Anker, the popular maker of device chargers and the Eufy smart camera line, proudly proclaims on its website that user data will be stored locally and “never leaves the safety of your home,” that footage only gets transmitted with “end-to-end” military-grade encryption, and that the company will only send that footage “straight to your phone.”
Yeah, about that.
Security researcher Paul Moore and a hacker named Wasabi have discovered that few if any of those claims are true, and that it’s possible to stream video from a Eufy camera, from across the country, with no encryption at all simply by connecting to a unique address at Eufy’s cloud servers using the free VLC Media Player.
When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.
Except it’s not only possible, it’s been repeatedly proven (though there’s no evidence yet of this having been exploited in the wild and it only works on cameras that are in an awakened state). Users really only need a camera’s serial number, which they can obtain from the box or sometimes guess. An attacker could also exploit and access cameras he donated to Goodwill or other thrift stores.
The discovery comes after a decade of “smart” hardware device makers having a fairly abysmal track record on security and privacy despite websites that routinely claim the opposite. From TVs that fail to encrypt your home conversations to refrigerators that leak your email credentials, the sector is rife with problems that somehow still don’t get the kind of scrutiny they deserve.
Moore claims Anker’s problems go deeper, saying that Eufy had violated numerous additional security promises, including uploading camera thumbnail images (including captured users’ faces) to the cloud without permission and failing to delete stored, private consumer data.
Despite Anker being a China-based company, you won’t hear any of the same national security hyperventilation over these kinds of issues routinely found in this and other Chinese-made “smart” home technologies. Those kinds of freak-outs are, apparently, singularly reserved for social media services like TikTok, and only if such complaints can get you on television.