Eufy publicly acknowledges some parts of its “Cloudless” controversy.

Eufy’s security department has publicly addressed some of the most important claims about the company’s locally focused systems, but those who bought into the “cloud-free” claims may not be entirely sure.


Eufy, the Anker brand that positions its security cameras as a “local storage” and “cloud-free” priority, issued a statement in response to recent findings by security researchers and tech news sites. Eufy admits it could do better, but it also leaves some issues unaddressed.

In a thread titled “Re: Recent security claims against eufy Security”, “eufy_official” wrote to its “Security Cutomers and Partners”. Eufy “takes a new approach to home security,” the company wrote, designed to work locally and “where possible” avoid cloud servers. Video, facial recognition and biometric identity data are managed on devices – “not in the cloud”.

This reiteration comes after questions have been raised about Eufy’s cloud policies several times in recent weeks. A British security researcher found in late October that the phone signals sent by Eufy were stored on a cloud server, seemingly unencrypted, with personal identification data included. Another company at the time quickly summarized two years of Eufy security findings, noting such unencrypted file transfers.

At the time, Eufy acknowledged that it uses cloud servers to store thumbnails and that it will improve its setup language so that customers who want mobile alerts know this. The company ignored other claims by security analysts, including that live video streams could be accessed through VLC Media Player with the right URL, whose encryption scheme could potentially be brute-forced.

A day later, tech site The Verge, working with a researcher, confirmed that a user who was not logged into a Eufy account could watch a camera stream, with the correct URL. Obtaining this URL requires a serial number (Base64 encoded), a Unix timestamp, an apparently unvalidated token, and a four-digit hex value.

At the time, Eufy said it “strongly disagrees with the allegations leveled against the company regarding the security of our products.” Last week, The Verge reported that the company had significantly changed many of its statements and “promises” on its privacy policy page. Eufy’s statement in its own forums arrived last night.

Eufy says its security model “has never been tried and we expect challenges along the way,” but remains committed to customers. The company admits that “several claims have been made” against its security and the need to respond has frustrated customers. But, the company wrote, it wanted to “gather all the facts before publicly addressing these allegations.”

Responses to these claims include Eufy noting that it uses Amazon Web Services to forward cloud notifications. The image is end-to-end encrypted and deleted shortly after sending, Eufy says, but the company intends to better notify users and adjust its marketing.

As for watching live feeds, Eufy claims that “no user data has been disclosed and potential security gaps discussed online are speculative.” But Eufy adds that it has disabled viewing of live streams when you are not logged into a Eufy portal.

Eufy says the claim that it sends facial recognition data to the cloud is “not true.” All identification processes are handled by local hardware, and users add recognized faces to their devices via local network or peer-to-peer encrypted connections, Eufy claims. But Eufy notes that its Video Doorbell Dual previously used “our secure AWS server” to share that image with other cameras in a Eufy system; this feature has since been disabled.

The Verge, which did not receive answers to further questions about Eufy’s security practices after its findings, has some follow-up questions, and they are remarkable. These include why the company denied remote streaming was possible in the first place, its policies on law enforcement requests, and whether the company actually uses “[email protected]” as an encryption key.

Researcher Paul Moore, who raised some of the earliest questions about Eufy’s practices, has yet to comment directly on Eufy since he posted on Twitter on November 28 that he had “a lengthy discussion with (Eufy)’s legal department.” Meanwhile, Moore set out to investigate other “local only” video doorbell systems and found them notably non-local. One of them even appears to copy Eufy’s privacy policy word for word.

“For now, it’s safer to use a bell that tells you it’s stored in the cloud – as those that are honest enough to tell you are usually using solid cryptocurrency,” Moore writes about his efforts. Some of Eufy’s most enthusiastic, privacy-conscious customers might agree.
