Anker finally explains the security shortcomings of its Eufy cameras. The Verge managed to outwit the company after giving it an ultimatum: the manufacturer finally admitted that its cameras were not end-to-end encrypted, since they can produce video streams viewable from anywhere. These facts were revealed last December when a researcher realised that the supposedly encrypted stream from his camera was in fact accessible remotely via a traditional media player like VLC.
According to a spokesperson, the issue was related to Eufy’s web portal. The portal provides access to streams but, unlike the app, was not created with end-to-end encryption in mind. It was therefore protected only by a simple username/password combo. “It wasn’t enough,” the brand says by way of apology.
The problem is now said to be largely fixed: all video stream requests from Eufy’s web portal are now end-to-end encrypted, and the company says it’s in the process of updating every camera to use the Default WebRTC encrypted API. Contrary to what a piece of code published on GitHub suggested, Eufy claims that stream encryption keys are dynamic and not standardized, and are therefore not easily guessed.
The company promises to do better and apologizes for its controversial communication. It must be said that Eufy remained silent for a while before distilling some information that was a little off the mark, which undoubtedly cost it the confidence of many customers. From now on, the company says it wants to call on external companies to audit its security practices and explains that it is in discussion with a leading security expert to produce an independent report. An official bug squashing program is in the works, as is a site detailing its security practices.