In late November, security experts found that eufy camera footage can be streamed through VLC—no authentication required. This is an awful vulnerability, especially for a camera brand that supposedly keeps everything off the cloud. Now, instead of facing this mess head-on, eufy is deleting some of its old promises.
As reported by The Verge’s Sean Hollister, eufy deleted at least 10 promises from its “Privacy Commitment” page. This deletion happened sometime between December 8th and December 15th, as indicated by an archived version of the commitment page.
Here are five promises that were deleted from eufy’s website:
- “There is no online link available to any video.”
- “[Y]our recorded footage will be kept private. Stored locally. With military-grade encryption. And transmitted to you, and only you.”
- “With secure local storage, your private data never leaves the safety of your home, and is accessible by you alone.”
- “You need to use Eufy software and your account to decrypt the clips for viewing. No one else can access or read this data.”
- “All recorded footage is encrypted on-device and sent straight to your phone—and only you have the key to decrypt and watch the footage. Data during transmission is encrypted.”
These now-deleted promises explain the benefits of local encrypted storage. And, of course, they mainly center around privacy—your data doesn’t leave your home, nobody else can see it, and so on.
Of course, none of these promises turned out to be true. You can stream unencrypted video from a eufy camera if you obtain its serial number, UNIX timestamp, and hex key. The process requires a lot of technical know-how, but nonetheless, it’s a critical vulnerability that could harm customers.
And we still have no idea what eufy thinks about this situation. Public statements from eufy and its parent company, Anker, either ignore or deny that the vulnerability exists. All we know is that, behind the scenes, eufy is quietly scrubbing these ironic promises from its website.
As we stated on December 2nd, eufy’s response to this vulnerability is completely unacceptable. The company should have admitted its mistake and provided some transparency for customers. Instead, it’s spent the last 15 days throwing a temper tantrum.
We’ve reached out to eufy for comment on this story. To be clear, we no longer recommend buying eufy cameras—not because of the vulnerability, but because of eufy’s alarming response. Old Review Geek articles that mention eufy cameras have been edited to reflect our stance.
Source: The Verge