It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure

Last November, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact that the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept user video streams.

The researchers found that an attacker simply needed a device serial number to connect to a unique address at Eufy’s cloud servers using the free VLC Media Player, giving them access to purportedly private video feeds. When approached by The Verge, Anker apparently thought the best approach was to simply lie and insist none of this was possible, despite repeated demonstrations that it was very possible:

When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.

Not only that, Anker apparently thought it would be a good idea to purge its website of all of its past promises related to privacy, thinking this would somehow cause folks to forget it had misled its customers about proper end-to-end encryption. It didn’t.

It took several months, but The Verge kept pressing Anker to come clean, and only this week did the company finally decide to do so:

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

I don’t know why anybody in tech PR in 2023 would think the best response to a privacy scandal is to lie, pretend nothing happened, and then purge your company’s website of past promises. Perhaps that works in some industries, but when you’re selling products to techies with very specific security promises attached, it’s just idiotic, and kudos to The Verge for relentlessly calling Anker out for it.

Source: It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure | Techdirt

Robin Edgar
