Eufy finally speaks out on privacy and security problems with its cameras

Over the past several weeks, it has come out that Eufy security cameras and video doorbells have some glaring security issues and directly contradict the brand’s marketing claims about privacy. Tonight, the brand has finally publicly acknowledged these issues while still downplaying some key aspects of the story.

In a message posted to its community forums titled “To our eufy Security Customers and Partners,” the Anker brand makes a public acknowledgment of the various issues that have been found over the past several weeks.

First, Eufy reiterates that it uses the cloud, despite originally marketing otherwise, to send push notifications to users on Android and iOS. The company originally marketed its cameras as “local-only,” never disclosing that data would be sent to the cloud in any capacity. As mentioned in this new blog post, the Eufy Security app has since been updated to include that disclosure, and the company has stripped such claims from its website. Eufy explains:

As mentioned earlier, eufy Security is committed to reducing the use of the cloud in our security processes wherever possible. However, some processes today still require us to use our secure AWS server.

For example, in the case of security push notifications – when the user has chosen to include a thumbnail with that security notification – a small preview image of the security event is sent to our secure AWS server and then pushed to the user’s phone. This image is protected through end-to-end encryption and is deleted shortly after the push notification has been sent. This process also complies with all industry standards.

We have updated the eufy Security app with a more detailed explanation of the different push notification options and which options require using our secure AWS server. This will help our users make a more informed decision.

But beyond that, the blog post doesn’t really contain any form of apology or acknowledgment of the bigger issues. Eufy directly says that facial recognition and biometric processes are “completed locally” and “never processed in the cloud,” despite a security researcher finding otherwise.

There’s also no acknowledgment of multiple users and journalists having been able to view livestreams from Eufy cameras in VLC Media Player, which the company continues to deny is possible. As The Verge points out, though, the post does directly say, in bold lettering, that “eufy [Security’s] Live View Feature on its Web-Portal Feature Has a Security Flaw,” which Eufy at no point actually says is false. The post only says that the company will “continue to look for ways to enhance this feature.”

Eufy also acknowledges that this post and responses to questions regarding this whole situation have come far too slowly. The company says that it knows “the need for more straightforward and timely communications on these issues.”

Author

Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.