More Lies: Anker’s Eufy Pants on Fire — ‘No Cloud’ Cams Send to Cloud

Eufy home security cameras and doorbells are insecure. They send your photos to the cloud with minimal protection and serve up video across the internet with useless encryption.

As if that wasn’t bad enough, they do this despite Anker’s loud marketing promise that they absolutely won’t. And they do it despite the follow-on PR denial it’s happening. All this is according to a British researcher with just a web browser in Inspect mode.

Some commenters even suspect a Chinese plan to build a facial recognition database of Americans. In today’s SB Blogwatch, we rip them off our front doors.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How Alex Stamos got into security.

Euf***ed Up

What’s the craic? Ben Schoon reports—“Eufy caught lying about ‘local-only’ security cameras with footage sent to cloud”:

Yikes
Anker’s Eufy brand claims to keep data local … explicitly saying “no one has access to your data but you.” … The claim is far from true, with footage not only going to the cloud, but remaining visible even after it was supposed to be deleted.

The security hole was first discovered on Eufy’s Doorbell Dual camera [which] was uploading facial recognition data from the camera to Eufy’s cloud servers with identifiable information attached. … The evidence is quite clear at this point, and it’s a massive security failure on top of direct lies to customers.

Yikes.

Yikes indeed. Sean Hollister burns with righteous indignation—“Anker’s Eufy lied to us”:

Caught in some big lies
Anker has built a remarkable reputation for quality. … Eufy’s commitment to privacy is remarkable: it promises your data … “never leaves the safety of your home,” [and] that its footage only gets transmitted with “end-to-end” military-grade encryption.

Imagine our surprise to learn you can stream video from a Eufy camera, from the other side of the country, with no encryption at all. … When we asked Anker point-blank to confirm or deny that … the company falsely [told me] it wasn’t even possible.

This week, we repeatedly watched live footage from two of our own Eufy cameras using … VLC media player, from across the United States. … Now that Anker has been caught in some big lies, it’s going to be hard to trust whatever the company says next.

Horse’s mouth? Paul Moore—@Paul_Reviews:

You have some serious questions to answer @EufyOfficial. Here is irrefutable proof that my supposedly “private”, “stored locally”, “transmitted only to you” doorbell is streaming to the cloud – without cloud storage enabled.

@EufyOfficial finally admitted uploading pictures, faces and names to the cloud without permission. They claim they’re only used for notifications [and] are “deleted immediately when you delete it [or] close the account.” Both a lie.

Just had a lengthy discussion with @EufyOfficial’s legal department. It’s appropriate at this stage to give them time to investigate and take appropriate action.

To be clear, the problem is multi-faceted. As NWade splains:

The issue isn’t just that the cloud is involved in push notifications. … The issue is that:

    1. Eufy cameras can be remotely viewed without authentication, …
    2. Images and associated user information are exposed on publicly-accessible servers, …
    3. Encryption keys are exposed in unsecured API calls, and …
    4. User data does not seem to be deleted off the publicly-accessible systems after notifications are delivered—or indeed even after the account is deactivated/deleted!
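
The first claim on that list, that a camera sold as “local-only” is talking to servers outside your house, is something anyone can check from the router rather than take on trust. The script below is an added example, not code from Eufy, the researcher, or the original post: it reads flow records (the constructed sample lines are the format assumed here; real input would come from your router’s flow or conntrack log), decides for each watched device whether its traffic stayed on the LAN or left it, and reports any off-LAN bytes and destinations. The RFC 1918 ranges are treated as “local”; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for unknown cloud endpoints, not real Eufy hosts.

```python
"""Flag 'local-only' devices that send traffic off the LAN.

Added example (not Eufy's code, nor the researcher's method). The flow
records below are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges used as placeholders for cloud endpoints.
"""
import ipaddress
import re

# What counts as "local": RFC 1918 plus loopback, link-local and multicast.
# Deliberately an explicit list rather than ipaddress.is_private, which also
# treats the documentation ranges used below as private.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",    # loopback, link-local, multicast
)]

# Assumed log line shape: "<timestamp> <src> -> <dst>:<dport> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

# Constructed sample: one doorbell (.50) and one hub (.77) on 192.168.1.0/24.
SAMPLE_FLOWS = """\
2024-11-29T10:00:01Z 192.168.1.50 -> 192.168.1.1:53 bytes=412
2024-11-29T10:00:02Z 192.168.1.50 -> 192.168.1.10:443 bytes=120000
2024-11-29T10:00:05Z 192.168.1.50 -> 203.0.113.25:443 bytes=48000
2024-11-29T10:00:09Z 192.168.1.50 -> 198.51.100.7:443 bytes=2900000
2024-11-29T10:00:11Z 192.168.1.77 -> 192.168.1.10:8123 bytes=5000
2024-11-29T10:00:12Z garbage line that should be skipped
"""


def is_lan(addr: str) -> bool:
    """True if the address falls inside one of the LAN_NETWORKS prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def parse_flows(text: str):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        }


def egress_by_device(flows, watched):
    """Per watched source IP: bytes kept on the LAN, bytes sent off it, and the
    off-LAN (dst, port) pairs observed."""
    report = {
        dev: {"lan_bytes": 0, "egress_bytes": 0, "egress_dsts": set()}
        for dev in watched
    }
    for f in flows:
        if f["src"] not in report:
            continue
        r = report[f["src"]]
        if is_lan(f["dst"]):
            r["lan_bytes"] += f["bytes"]
        else:
            r["egress_bytes"] += f["bytes"]
            r["egress_dsts"].add((f["dst"], f["dport"]))
    return report


def local_only_violations(text: str, watched):
    """Return only the watched devices that sent anything off the LAN."""
    report = egress_by_device(parse_flows(text), watched)
    return {dev: r for dev, r in report.items() if r["egress_bytes"] > 0}


if __name__ == "__main__":
    hits = local_only_violations(SAMPLE_FLOWS, {"192.168.1.50", "192.168.1.77"})
    for dev, r in hits.items():
        dsts = ", ".join(f"{d}:{p}" for d, p in sorted(r["egress_dsts"]))
        print(f"{dev}: {r['egress_bytes']} bytes off-LAN to {dsts}")
```

Run against a day of real flow records with the camera’s address in `watched` and cloud storage switched off; any non-zero `egress_bytes` means the “never leaves your home” claim is false for that device, and the destination list tells you where to point a packet capture next. Note that a device that only resolves DNS through your router will show nothing here, so pair this with a look at the router’s DNS log if you want the hostnames too.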

Presumably there’s a “don’t use the cloud” option, right? Wrong, says u/MashedTotties:

The camera is sending your data to the cloud even if you do not sign up to use the cloud. They are doing this when they explicitly tell people they aren’t. And the way they are doing it is insecure.

They have been specifically targeting privacy conscious consumers with false advertising and reassurances that they are respecting your privacy when they are actually being shady about it. … And now I have screw holes in my ****ing doors—a constant reminder of how much I was duped by Anker.

What’s going on? eclectro makes a case:

When will we learn??? Anker is headquartered in China. … The CCP is collecting information on the American people. Likely to advance its spying operations when needed. They are likely collecting this information for possible use in the future.

Recently it was found that the Chinese had the complete information stored in their database of election poll workers (see Konnech Inc.) in the US. It also had all the information about their family members. Including social security numbers, driver license numbers, and all the passwords they used. … Who doesn’t re-use a password? I rest my case.

Stop it, Yr Blues. You’re scaring me:

They were caught. Imagine the ones that aren’t.

What now? I guess wor339 speaks for many:

I think this is the final nail in the coffin for my use of Eufy products. Between last year’s breach, the sudden suspicious surge of 5-star reviews for their previously unpopular app (they have bought reviews obviously) and failure to fix geofencing—I give up.

Meanwhile, mrobins feels vindicated—yet again:

Every time I start wondering if I’m too dogmatic about avoiding smart home products …

And Finally:

What led to former Facebook CSO’s security career?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Jametlene Reskp (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
