Anker has confirmed that one of its security camera products had some serious security flaws that allowed unauthorized third parties to view the camera live feeds. It also confirmed that it’s been sending mobile push notifications with people’s faces via the cloud to user endpoints (opens in new tab).
Security researcher Paul Moore recently discovered that the (Anker-owned) Eufy Doorbell Dual camera’s feed could be accessed via a web browser by simply knowing the right URL, with no password was required.
Camera videos encrypted with AES-128 are using a simple key that can be broken with relative ease, Moore said at the time, adding that the app was uploading thumbnails to the cloud, before sending them to people’s mobile apps as notifications, and that the camera was uploading facial recognition data to its AWS cloud without encryption.
Confirming researcher reports
Now, in a blog post (opens in new tab) titled “To our eufy Security Customers and Partners”, the company has addressed these claims, confirming some of them, but denying others.
As for accessing the camera feed – the researcher was right. “eufy Security ‘s Live View Feature on its Web-Portal Feature Has a Security Flaw,” the company said, before adding that no user data had been exposed. “Potential security flaws discussed online are speculative,” the blog reads.
Still, the company has made some changes, now only allowing people to view live streams via the web if they sign in to the eufy.com 3 Web portal. “Users can no longer view live streams (or share active links to those live streams with others) outside of eufy’s secure Web portal,” it said.
Anker also confirmed using the cloud to send users mobile push notifications. While it said the feature “complies with all industry standards” it did make a few tweaks – it updated the eufy Security app with a more detailed explanation of the different push notification options, and revised its Privacy Statement on eufy.com 3, which should be published “later this week”.
“Moving forward, this will be a significant area of improvement for our marketing and communication teams and will be added to our website, privacy policies, and other marketing materials,” the blog explains.
Finally, it addressed the worries that the camera is sending facial recognition data to the cloud, shortly stating “This is not true.”
“This is a key differentiator for eufy Security – all facial recognition and biometric processes are completed locally on the user’s device. This information is never processed in the cloud.”
The company has been slammed by security researchers and the media for poor communication – something it also aimed to address with this update:
“Moving forward, we will need to better balance our need to get “all the facts” with our obligation to keep our customers more quickly informed,” it said.