Disappointing to see this from Anker. Hopefully in the future Anker does better.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Anker Admits Eufy Cameras Did Not Offer End-to-End Encryption as Promised, Pledges to Do Better
- Thread starter MacRumors
- Start date
- Sort by reaction score
You forgot the /s.
It was a very long and uncomfortable silence before they finally decided to publicly acknowledge this.
I am glad you mentioned this, only way it will be fixed/improved is by pointing out these issues. I will bet you $5 that next 3 years Apple has these issues ironed out (assuming people like you log proper reports to let them know, which Im sure some do). Home kit is very much a long play, Apple is thinking 10-20 years into the future, one day it will be great, you are currently the guinea pig. My opinion anyways.
While true, it does not excuse the poor workmanship and ethics that is way to common these days.
"Its not my fault, I didnt know" - says person who should've known.
I was pretty upset about this for a while. But 1) I’m too far in with a ton of eufy devices, and 2) it’s likely that nearly all home security has an extent of privacy risk.
But I will no longer have their cameras in my home.
But I will no longer have their cameras in my home.
Annoyingly it doesn't work with their 4K cameras which I upgraded to, would be nice for Apple to allow camera resolutions over 1080p for a start. HomeKit works very well but it's lagging behind 3rd party apps in terms of features.
You have to be damaged to sue. Or rather, you have to articulate alleged damages. If a user or group of users can show that their video stream was intercepted and viewed by an unauthorized person as a result of Anker's actions, AND show that such unauthorized use harmed them (e.g. physical, financial, emotional harm), then they could bring a suit (or class action) and sue for damages. I doubt there would be enough individuals in that category (if there are any at all) to certify a class.
That’s obviously incorrect. If they claim something about their product and it’s knowingly incorrect, then it’s false advertising.
You don’t have to wait for a car accident to sue a manufacturer for selling you a car with fake brakes.
I hope you’re right and yes, I do report these things through apple.com/feedback.
The whole thing seems a little blown up, to me. Did anyone read this part?
It doesn’t seem like something that can be exploited automatically.
That doesn’t seem to make sense, in light of the above.
I have a decent knowledge of software security and at first, I thought the same: “yeah it’s not great security but it’s still an incredibly long string to guess the URL so it’s not like you just tack on the user ID and theres the feed. There would be substantial brute-force required to guess these strings and I’d hope Eufy would have implemented some sort of IP-banning based on a few bad guesses.”
Then I read more and found out they were not randomizing the URLs properly and using a re-creatable algorithm with the same salt for every user. In fact it might have even been reversible. At that point it’s no longer “amateur security”, it’s “no security at all.”
Unfortunately those people in need of extra privacy are buying these products instead of Google spyware, like lawyers, activists, or journalists. So even a small user base being affected and targeted is a huge deal.
I think you’ve missed the point. You didn’t have to use the subscription service to access the feeds. You only had to work out their algorithm for generating the URLs and the salt - the salt which became public because they had it written in plain text somewhere AND it was used for all URLs.
I’m not sure if anyone actually reverse-engineered the algorithm yet but it’s certainly possible. Knowing how lazy Eufy are, it was probably not much more than md5.
Not really, I use Eufy and have no problem doing so, or I can use Google, or Ring, or Apple, and so on, each one has security concerns that have been publicly reported on, including Apple. Only with Eufy it’s all local, storied locally, a thumbnail of a car sent to the cloud so it can be punched to your phone doesn’t really breach security…
Im actually thinking of upgrading to their latest new AI system, again all done locally.
Yes that was bad, but as most people don’t use their subscription service it didn’t affect a huge number, most people use Eufy or others due to the local storage. Was it bad, yes, does it deserve the tsunami of Western culture playing the blame game on them? No.
With my example of Apple, all you needed to do was own an Apple product and have Siri enabled, nothing more. Big difference IMO.
Last edited:
Exactly, it’s a hole that you had to actively search for to find and then do some work to exploit! It’s not like any Joe Bloggs could go onto their website put a serial number in and gain access to video feeds. As it was being made out to be in the media.
Last edited:
Homekit is a product criminally overlooked by Apple.
The West seems to have a huge problem, we have had endless products made in China for years, because it’s cheap and employee rights are generally ignored which allows for more profit, now, all of a sudden, the West is accusing China of spying on you literally from every product they make, cables to fridges, TV’s to watches, it’s ludicrous.
If greed wasn’t something the West chases daily, there wouldn’t be any issues. People say buy something else, ok, what isn’t made in China that costs the equivalent? And has the same features, and can promise reliability and security on all aspects?
There's a couple of differences. Most notably, Siri isn't 24-hour surveillance. Most of the time, it's an actual command given to Siri. The chance that an unintentional activation contains something sensitive is way lower than a stranger being able to wait for something sensitive. And then, it's accessible to employees of some company, which presumably doesn't make it easy for employees to keep or share these recordings, let alone simply posting a link for everyone to "enjoy". And finally, video is not audio. A few seconds of an audio recording of you having sex cannot do remotely as much harm as a long video of the same act.
But most of all, Apple never promised that Siri was local, never implemented a fake privacy switch that didn't work, nor incompetently failed to protect your data from the entire internet.
What Apple did was bad. They should have been transparent about the manual data processing. And even though other companies certainly do the same, they deserve all the negativity they got, because they're being held to a high standard, as they should given their privacy-focused marketing.
But what Anker did, through either malice or incompetence, should pretty much rule them out for anything other than charges and cables (which are pretty great, TBH).