It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure

from the let's-just-pretend-this-never-happened dept

Last November, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact that the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept user video streams.

The researchers found that an attacker simply needed a device serial number to connect to a unique address at Eufy’s cloud servers using the free VLC Media Player, giving them access to purportedly private video feeds. When approached by The Verge, Anker apparently thought the best approach was to simply lie and insist none of this was possible, despite repeated demonstrations that it was very possible:

When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.

Not only that, Anker apparently thought it would be a good idea to purge its website of all of its past promises related to privacy, thinking this would somehow cause folks to forget they’d misled their customers on proper end-to-end encryption. It didn’t.

It took several months, but The Verge kept pressing Anker to come clean, and only this week did the company finally decide to do so:

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

I don’t know why anybody in tech PR in 2023 would think the best response to a privacy scandal is to lie, pretend nothing happened, and then purge your company’s website of past promises. Perhaps that works in some industries, but when you’re selling products to techies with very specific security promises attached, it’s just idiotic, and kudos to The Verge for relentlessly calling Anker out for it.

Companies: anker

Comments on “It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure”

9 Comments
This comment has been deemed insightful by the community.
That One Guy (profile) says:

Too little too late?

The problem I see them facing is that since they’ve shown that they will lie to their customers about their products why should anyone trust them when they say that now it’s secure?

It would have been one thing if when faced with security researchers pointing to holes in the product security they owned it and took immediate steps to address the problem but by lying and claiming that the emperor most certainly did have clothes until months later it’s a little hard to trust any claims about security they make now even if those claims are accurate.

Anonymous Coward says:

You ask why companies lie and obfuscate when exposed. It’s because lying works. They’ve already lied, and if when they double down the press fades that’ll be the end of the problem and they just go on to keep selling more stuff. Anybody who’s really paying attention and has the technical ability to check things out themselves was a write off the moment it went public. Sure, the press might stick around, but if you’ve already lied more lies aren’t any more damning really. At this point they’ve decided that the cost of the press sticking around is less than just admitting it and moving on.

Fundamentally, the idea that the ‘market’ will punish companies for anything rests in the assumption of perfect symmetry of information among market actors. This is the spherical cow in a vacuum of economic thought, but for some reason it’s gotten taken seriously as an actual way to make policy or understand the world.

Michael says:

Military Grade

“the company advertised its Eufy cameras as having “end-to-end” military-grade encryption”

Having been in the military, I think this statement is actually quite possibly true.

Most things labeled “military-grade” tend to be built to minimum specs by the cheapest contractor that also happens to be related to the sister of the officer signing the requisition form.
