Anker has admitted that a security camera device it manufactured had critical security issues that could be exploited by attackers to watch private video feeds. It also confirmed that it has been sending mobile push alerts, including user photos, through the cloud.
Paul Moore, a security researcher, recently revealed that anybody with access to the correct URL for the (Anker-owned) Eufy Doorbell Dual camera’s stream may view it in real time using a web browser.
Moore stated at the time that AES-128 encryption used by cameras is easily cracked, adding that the app was uploading thumbnails to the cloud before sending them to users’ mobile applications as alerts and that the camera was transmitting unencrypted face recognition data to Amazon Web Services’ cloud.
Results from studies that confirm previous findings
The company recently responded to these allegations in a blog post titled “To our eufy Security Customers and Partners,” in which it confirms some of the assertions and refutes others.
The researcher was correct in his assumption that access to the camera stream would be possible. The firm acknowledged a security hole, writing, “eufy Security’s Live View Feature on its Web-Portal Feature Has a Security Flaw,” but assured customers that their information was safe. The site asserts that “possible security issues described online are theoretical.”
However, the firm has made certain adjustments, such as requiring users to sign up for an account on eufy.com before they can watch live feeds online. Users “cannot access live broadcasts (or distribute live-streaming URLs) outside of eufy’s protected Web interface,” it said.
Anker has also confirmed that cloud technology is being leveraged to facilitate the delivery of push alerts to mobile devices. The company has updated the eufy Security app to provide a more thorough explanation of the various push notification options, and it has revised its Privacy Statement on eufy.com, which will be published “later this week.” Despite the fact that the feature “complies with all industry standards,” the company has made a few adjustments.
The concerns that the camera is uploading face recognition data to the cloud were also addressed, with a brief statement to the effect of “This is not true.”
One of eufy Security’s selling points is that all biometric and face recognition work is done locally on the user’s device, eliminating the need for a centralised server. The cloud is not used to process this data.
The corporation hoped to make amends for its lack of communication, which had been criticised by both security researchers and the media.
Moving ahead, “we will need to better balance our desire to collect ‘all the facts’ with our commitment to keep our consumers more rapidly informed,” it said.