Anker has confirmed that one of its security camera products had serious security vulnerabilities that allowed unauthorized third parties to view live camera feeds. It also confirmed that it sends mobile push notifications with people’s faces through the cloud to users’ endpoints (opens in a new tab).
Security researcher Paul Moore recently discovered that the Eufy Doorbell Dual camera feed (owned by Anker) can be accessed via a web browser simply by knowing the correct URL, no password required.
Camera videos encrypted with AES-128 use a simple key that is relatively easy to crack, Moore said at the time, adding that the app uploaded thumbnails to the cloud before sending them to people’s mobile apps as notifications, and that the camera sent facial recognition data to your AWS cloud without encryption.
Confirming researcher reports
Now in A blog post (opens in a new tab) titled “To Our Eufy Security Customers and Partners,” the company addressed these claims, confirming some of them but denying others.
When it comes to access to the image from the camera – the researcher was right. “Eufy Security’s live view feature on its web portal has a security vulnerability,” the company said, adding that no user information had been disclosed. “Potential vulnerabilities discussed on the Internet are speculations,” the blog reads.
Despite this, the company has made some changes, now allowing people to watch live streams online only by logging into the eufy.com web portal 3. “Users can no longer watch live streams (or share active links to these live streams with others) outside of eufy’s secure online portal.
Anker also confirmed the use of the cloud to send users push notifications to mobile devices. While it claims the feature is “compliant with all industry standards”, it has made a few tweaks – it has updated the eufy Security app with a more detailed explanation of the different push notification options and improved its privacy statement on eufy.com 3 which should be published “yet this week”.
Finally, he addressed concerns that the camera was sending facial recognition data to the cloud, briefly stating: “That’s not true.”
“This is a key differentiator of eufy Security – all facial recognition and biometrics processes are performed locally on the user’s device. This information is never processed in the cloud.”
The company was criticized by security researchers and the media for poor communication – something it also aimed to address in this update:
“Going forward, we will need to better balance our need to get ‘all the facts’ with our obligation to inform our customers faster,” it said.