Eufy publicly acknowledges some parts of its “No clouds” controversy

By | December 21, 2022
Graphic showing home with multiple Eufy proucts, reading:
Enlarge / Eufy’s security arm has publicly addressed some of the most important claims about the company’s local-focused systems, but those who bought into the “no clouds” claims may not be fully assured.

Eufy, the Anker brand that positioned its security cameras as prioritizing “local storage” and “No clouds,” has issued a statement in response to recent findings by security researchers and tech news sites. Eufy admits it could do better but also leaves some issues unaddressed.

In a thread titled “Re: Recent security claims against eufy Security,” “eufy_official” writes to its “Security Cutomers and Partners.” Eufy is “taking a new approach to home security,” the company writes, designed to operate locally and “wherever possible” to avoid cloud servers. Video footage, facial recognition, and identity biometrics are managed on devices—”Not the cloud.”

This reiteration comes after questions have been raised a few times in the past weeks about Eufy’s cloud policies. A British security researcher found in late October that phone alerts sent from Eufy were stored on a cloud server, seemingly unencrypted, with face identification data included. Another firm at that time quickly summarized two years of findings on Eufy security, noting similar unencrypted file transfers.

At that time, Eufy acknowledged using cloud servers to store thumbnail images, and that it would improve its setup language so customers who wanted mobile alerts knew this. The company didn’t address other claims from security analysts, including that live video streams could be accessed through VLC Media Player with the right URL, one whose encryption scheme could potentially be brute-forced.

One day later, tech site The Verge, working with a researcher, confirmed that a user not logged into a Eufy account could watch a camera’s stream, given the right URL. Getting that URL required a serial number (encoded in Base64), a Unix timestamp, a seemingly non-validated token, and four-digit hex value.

Eufy said then it “adamantly disagrees with the accusations levied against the company concerning the security of our products.” Last week, The Verge reported that the company notably changed many of its statements and “promises” from its privacy policy page. Eufy’s statement on its own forums arrived last night.

Eufy states its security model has “never been attempted, and we expect challenges along the way,” but that it remains committed to customers. The company acknowledges that “Several claims have been made” against its security, and the need for a response has frustrated customers. But, the company writes, it wanted to “gather all the facts before publicly addressing these claims.”

The responses to those claims include Eufy noting that it uses Amazon Web Services to forward cloud notifications. The image is end-to-end encrypted and deleted shortly after sending, Eufy states, but the company intends to better notify users and adjust its marketing.

As to viewing live feeds, Eufy claims that “no user data has been exposed, and the potential security flaws discussed online are speculative.” But Eufy adds it has disabled the viewing of livestreams when not logged into a Eufy portal.

Eufy states that the claim it is sending facial recognition data to the cloud is “not true.” All identity processes are handled on local hardware, and users add recognized faces to their devices through either local network or peer-to-peer encrypted connections, Eufy claims. But Eufy notes that its Video Doorbell Dual previously used “our secure AWS server” to share that image to other cameras on a Eufy system; that feature has since been disabled.

The Verge, which had not received answers to further questions about Eufy’s security practices after its findings, has some follow-up questions, and they’re notable. They include why the company denied that viewing a remote stream was possible in the first place, its law enforcement request policies, and whether the company was really using “ZXSecurity17Cam@” as an encryption key.

Researcher Paul Moore, who raised some of the earliest questions about Eufy’s practices, has yet to comment directly on Eufy since he posted on Twitter on November 28 that he had “a lengthy discussion with (Eufy’s) legal department.” Moore has, in the meantime, taken to investigating other “local-only” video doorbell systems and found them notably non-local. One of them even seemed to copy Eufy’s privacy policy, word for word.

Thus far, it’s safer to use a doorbell which tells you it’s stored in the cloud—as the ones honest enough to tell you generally use solid crypto,” Moore wrote about his efforts. Some of Eufy’s most enthusiastic, privacy-minded customers may find themselves agreeing.

Listing image by Eufy