's stream, provided they had the correct URL. Retrieving this URL requires a serial number (Base64 encoded), a Unix timestamp, an unauthenticated token, and a four-digit hex value.

Eufy went on to say that it "strongly disagrees with the allegations made against the company regarding the safety of our products." Last week, The Verge reported that the company had significantly changed many of the statements and "promises" on its privacy policy page. Eufy's statement on its forums arrived last night.

Eufy says its security model has "never been tested and expects challenges down the road," but that the company remains committed to customers. The company admits that "several claims have been made" against its security, and that the need for a response has frustrated customers. But the company wrote that it wanted to "gather all the facts before making these claims public."

Among the responses to these claims, Eufy noted that it uses Amazon Web Services to forward cloud notifications. Eufy says the image is end-to-end encrypted and deleted shortly after it’s sent, but the company plans to better notify users and adjust its marketing.

Regarding viewing live streams, Eufy claims that "no user information has been exposed and potential security flaws discussed online are speculative." However, Eufy adds that it has disabled viewing of live streams for anyone not logged into the Eufy portal.

Eufy says the claim that it sends facial recognition data to the cloud is "not true." Eufy claims that all authentication processes are handled on the local hardware, and that users add recognized faces to their devices via local network or peer-to-peer encrypted connections. But Eufy notes that its Video Doorbell Dual previously used "our secure AWS server" to share that image with other cameras in the Eufy system; this feature has since been disabled.

The Verge, which did not receive a response to further questions about Eufy's security practices following the findings, has some additional questions, and they are noteworthy. These include why the company denies that remote viewing is possible, its policy on law enforcement inquiries, and whether the company actually uses "ZXSecurity17Cam@" as its encryption key.

Paul Moore, the researcher who raised some of the earliest questions about Eufy's practices, has not commented directly on Eufy since he posted on Twitter on November 28 that he "had a lengthy discussion with (Eufy's) legal department." Moore, meanwhile, began researching other "local only" video doorbell systems and found them to be notably not local. One of them even copies Eufy's privacy policy verbatim.

"So far, it's safer to use a doorbell that says it's stored in the cloud, because those who are honest enough generally say it uses solid cryptocurrency," Moore wrote about his efforts. Some of Eufy's most enthusiastic, privacy-conscious customers might agree.

Listing image by Eufy
