Anker admits security issues with the Eufy camera


Anker has confirmed that one of its security camera products has serious security flaws that allow unauthorized third parties to view live feeds from the camera. It also confirmed that it sends mobile push notifications with people's faces via the cloud to user endpoints.

Security researcher Paul Moore recently discovered that the stream from the Eufy Doorbell Dual camera (owned by Anker) could be accessed through a web browser simply by knowing the correct URL, without a password.

Camera videos encrypted with AES-128 use a simple key that can be cracked relatively easily, Moore said at the time, adding that the app uploads thumbnails to the cloud before sending them to mobile apps as notifications, and that the camera was uploading facial recognition data to its AWS cloud in the clear.

Confirmation of investigators' reports

Now, in a blog post titled "To our eufy customers and security partners," the company has responded to those claims, confirming some of them but denying others.

As for access to the camera feed, the researcher was right. "eufy Security's live view feature in its web portal functionality presents a security vulnerability," the company said, before adding that no user data was exposed. "Potential security vulnerabilities discussed online are speculative," the blog post read.

However, the company has made some changes, now allowing users to view live streams over the web only if they log into the eufy.com web portal. "Users can no longer view live streams (or share active links to those live streams with others) outside of eufy's secure web portal," the company said.

Anker also confirmed the use of the cloud to send mobile notifications to users. Although it said the feature "complies with all industry standards," it made a few changes: it updated the eufy Security app with a more detailed explanation of the different push notification options, and it revised its privacy statement at eufy.com, which is expected to be released "later this week".

"Going forward, this will be a major area of improvement for our marketing and communications teams and will be added to our website, privacy policies, and other marketing materials," the blog explains.

Finally, the company addressed concerns that the camera is sending facial recognition data to the cloud, briefly stating "That's not true."

"This is a key differentiator for eufy Security: all facial and biometric recognition processes are done locally on the user's device. This information is never processed in the cloud."

The company has been criticized by security researchers and the media for lack of communication, something it also intended to address with this update:

"Going forward, we will have to better balance our need to get 'all the facts' with our obligation to keep our customers informed faster," the company said.