Anker admits lack of encryption on Eufy security cameras
Anker got itself in a big debacle over its Eufy security cameras which were caught uploading footage from users’ cameras to the cloud without their consent as uncovered by information security consultant Paul Moore back in November. The bigger problem was that the uploaded user content from Eufy cameras was accessible via media players such as VLC for others to watch. Anker claimed its cameras used end-to-end encryption with all content being stored locally and only sent to devices on the user’s home network.
After months of uncertainty, Anker finally admitted that its Eufy cameras weren’t encrypted as initially claimed and that the company is working to fix the issue. In a series of emails to The Verge, Anker’s Global Communications chief Eric Villines explains the company is currently updating every Eufy camera to use the WebRTC API to fully encrypt video footage via AES and RSA algorithms.
Today, based on industry feedback and out of an abundance of caution, the eufy Security Web portal now prohibits users from entering debug mode, and the code has been hardened and obfuscated. In addition, the video stream content is encrypted, which means that these video streams can no longer be played on third-party media players such as VLC.
Today, all videos (live and recorded) shared between the user’s device to the eufy Security Web portal or the eufy Security App utilize end-to-end encryption, which is implemented using AES and RSA algorithms. - Eric Villines, Head of Global Communications at Anker
Anker claims that the problem is under control and that all stream requests from now on will be end-to-end encrypted. In addition, Anker issued a public apology for its lack of transparency and has hired independent security audit companies to help improve Eufy’s products and practices.