Eufy, a smart home devices company owned by the Chinese brand Anker Innovations, has responded to some parts of the claims made by security researchers that it uses cloud services. The company had long said it prioritizes “local storage” and does not use cloud storage.
Over the past few weeks, Eufy's cloud policies have come under scrutiny. In late October, a British researcher discovered that phone alerts sent from Eufy were stored on an unencrypted cloud server. The unencrypted data included facial identification data. Another security firm said that two years of research on Eufy security showed similar unencrypted data transfers.
At the time, Eufy acknowledged it uses cloud servers to store thumbnail images, promising it would let customers receiving mobile alerts know about it. However, the company did not address other concerns that were raised by security analysts, including that live camera feeds could be accessed via VLC Media Player, provided someone had the correct URL, whose encryption can be brute-forced.
Earlier this week, the company issued a statement on its forum acknowledging some of the concerns raised by the security analysts. The thread titled “Re: Recent security claims against Eufy Security,” addressed to “Security Customers and Partners,” said that the company is “taking a new approach to home security.”
It said home security is designed to “whenever possible,” operate locally to avoid cloud servers. It added that facial recognition, identity biometrics, and video footage are managed locally on devices, “not the cloud.”
The company went on to claim its security model has “never been attempted, and we expect challenges along the way,” adding that it remains committed to customers. Eufy acknowledged “Several claims have been made” against its security, and the lack of a response has frustrated customers. The statement added that the company wanted to “gather all the facts before publicly addressing these claims.”
Eufy said that it uses Amazon Web Services to forward cloud notifications and that the image is end-to-end encrypted and deleted shortly after. It added that it would better notify customers about that.
Addressing the claim about live camera feeds, Eufy said, “no user data has been exposed, and the potential security flaws discussed online are speculative.” However, it added that it has disabled viewing of live feeds when a user is not logged into a Eufy portal.
Eufy said that the claim that facial recognition data is stored on cloud servers is “not true.” But, it did acknowledge that its Video Doorbell Dual previously used “our secure AWS server,” but the feature has been disabled.
Researcher Paul Moore, who raised concerns about Eufy's security in a November 28 Twitter thread, said: “Thus far, it's safer to use a doorbell which tells you it's stored in the cloud – as the ones honest enough to tell you generally use solid crypto.”
Eufy is yet to address some follow-up questions by The Verge, like why it initially denied remote access to live feeds as possible, what encryption key the company was really using, and its policies on law enforcement requests.