Anker Tries To Bullshit The Verge About Security Problems In Its Eufy Smart Camera Techdirt
p
MisUses of Technology
ppAnker the popular maker of device chargers and the Eufy smart camera line proudly proclaims on its website that user data will be stored locally never leaves the safety of your home footage only gets transmitted with endtoend militarygrade encryption and that the company will only send that footage straight to your phoneppYeah about that ppSecurity researcher Paul Moore and a hacker named Wasabi have discovered that few if any of those claims are true and that its possible to stream video from a Eufy camera from across the country with no encryption at all simply by connecting to a unique address at Eufys cloud servers using the free VLC Media PlayerppBoth clearly demonstrated the problem on Twitter but when contacted by The Verge Anker tried to claim that what the security researchers had clearly repeatedly demonstrated wasnt possibleppWhen we asked Anker pointblank to confirm or deny that the company categorically denied it I can confirm that it is not possible to start a stream and watch live footage using a thirdparty player such as VLC Brett White a senior PR manager at Anker told me via emailppExcept its not only possible its been repeatedly proven though theres no evidence yet of this having been exploited in the wild and it only works on cameras that are in an awakened state Users really only need a cameras serial number which they can obtain from the box or sometimes guess An attacker could also exploit and access cameras he donated to Good Will or other thrift stores ppThe discovery comes after a decade of smart hardware device makers having a fairly abysmal track record on security and privacy despite websites that routinely claim the opposite From TVs that fail to encrypt your home conversations to refrigerators that leak your email credentials the sector is rife with problems that somehow still dont get the kind of scrutiny they deserve ppMoore claims Ankers problems go deeper claiming that Eufy had violated numerous additional security promises including uploading camera thumbnail images including captured users faces to the cloud without permission and failing to delete stored private consumer datappDespite Anker being a Chinesebased company you wont hear any of the same national security hyperventilation over these kinds of issues routinely found in this and other Chinesemade smart home technologies Those kinds of freak outs are apparently singularly reserved for social media services like TikTok and only if such complaints can get you on television pp
Filed Under chinese encryption eufy privacy security streaming video
Companies anker
ppIf the companys response had been to say that as far as they were aware the researchers findings shouldnt have been possible and theyre looking into finding out how it was done and patching the hole that might have been believable responding by insisting that what they did wasnt possible despite the evidence to the contrary just comes across as fake news gaslighting which just serves to add weight to the researchers claimsppSecurity professional Cool show me how you did that there may be other similar holes that we need to fixppSecurity Theatre The security of our users is our highest priority ppI simplify but the core is trueppAnything that uses the phrase military grade is bullshitppDoesnt military grade mean expensive and unreliableppI think military grade has become a general catchall marketing phrase in the same way that Kamikoto knives each have a lifetime guaranteeppWhat do they call it in the militaryppmilspecppWell tactical encryption just sounds weirdppI feel like theres another article coming soon where AnkerEufy realizes theres a checkbox hidden on the 3rd tab of some admin settings page thats got an innocuous title like Enable access from the cloud and it defaults to sending all your data unencrypted to the Eufy serversppThis Ian a security issue Its a privacy issueppViewers can not delete recordings from an owners device The material remains storedppYour email address will not be published Required fields are marked ppHave a Techdirt Account Sign in now Want one Register hereppName ppEmail ppSubscribe to the Techdirt Daily newsletterppURL ppSubject ppComment ppTechdirt community members with Techdirt Credits can spotlight a comment as either the First Word or Last Word on a particular comment thread Credits can be purchased at the Techdirt Insider Shop pp
ppppΔdocumentgetElementById akjs1 setAttribute value new Date getTime ppA weekly news podcast fromMike Masnick Ben WhitelawppRead the latest postspp
Read All
pp
Become an Insider pppp
This feature is only available to registered users
You can register here or sign in to use it p
MisUses of Technology
ppAnker the popular maker of device chargers and the Eufy smart camera line proudly proclaims on its website that user data will be stored locally never leaves the safety of your home footage only gets transmitted with endtoend militarygrade encryption and that the company will only send that footage straight to your phoneppYeah about that ppSecurity researcher Paul Moore and a hacker named Wasabi have discovered that few if any of those claims are true and that its possible to stream video from a Eufy camera from across the country with no encryption at all simply by connecting to a unique address at Eufys cloud servers using the free VLC Media PlayerppBoth clearly demonstrated the problem on Twitter but when contacted by The Verge Anker tried to claim that what the security researchers had clearly repeatedly demonstrated wasnt possibleppWhen we asked Anker pointblank to confirm or deny that the company categorically denied it I can confirm that it is not possible to start a stream and watch live footage using a thirdparty player such as VLC Brett White a senior PR manager at Anker told me via emailppExcept its not only possible its been repeatedly proven though theres no evidence yet of this having been exploited in the wild and it only works on cameras that are in an awakened state Users really only need a cameras serial number which they can obtain from the box or sometimes guess An attacker could also exploit and access cameras he donated to Good Will or other thrift stores ppThe discovery comes after a decade of smart hardware device makers having a fairly abysmal track record on security and privacy despite websites that routinely claim the opposite From TVs that fail to encrypt your home conversations to refrigerators that leak your email credentials the sector is rife with problems that somehow still dont get the kind of scrutiny they deserve ppMoore claims Ankers problems go deeper claiming that Eufy had violated numerous additional security promises including uploading camera thumbnail images including captured users faces to the cloud without permission and failing to delete stored private consumer datappDespite Anker being a Chinesebased company you wont hear any of the same national security hyperventilation over these kinds of issues routinely found in this and other Chinesemade smart home technologies Those kinds of freak outs are apparently singularly reserved for social media services like TikTok and only if such complaints can get you on television pp
Filed Under chinese encryption eufy privacy security streaming video
Companies anker
ppIf the companys response had been to say that as far as they were aware the researchers findings shouldnt have been possible and theyre looking into finding out how it was done and patching the hole that might have been believable responding by insisting that what they did wasnt possible despite the evidence to the contrary just comes across as fake news gaslighting which just serves to add weight to the researchers claimsppSecurity professional Cool show me how you did that there may be other similar holes that we need to fixppSecurity Theatre The security of our users is our highest priority ppI simplify but the core is trueppAnything that uses the phrase military grade is bullshitppDoesnt military grade mean expensive and unreliableppI think military grade has become a general catchall marketing phrase in the same way that Kamikoto knives each have a lifetime guaranteeppWhat do they call it in the militaryppmilspecppWell tactical encryption just sounds weirdppI feel like theres another article coming soon where AnkerEufy realizes theres a checkbox hidden on the 3rd tab of some admin settings page thats got an innocuous title like Enable access from the cloud and it defaults to sending all your data unencrypted to the Eufy serversppThis Ian a security issue Its a privacy issueppViewers can not delete recordings from an owners device The material remains storedppYour email address will not be published Required fields are marked ppHave a Techdirt Account Sign in now Want one Register hereppName ppEmail ppSubscribe to the Techdirt Daily newsletterppURL ppSubject ppComment ppTechdirt community members with Techdirt Credits can spotlight a comment as either the First Word or Last Word on a particular comment thread Credits can be purchased at the Techdirt Insider Shop pp
ppppΔdocumentgetElementById akjs1 setAttribute value new Date getTime ppA weekly news podcast fromMike Masnick Ben WhitelawppRead the latest postspp
Read All
pp
Become an Insider pppp
This feature is only available to registered users
You can register here or sign in to use it p
