
Anker has identified some serious security flaws in one of its security camera products that could allow unauthorized third parties to view the camera’s live feed. It also confirmed that it has been sending mobile push notifications containing face thumbnails to users’ devices via the cloud.
Security researcher Paul Moore recently discovered that the (Anker-owned) Eufy Doorbell Dual camera’s feed can be accessed via a web browser simply by knowing the correct URL, no password required.
Camera videos encrypted with AES-128 use a simple key that can be cracked with relative ease, Moore said at the time, adding that the app was uploading thumbnails to the cloud and sending them as notifications to users’ mobile apps, and that the camera was uploading facial recognition data unencrypted to its AWS cloud.
Acknowledging researcher reports
Now, in a blog post titled “To our eufy security customers and partners,” the company has addressed the claims, confirming some but denying others.
As for accessing the camera feed, the researchers were right. “There was a security breach in the Live View feature on eufy Security’s web portal feature,” the company said, before adding that no user data was compromised. “Discussions of potential security vulnerabilities online are speculative,” the post said.
Still, the company made some changes and now only allows people to watch the live stream over the web after logging into the eufy.com portal. “Users can no longer watch live streams (or share links to those live events with others) outside of eufy’s secure portal,” it said.
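The fix described above, serving a live view only to a logged-in portal session rather than to anyone who knows the URL, as an added illustration. This is editor-written example code, not Anker’s or eufy’s; the endpoint path, camera ids, user names and session handling are all constructed.

```python
"""Constructed illustration of a live-view endpoint, before and after requiring
an authenticated session. Editor's example, not eufy's or Anker's code; all
camera ids, users and the /live/<camera-id> path are made up."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    path: str                      # e.g. "/live/cam-1234"
    cookies: dict = field(default_factory=dict)


# Constructed data: which user owns which camera.
CAMERA_OWNERS = {"cam-1234": "alice", "cam-9876": "bob"}


class SessionStore:
    """Maps random session tokens to logged-in users."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        # 256-bit random token: not derivable from the camera id or the URL.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        # Unknown, missing or forged tokens map to no user.
        return self._sessions.get(token)


def camera_id_from(path):
    prefix = "/live/"
    if not path.startswith(prefix):
        return None
    return path[len(prefix):] or None


def serve_live_view_insecure(req):
    """Before: whoever knows (or guesses) the URL gets the stream."""
    cam = camera_id_from(req.path)
    if cam in CAMERA_OWNERS:
        return 200, f"stream:{cam}"
    return 404, "not found"


def serve_live_view(req, sessions):
    """After: a valid session is required, and the caller must own the camera."""
    user = sessions.user_for(req.cookies.get("session"))
    if user is None:
        return 401, "login required"
    cam = camera_id_from(req.path)
    # Same 404 for "no such camera" and "not yours", so the endpoint does not
    # confirm which camera ids exist to a logged-in but unauthorized user.
    if cam is None or CAMERA_OWNERS.get(cam) != user:
        return 404, "not found"
    return 200, f"stream:{cam}"


def demo():
    """Exercise both handlers and return the status codes by scenario."""
    sessions = SessionStore()
    alice = sessions.login("alice")
    return {
        "insecure_no_login": serve_live_view_insecure(Request("/live/cam-1234"))[0],
        "no_login": serve_live_view(Request("/live/cam-1234"), sessions)[0],
        "owner": serve_live_view(Request("/live/cam-1234", {"session": alice}), sessions)[0],
        "other_users_camera": serve_live_view(Request("/live/cam-9876", {"session": alice}), sessions)[0],
        "forged_cookie": serve_live_view(Request("/live/cam-1234", {"session": "guess"}), sessions)[0],
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario}: {status}")
```

The insecure handler treats possession of the URL as authorization, which is the property the original web portal had; the hardened handler ties the stream to a server-issued session and an ownership check, so a shared or guessed link outside the portal no longer yields a stream.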
Anker also confirmed the use of the cloud to send mobile push notifications to users. While it says the feature “complies with all industry standards,” it is making some tweaks: it is updating the eufy Security app with a more detailed explanation of the different push notification options, and revising eufy.com, with the changes due to be published “later this week.”
“Going forward, this will be an important area of improvement for our marketing and communications teams and will be added to our website, privacy policy and other marketing materials,” the blog explains.
Finally, it addresses concerns that the cameras are sending facial recognition data to the cloud, and briefly says “that’s not true.”
“This is a key differentiator for eufy Security – all facial recognition and biometrics processes are done locally on the user’s device. This information is never processed in the cloud.”
The company has been slammed by security researchers and the media for its miscommunication — which is what it aims to fix with this update:
“Going forward, we will need to better balance our need to obtain ‘all the facts’ with our obligation to keep our clients informed more quickly,” it said.