Skip to Content

Anker Eufy Security Controversy – Anker finally responds to unencrypted feeds

Anker Eufy Security Controversy – Anker finally responds to unencrypted feeds

I originally posted about the security concerns with Anker Eufy back on the 15th of December. I delayed posting about it because I was in the middle of reviewing Eufy 4G LTE Starlight Camera, and I had hoped they would fix the issue by the time I wrote about it.

A few days after I made the original post on the 19th of December, Anker provided a basic explanation and said the issue was fixed, and I updated the post below.

More recently, the Verge has got a more detailed answer to the problem. Anker has admitted that it was possible to access unencrypted feeds, but the reply had a certain arrogance to it.

One thing worth noting in the new reply, Anker state: “only 0.1 percent of our current daily users use the secure Web portal feature at eufy.com.” but back in December, they said: “around 1% of our total users access their account via our web portal.”

That's not a lot of users, but it is still a tenfold difference in what they have reported.

As I have highlighted in my original post, I think the biggest issue people have is the way Anker has handled the problem. The damage to their reputation is going to linger. I'm still using the cameras so it obviously doesn't bother me that much.

What has been fixed

  • Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted.
  • Every single Eufy camera will be updated to use WebRTC, which is encrypted by default.
  • Homebase3 and eufyCam3/3C devices released in October 2022 already use WebRTC for end-to-end encrypted communication when using the Web portal to access live streams in a browser.
  • if a user selects to use eufy Security’s optional cloud storage add-on, this operation is end-to-end encrypted.
  • Maintenance of cloud servers complies with the requirements of ISO27701 and ISO27001 standards.

Original Post

I am due to write a review of the Eufy 4G LTE Starlight Camera, and I recently reviewed the superb EufyCam 3C. I started writing the review and had a long section discussing the recent privacy and security concerns that have been revealed about Eufy recently.

I had hoped Eufy would provide a full fix and apology by the time I wrote my review, but at the time of writing, a full explanation or fix has not been provided.

The two mains problems that have arisen appear to be:

  • The thumbnail previews you get need to be uploaded to AWS servers it is possible to access this URLs directly. The main issue with this one is that Eufy has always claimed that nothing is uploaded to any server.
  • More seriously, there have been claims that it is possible to remotely access the live feed of the camera without authentication.

Thumbnail Previews Uploaded to Amazon Servers

Eufy has partially addressed the first problem. They are not stopping the image uploads because it turns out that they need to do this to provide those feature-rich notifications.

Now, when you select the feature-rich notifications, you get warned that this data will get uploaded.

Remote viewing of the camera feed via VLC, likely using RTSP

Anker Eufy RTSP feed - Anker Eufy Security Controversy – Anker finally responds to unencrypted feeds
I have previously written about the RTSP feeds on the Eufy 2C

Originally, Anker appeared to avoid the issues related to the remote viewing of the feeds. The risk of this security flaw being exploited appeared to be quite low but it was still quite concerning.

It has been alleged that you can gain access to an encryption-free camera stream just by knowing the unique address at Eufy's cloud servers.

It is difficult to exploit this because you would need to know the Eufy username and password so that you can log into the website and gain access to the encryption-free stream.

The address of this stream is supposed to be based on camera's serial number encoded in Base64. So, a random hacker is unlikely to guess it.

Even if you know all that information, the stream URL will only work when the camera is activated. I am 90% sure it is just the RTSP feed that you used to be able to set up with cameras like the Anker Eufycam 2C.

That's not exactly ideal, but being able to stream content from security cameras remotely is something that's quite common. You don't even need VLC with Eufy, if you have the username and password (which you'd need to get the stream URL) then you can remotely wake up and view the camera feed.  

Anker has now provided some explanation and confirmed:

Today, around 1% of our total users access their account via our web portal. As per our design, prior to access any information, users have to log into their accounts. The URL links can only be obtained and shared by users themselves and will only be valid temporarily. It will be a personal activity if you obtain your own URL and share it with other people. Even so, we want to assure everyone that we have improved this point – even after users obtain the URL link by logging into their accounts, it cannot be played via a third party player or shared with others to play. Moreover, we’ve closed the port of browser developer mode, to avoid a similar process as Paul Moore demonstrated in his video.

Why is 2FA not enforced for Eufylife?

You can enable 2FA via your account settings, and this is email/SMS. If you have had a Eufy account for a while, there is a good chance you didn't notice or enable it. Unlike the other security brands, Eufy does not force 2FA.

Considering these security issues and the fact it largely requires the person to gain access to either your camera or account, I'd strongly suggest enabling 2FA.

Back in 2019, there was a much-publicised privacy concern with Ring due to the fact it was possible to log into an account and view the stream remotely without any additional authentication. This PR nightmare led to Ring, Arlo and Blink all to quickly implement 2FA. Unfortunately, it seems Eufy missed the memo.

It's all about the dishonesty

The lack of 2FA enforcement is a concern for me, and I suspect Eufy will implement this in the near future.

I am not as worried about the other bits, I doubt they will have any security risk for me. However, the consumers have been rightly pointing out that Eufy has been dishonest with its marketing claims. They stated none of this was possible, nothing ever goes online. This seems to be where a lot of the backlash comes from.

I am not getting rid of my Eufy cameras

Likely apathy on my part, but I am keeping my cameras. I know I shouldn't be this complacent, but in the grand scheme of things, Eufy uploading thumbnails of the postman delivery yet another Amazon package isn't really that bad when compared to all the data mining and privacy invasion we have from Amazon, Google, Apple and others.

Conclusion

I wrote this because I couldn't, in good conscience, review the Eufy 4G LTE Starlight Camera without addressing the problem.

I will reference this post in my future reviews (at least until all the issues are resolved), and it is up to you, the buyer, to decide if it is an issue.

As I said, there have been privacy issues with Ring and by proxy, Arlo, Blink and others. Unless you roll out your own CCTV system and wall it off from the Internet, this is a problem that's always going to raise its head. You need to evaluate the risks vs benefits of these easy-to-implement surveillance solutions.

For me, I have never used indoor cameras, they weird me out, and this just reaffirms that belief.

[Original Post: 15th of December 2022]

[Updated Post: 2nd of February 2023] Added new information confirming the security issues have been fixed.