Anker-owned Eufy is speaking up following last month’s revelations that its supposedly local-only security cameras were using the cloud without properly notifying users.
After weeks of silence, Eufy admitted in a lengthy post on its community forum that it “must be more clear about which of our processes are done locally and which require using our secure AWS server,” and that it must deliver “more straightforward and timely communications” to its users.
“Moving forward, we will need to better balance our need to get ‘all the facts’ with our obligation to keep our customers more quickly informed,” Eufy said.
Eufy also admitted that a “live view” feature on its web portal has a “security flaw,” which it patched by blocking the ability of users to view or share live streams from their Eufy cams without first logging into the Eufy web portal.
The brand denied that the flaw had exposed any user data, while promising to “continue to look for ways to enhance this feature.”
But Eufy didn’t directly address the explosive reports from The Verge and others that they had managed to stream unencrypted video footage from Eufy security cams using the VLC media player, except to note that “potential security flaws discussed online are speculative.”
Meanwhile, Eufy acknowledged that it should be “more clear” about any data that goes to the cloud, specifically when opt-in push notifications to phones send preview images to Eufy’s Amazon-powered web server.
Eufy said those preview images are “protected by end-to-end encryption” and “deleted shortly after” the initial push notification, but that revised language in the Eufy app disclosing the AWS cloud usage “isn’t enough.”
“Moving forward, this will be a significant area of improvement for our marketing and communication teams and will be added to our website, privacy policies, and other marketing materials,” Eufy said in the statement, which ends without a full-on apology.
We’ve reached out to Anker for comment.
The Eufy brouhaha erupted late last month after a security researcher claimed he could access a thumbnail of a video event recording from his Eufy Doorbell Dual, as well as pictures of faces that were recognized in the clip, on Eufy’s AWS servers, even though he had disabled the doorbell’s cloud access.
The Verge verified the researcher’s claims while also revealing that it managed to “stream video from a Eufy camera, from the other side of the country, with no encryption at all.”
Soon after the reports came to light, Eufy quietly altered its Privacy Commitment web page, nixing roughly 10 security promises while clarifying a number of others and adding disclosures about Eufy’s use of AWS cloud storage.