Eufy publicly acknowledges some parts of its “No clouds” controversy

[Image: graphic showing a home with multiple Eufy products.] Caption: Eufy’s security arm has publicly addressed some of the most important claims about the company’s local-focused systems, but those who bought into the “no clouds” claims may not be fully assured.


Eufy, the Anker brand that positioned its security cameras as prioritizing “local storage” and “No clouds,” has issued a statement in response to recent findings by security researchers and tech news sites. Eufy admits it could do better but also leaves some issues unaddressed.

In a thread titled “Re: Recent security claims against eufy Security,” “eufy_official” writes to its “Security Customers and Partners.” Eufy is “taking a new approach to home security,” the company writes, designed to operate locally and “wherever possible” to avoid cloud servers. Video footage, facial recognition, and identity biometrics are managed on devices—“Not the cloud.”

This reiteration comes after questions have been raised a few times in the past weeks about Eufy’s cloud policies. A British security researcher found in late October that phone alerts sent from Eufy were stored on a cloud server, seemingly unencrypted, with face identification data included. Another firm at that time quickly summarized two years of findings on Eufy security, noting similar unencrypted file transfers.

At that time, Eufy acknowledged using cloud servers to store thumbnail images, and that it would improve its setup language so customers who wanted mobile alerts knew this. The company didn’t address other claims from security analysts, including that live video streams could be accessed through VLC Media Player with the right URL, one whose encryption scheme could potentially be brute-forced.

One day later, tech site The Verge, working with a researcher, confirmed that a user not logged into a Eufy account could watch a camera’s stream, given the right URL. Getting that URL required a serial number (encoded in Base64), a Unix timestamp, a seemingly non-validated token, and a four-digit hex value.

Eufy said then it “adamantly disagrees with the accusations levied against the company concerning the security of our products.” Last week, The Verge reported that the company notably changed many of its statements and “promises” from its privacy policy page. Eufy’s statement on its own forums arrived last night.

has some follow-up questions, and they’re notable. They include why the company denied that viewing a remote stream was possible in the first place, its law enforcement request policies, and whether the company was really using “ZXSecurity17Cam@” as an encryption key.

Researcher Paul Moore, who raised some of the earliest questions about Eufy’s practices, has yet to comment directly on Eufy since he posted on Twitter on November 28 that he had “a lengthy discussion with (Eufy’s) legal department.” Moore has, in the meantime, taken to investigating other “local-only” video doorbell systems and found them notably non-local. One of them even seemed to copy Eufy’s privacy policy, word for word.

“Thus far, it’s safer to use a doorbell which tells you it’s stored in the cloud—as the ones honest enough to tell you generally use solid crypto,” Moore wrote about his efforts. Some of Eufy’s most enthusiastic, privacy-minded customers may find themselves agreeing.

Listing image by Eufy