Has Eufy Stepped Up Their Privacy Game?

Eufy Security, a brand of consumer tech company Anker Innovations, is a big name in consumer home security cameras and their products can be found in many big brand stores all over the world. They’ve had a few minor missteps in terms of their security design in the past, despite making a big promise about being a privacy-first company. But, in November 2022 things came truly unstuck with major security flaws being uncovered by private security Paul Moore and confirmed by other hackers and several major tech publications.

The issues that came to light demolished Eufy’s claims of being secure, and the company’s ham-handed attempts at damage control made things that much worse by appearing to be a devious and deliberate design choice that they were trying to cover up. These issues included the ability to use a URL to stream any Eufy camera from any video player given its serial number, and the undisclosed uploads of snapshots used to set up facial recognition to a cloud server.

Naturally, those of us in the tech industry were disappointed in both the seriousness of these issues, and the responses from Eufy deflecting, making excuses, and outright denying these things were possible, all while people all over the internet were reproducing the exact same things. Tech publication The Verge, to their credit, took on Eufy and relentlessly hammered them for real answers. Finally, Eufy got their PR act together and came clean, and proposed a plan of action to fix things. I thought it would be interesting to see how Eufy is tracking against these pledges.

Eufy’s Action Plan

1. Enable end-to-end encryption on all traffic to the web portal.

2. Debug mode to be disabled on the web portal to prevent harvesting the camera URLs.

3. Convert all Eufy cameras to use WebRTC with default en-to-end encryption.

4. Stop sending facial recognition images to the cloud, each device will need to set these up separately.

5. Create a microsite to better explain their processes.

6. Engage new security consulting partners to conduct a comprehensive risk assessment and TrustARC certification.

7. Engage a security expert to produce an independent report on current state.

8. Set up a bug bounty program to aid security researchers in finding issues.

What has Eufy done?

The fixes to the web portal were already reported by hackers around the time of these promises, although the obfuscation of the code meant what was actually done could not be confirmed. This does however address the availability of the URLs for scraping, so I guess that’s a win.

As for implementing WebRTC, it does seem to have occurred. Checking the firmware updates in my own Eufy account, I don’t see any mention of it, but there are a number of updates around early 2023 for ‘bug fixes’ that may have incorporated this. Looking at open-source integration solutions for Eufy cameras, they do indeed appear to require WebRTC now, which suggests this has been completed. (Learn more about how WebRTC fits into video streaming)

Eufy now has a page dedicated to tracking their improvement journey, although it’s not really a microsite, just another page on the eufy.com domain. This indicates the protocol updates were complete by January 15th, 2023.

Thumbnail images, which need to be sent to the cloud in order to be included in notifications, were disabled by default. I’ve confirmed that in my own app. That options page has also been updated to explain fully that these images will be sent to the cloud if enabled, so it’s now a clear user preference.

A bug bounty program was supposedly estlablished on April 19th, 2023. I went ahead and check with HackerOne, the chosen partner, an there is indeed a program in effect which is fully visible here. This also indicates that Eufy is meeting their response targets as defined by HackerOne.

Eufy claims they engaged security consultant Ralph Echemendia to perform that independent report on their current state and practices. Ralph is quite well known as ‘The Ethical Hacker’, so this was fairly easy to confirm. Ralph posted to LinkedIn that he had been commissioned by Eufy and that they had successfully met his standards.

Finally, Eufy claims to have completed and attained a TRUSTe Privacy Certification on the 10th of January 2024 which meets the TrustARC Privacy and Data Governance framework standards. I haven’t been able to verify this other than confirming the TRUSTe Certified Privacy badge is now on the Eufy home page. This is usually the only evidence we can get publicly. TrustARC doesn’t provide a list of clients of certificate holders that I can find.

My Conclusion

After some pretty serious missteps and, frankly, a comedy of errors on the part of the support teams when this initially broke, Eufy has clearly made good faith efforts to clean up their security design and internal processes to both address the issues at hand, and to prevent issues occurring in the future.

My gut feel from the outset was that Eufy wasn’t up to anything malicious and, based on their previous security trip ups, they simply had process and competency issues around their security implementation. Security design is hard, modern software systems are complex and so many things can go wrong, even the biggest tech majors are constantly working to close obscure loopholes in their systems.

That’s not an excuse, of course. Those challenges don’t make any difference to customers who are relying on things to work as intended. Eufy was rightly called out for some serious oversights that should absolutely have been handled better at the time, but it does appear that all of their promises to change course have now been implemented. We’ll need to keep an eye on things going forward, but that applies to all of these consumer tech companies, especially those making camera products that pose grave privacy implications for anyone using them.

Eufy being such a big player is actually a good thing. With so many products out there, there are many more qualified eyes looking for problems than with smaller brands. The bug bounty program goes a long way to helping incentivize researchers to do that looking, and to report things to Eufy to get fixed quickly. As a result, it’s far more likely that nothing like this happens again.