Anker Tries To Bullshit The Verge About Security Problems In Its Eufy ‘Smart’ Camera
from the I-always-feel-like-somebody's-watching-me. dept
Anker, the popular maker of device chargers and the Eufy smart camera line, proudly proclaims on its website that user data will be stored locally, “never leaves the safety of your home,” footage only gets transmitted with “end-to-end” military-grade encryption, and that the company will only send that footage “straight to your phone.”
Yeah, about that.
Security researcher Paul Moore and a hacker named Wasabi have discovered that few if any of those claims are true, and that it’s possible to stream video from a Eufy camera, from across the country, with no encryption at all simply by connecting to a unique address at Eufy’s cloud servers using the free VLC Media Player.
Both clearly demonstrated the problem on Twitter, but, when contacted by The Verge, Anker tried to claim that what the security researchers had clearly, repeatedly demonstrated wasn’t possible:
When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.
Except it’s not only possible, it’s been repeatedly proven (though there’s no evidence yet of this having been exploited in the wild, and it only works on cameras that are in an awakened state). Users really only need a camera’s serial number, which they can obtain from the box or sometimes guess. An attacker could also access cameras that he had donated to Goodwill or other thrift stores.
The discovery comes after a decade of “smart” hardware device makers having a fairly abysmal track record on security and privacy despite websites that routinely claim the opposite. From TVs that fail to encrypt your home conversations to refrigerators that leak your email credentials, the sector is rife with problems that somehow still don’t get the kind of scrutiny they deserve.
Moore says Anker’s problems go deeper, claiming that Eufy violated numerous additional security promises, including uploading camera thumbnail images (among them captured images of users’ faces) to the cloud without permission and failing to delete stored, private consumer data.
Despite Anker being a China-based company, you won’t hear any of the same national security hyperventilation over these kinds of issues routinely found in this and other Chinese-made “smart” home technologies. Those kinds of freak-outs are, apparently, singularly reserved for social media services like TikTok, and only if such complaints can get you on television.
Comments on “Anker Tries To Bullshit The Verge About Security Problems In Its Eufy ‘Smart’ Camera”
'Pay no attention to the security hole behind the curtain!'
If the company’s response had been to say that as far as they were aware the researchers’ findings shouldn’t have been possible and they’re looking into finding out how it was done and patching the hole, that might have been believable. Responding by insisting that what they did wasn’t possible despite the evidence to the contrary just comes across as ‘fake news’ gaslighting, which just serves to add weight to the researchers’ claims.
Security professional: “Cool – show me how you did that – there may be other similar holes that we need to fix”
Security Theatre: “The security of our users is our highest priority …”
(I simplify, but the core is true)
Anything that uses the phrase “military grade” is bullshit.
Re:
Doesn’t military grade mean expensive and unreliable?
Re: Re:
I think “military grade” has become a general catch-all marketing phrase in the same way that Kamikoto knives each have a “lifetime guarantee”.
Re:
What do they call it in the military?
Re: Re:
milspec
Re:
Well, “tactical encryption” just sounds weird.
"Oh, you checked the 'cloud access' button??"
I feel like there’s another article coming soon where Anker/Eufy realizes there’s a checkbox hidden on the 3rd tab of some admin settings page that’s got an innocuous title like, “Enable access from the cloud?” … and it defaults to sending all your data, unencrypted, to the Eufy servers.
Retitled
This isn’t a security issue. It’s a privacy issue.
Viewers cannot delete recordings from an owner’s device. The material remains stored.