Snippet: Anker Finally Comes Clean About Its Eufy Security Cameras ☇

You may recall the story about some very sloppy and possibly malicious practices shared by The Verge in December and linked here. There’s finally somewhat of a resolution to the story, as reported by Sean Hollister:

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

That’s not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it’s bringing in outside security and penetration testing companies to audit Eufy’s practices, is in talks with a “leading and well-known security expert” to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail.

Is some of this deflection and C-Y-A? Did the lawyers give it a once-over? Perhaps, but the company was candid about some measurable changes, which is more than many would do. I’m not fully sold on the resolution, but it’s a step in the right direction.