
Anker finally comes clean about its Eufy security cameras

ian.ict

 

Summary

 From the Verge: Anker admits its always-encrypted cameras weren’t always encrypted — and promises to do better.

 

Quotes

Quote

Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal.

 

The company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default.

 

My thoughts

Anker seems to finally acknowledge the error of their ways and is applying a fix for the issue. There may still be room for improvement on the system, but this is a significant improvement.

 

Sources

https://www.theverge.com/23573362/anker-eufy-security-camera-answers-encryption

 

Edit: Add James saying blackmail is cool.

 


Promises are cheap, actions or GTFO

 

Also, there is a direct contradiction to reports in the end statement:

Quote

First, the purpose of sending a user image from the eufy App to our devices is to give the local facial recognition software a baseline to run its algorithm. All facial recognition processes are and have always been done locally on the user’s device. In the case of our Video Doorbell Dual, a copy of that set-up image was stored using end-to-end encryption on our secure cloud. 

 

5950X/3080Ti primary rig  |  1920X/1070Ti Unraid for dockers  |  200TB TrueNAS w/ 1:1 backup


They promise to do better while still spreading misinformation. They claim the new system is end-to-end encrypted, but then go ahead and update the cameras to use WebRTC instead. While this does allow your phone or browser to connect directly to the camera, it means Eufy/Anker is still authenticating and authorizing your connection. It means the camera inherently trusts them. They can open a connection at any time and the camera will start the feed.

 

How can they claim they cannot access your camera, that your connection is end-to-end encrypted, but then also state in their NEW revised privacy policy that they will give access to law enforcement? That would be impossible if the previous statements were true.

 

That said, WebRTC allows users to connect to their cameras securely without a VPN. A nice feature if people want to accept the privacy risks, but should be OPT-IN and not the only solution to view the cameras.

 

Remember that security and privacy are not the same thing.


13 minutes ago, mradelet said:

that will give access to law enforcement?

only tangentially related, but I really hate this idea that just because consumers finally have the ability to have devices like security cameras of their own, there is some perceived obligation that law enforcement should get a cut of it.

 

I don't give the cops a copy of my key to my house, or my garage door opener, or the keys to my car and if it was presented that way there would be massive backlash.

If your question is answered, mark it so.  | It's probably just coil whine, and it is probably just fine |   LTT Movie Club!

Read the docs. If they don't exist, write them. | Professional Thread Derailer

Desktop: i7-8700K, RTX 2080, 16G 3200Mhz, EndeavourOS(host), win10 (VFIO), Fedora(VFIO)

Server: ryzen 9 5900x, GTX 970, 64G 3200Mhz, Unraid.

 


1 hour ago, Takumidesh said:

only tangentially related, but I really hate this idea that just because consumers finally have the ability to have devices like security cameras of their own, there is some perceived obligation that law enforcement should get a cut of it.

 

I don't give the cops a copy of my key to my house, or my garage door opener, or the keys to my car and if it was presented that way there would be massive backlash.

You do when you're presented with a warrant. This is no different than what is being described, or how the majority of online services handle things.

"9. Does eufy share video recordings with third parties, such as law enforcement?

 

When using local storage, eufy Security has no access to our users' video recordings.
If users select our optional cloud storage add-on, eufy Security never shares our user's video content without the user's written consent, or when necessary to comply with a valid legal order."


5 minutes ago, divito said:

You do when you're presented with a warrant.

Not exactly. The police have to make an effort to enter your home.

They do not get the key to your house, you either let them in, or they come in with force.

 

While they still get in in the end, the critical difference is the barrier to entry: they have to justify the whole process and put the effort in to do it.

 

Additionally, if the police want my camera footage, they need to crack the encryption themselves. Warrant or not, they may have the right to attempt to crack it, but they don't have the keys to the castle.


28 minutes ago, divito said:

You do when you're presented with a warrant. This is no different than what is being described, or how the majority of online services handle things.

"9. Does eufy share video recordings with third parties, such as law enforcement?

 

When using local storage, eufy Security has no access to our users' video recordings.
If users select our optional cloud storage add-on, eufy Security never shares our user's video content without the user's written consent, or when necessary to comply with a valid legal order."

Sure, but Eufy should not be able to fulfill the request. Similar to how a password manager cannot give away your passwords even with a warrant because they cannot access the data at all. In this case, Eufy is claiming your video is end-to-end encrypted, yet somehow can fulfill these requests to law enforcement. It should be impossible.


5 minutes ago, mradelet said:

Sure, but Eufy should not be able to fulfill the request. Similar to how a password manager cannot give away your passwords even with a warrant because they cannot access the data at all.

Also similar to how I am (in the United States at least) constitutionally protected from giving up the goose when it comes to information in my head. I cannot be compelled to decrypt a video file. (Biometrics become iffy, but for passwords at least it's pretty well established.)


54 minutes ago, mradelet said:

Sure, but Eufy should not be able to fulfill the request.

That's your opinion of how they should run. Not all online services encrypt user data.

 

56 minutes ago, mradelet said:

In this case, Eufy is claiming your video is end-to-end encrypted, yet somehow can fulfill these requests to law enforcement. It should be impossible.

They don't specifically say what they would provide law enforcement. Either their implementation considers them as the receiver, which gives them the ability to decrypt whatever is backed up to their cloud service. Or perhaps they only mean they're supplying the metadata to law enforcement.

Multiple companies have lied about end-to-end encryption in the past. Whether they simply don't do it, or have compromised endpoints, or they decrypt and re-encrypt en route to where it's going, end-to-end encryption is not some be-all and end-all.


3 hours ago, mradelet said:

How can they claim they cannot access your camera, that your connection is end-to-end encrypted, but then also state in their NEW revised privacy policy that will give access to law enforcement? That would be impossible if the previous statements were true.

Privacy policy does not equal ability to do something though.

 

Signal has language that they can hand over information on police request... that doesn't mean Signal can read your messages. Haven't read the policy as well, but it could be worded in a way that they can help identify the owner (in the event the police need to contact you to get the footage).

 

With that said, I'm not buying Anker's statements here, given that they have had other people view live feeds in the app...that means if they wanted to they could do it as well.  They have backtracked on their statements too often to be trusted with the statements they are saying now.

 

The bit that I'm curious of though is the "ZXSecurity17Cam@" answer. For myself it seems like a "let's phrase it in a way so we can deflect it later as a misunderstanding", as the claim was that it's used for encryption on the locally stored data... but the way they phrased it, it seems like they are talking about live streams.

 

20 minutes ago, divito said:

Multiple companies have lied about end-to-end encryption in the past

The whole thing is that the definition of E2EE really is too broad in the sense of how Anker could be using it.

 

Strictly speaking, they could establish the connection between the two devices to do the E2EE...but nothing prevents them from establishing a connection with their own device either.  So technically it could be E2EE, but it falls flat in terms of what people expect when they hear E2EE.

 

I suspect they can still access your video if they wanted to, just not able to legally access the cameras.

3735928559 - Beware of the dead beef


1 hour ago, divito said:

That's your opinion of how they should run. Not all online services encrypt user data.

Maybe I worded it incorrectly, but it's not an opinion. They cannot share something they do not have access to. The policy directly states they CAN share "video content" (not metadata) with law enforcement, which means they have the keys. That is not "end-to-end" encryption at all.

 

Compare that to a password manager like 1Password that states "we can't share your data even if we wanted to"

Link to comment
Share on other sites

Link to post
Share on other sites

4 minutes ago, mradelet said:

Maybe I worded it incorrectly, but it's not an opinion. They cannot share something they do not have access to. The policy directly states they CAN share "video content" (not metadata) with law enforcement, which means they have the keys. That is not "end-to-end" encryption at all.

 

Compare that to a password manager like 1Password that states "we can't share your data even if we wanted to"

There is a difference though in terms of having a policy in place that would "allow" them to do it vs actually being able to do it.

 

It's all going to come down to how pedantic one wants to be in regards to what e2ee is.  Strictly speaking they can let you establish an e2ee with the app and your camera system, which at that point yes it would very much be e2ee in that they can't eavesdrop on that particular traffic.  Where things get really murky though is that in theory they could just establish a connection between themselves and the camera system.  The fact they can do that though doesn't make it not e2ee...but at the same time, it's a massive red flag (and again, we know that they can given they had a server config issue that caused it to happen before to random users)


1 hour ago, wanderingfool2 said:

It's all going to come down to how pedantic one wants to be in regards to what e2ee is.  Strictly speaking they can let you establish an e2ee with the app and your camera system, which at that point yes it would very much be e2ee in that they can't eavesdrop on that particular traffic.  Where things get really murky though is that in theory they could just establish a connection between themselves and the camera system.  The fact they can do that though doesn't make it not e2ee...but at the same time, it's a massive red flag (and again, we know that they can given they had a server config issue that caused it to happen before to random users)

Not sure where you get your definition, but I can't find any that are any different from wikipedia:

Quote

End-to-end encryption (E2EE) is a security method that keeps your chats and messages secure. The end-to-end encryption system of communication where only the users communicating can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, malicious actors, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation

Key point being that even the provider of your service can't access the content. E2EE means the keys are generated by your device and sent across securely to the other device. If your service provider attempts to create new keys, the old one becomes invalid and you would immediately know.

 

Anyway, that's all I have to say about this. I don't think us arguing about internet definitions is going to remove or assign blame to Eufy who started all this.


4 hours ago, mradelet said:

Not sure where you get your definition, but I can't find any that are any different from wikipedia:

Quote

End-to-end encryption (E2EE) is a security method that keeps your chats and messages secure. The end-to-end encryption system of communication where only the users communicating can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, malicious actors, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation

Key point being that even the provider of your service can't access the content. E2EE means the keys are generated by your device and sent across securely to the other device. If your service provider attempts to create new keys, the old one becomes invalid and you would immediately know.

That is the rough definition I was going by, and Eufy technically meets those requirements.

 

What I'm saying is that E2EE doesn't automatically mean security. You have to trust the provider that's doing the key exchange, which in this case is Eufy. What E2EE does is allow you to enter into P2P connections without the risk of ISPs snooping. A good way for Eufy to have implemented E2EE (which they didn't) would be using the user account password to encrypt the key exchange.

 

What I'm getting at though is that Eufy could still claim successfully they use E2EE...the issue is that they still have a way of accessing.

 

e.g. A phone contacts Eufy servers, which then establish a connection with the NVR. Let's say hypothetically they are using an RSA style of key exchange (simplified). The phone gets the NVR public key from the Eufy server and the Eufy server establishes a connection with the NVR to then initiate a P2P connection between the phone and NVR. The phone sends its public key (encrypted with the NVR public key) to the NVR.

 

Notice how in this example it truly is E2EE. Since the communication between the Eufy server and clients was encrypted (using standard web security), the public key transmitted to the phone couldn't have been tampered with (except by Eufy, but the next bit with P2P defeats that). The phone sending its public key to the NVR using the NVR public key, but through a P2P connection, now ensures that Eufy couldn't have tampered with the public key.

 

So yes, it very much is E2EE that is happening and you can't claim that Eufy doesn't use E2EE by a policy.

 

Now the bit where it gets dicey though is that Eufy can tell the NVR to establish a connection with any device (as was seen when their server malfunctioned).  This means that while connections are secured with E2EE they can still bypass the authentication to establish their own connection.

 


Why'd it have to be Anker... they've been cool for so long. This is just depressing.

I'm usually as lost as you are


21 hours ago, Takumidesh said:

but for passwords at least it's pretty well established)

It's not. Court decisions have varied, and there's a push for the Supreme Court to weigh in because it's anything but well-established.

 

17 hours ago, mradelet said:

Not sure where you get your definition, but I can't find any that are any different from wikipedia:

Key point being that even the provider of your service can't access the content. E2EE means the keys are generated by your device and sent across securely to the other device. If your service provider attempts to create new keys, the old one becomes invalid and you would immediately know.

 

Anyway, that's all I have to say about this. I don't think us arguing about internet definitions is going to remove or assign blame to Eufy who started all this.

The difference is in E2EE vs zero-knowledge, which are in fact different despite the fact they're often used interchangeably.


6 minutes ago, vertigo220 said:

It's not. Court decisions have varied, and there's a push for the Supreme Court to weigh in because it's anything but well-established.

Well there is one absolutely crucial difference in that, physically, they cannot make it happen.

And while court rulings may differ on a state level, the obvious ethical response to it is clear: it is an obvious 5th Amendment violation (again, in the US) to be compelled to generate a document (such as encryption keys).

https://law.stackexchange.com/q/1523 (for some further analysis on cases)

 

The concept hasn't been challenged in the Supreme Court yet, but there is more supporting precedent for Fifth Amendment protections than not.

The most commonly referenced detractor is In re Boucher, which has a very particular quirk in that the court had determined that there was sufficient evidence (the agent's testimony). Effectively they already had possession of the decrypted computer and it was only powered down later, losing access.

The judge held that it was a foregone conclusion that the content exists since it had already been seen by the customs agents; Boucher's encryption password "adds little or nothing to the sum total of the Government's information about the existence and location of files that may contain incriminating information."

 

However, even in that case, he was compelled to present the data, not the key. If the data is unknown (e.g. with camera footage that has not been previously given to the police), this is an important detail, because the data cannot be compelled if the court does not know about its existence.

 

But in general yes, there hasn't been a supreme court ruling on it (like that even matters with the modern supreme court 😕 )

 

 

 


20 minutes ago, Takumidesh said:

Well there is one absolutely crucial difference in that, physically, they cannot make it happen.

No, but if ordered by a court and you refuse, they can hold you in contempt and, IIRC, you can sit in jail for months/years just based on that, basically until you agree to unlock it. Can't remember where, but pretty sure I read something recently about that happening. So the problem with this is you just never know, as it's going to be up to the courts in the jurisdiction in which you're arrested and/or your device(s) is/are seized.

 

And I'm definitely not a lawyer, so I don't understand all the legalese and reasoning behind some decisions, but from what I gather, they argue that for one reason or another it simply doesn't fall under the 5th Amendment protections. Basically, shifting things so that doesn't apply anymore. I can't say one way or another since I haven't taken the time to analyze and try to understand those various decisions, but given how the US "justice system" works, it wouldn't surprise me at all if these arguments are complete BS as a means to circumvent people's rights, as opposed to truly reasonable and valid arguments. I mean, just look at the F..b..l's complete disregard for the laws they're supposed to enforce, and the N--$__@ repeatedly lying about spying on American citizens, and the constant corruption in the F l $ @ courts (and yes, I wrote them the way I did to avoid flagging, call me paranoid). The government, the justice system being a component of that, only care about power and enforcing the law, even if that means breaking it themselves and trampling people's rights. 


5 minutes ago, vertigo220 said:

you can sit in jail for months/years just based on that,

depending on the crime that may be the better option >.>


13 hours ago, wanderingfool2 said:

What I'm saying is that E2EE doesn't automatically mean security. You have to trust the provider that's doing the key exchange, which in this case is Eufy. What E2EE does is allow you to enter into P2P connections without the risk of ISPs snooping. A good way for Eufy to have implemented E2EE (which they didn't) would be using the user account password to encrypt the key exchange. ....

THIS.  This this this so much this.  When you are using a service, an app, that connects to other servers you have to somewhat trust the service to not read your information.  Unless you audit the source code for the app and compile it yourself, and audit the servers or can audit them in a way that allows you to verify that trust you can't trust it.  

Apps, or cameras like this or anything are encrypted against any Tonya Dick or Harry ... they are not protected against eavesdropping by well funded groups or state actors.  In that case you have to ask do you have anything such a well funded or state level actor would want? 

13 hours ago, wanderingfool2 said:

...

Agree with all of this. 

 

The moral of this story is if you want true security with these sort of cameras you need to have the hardware to host the servers locally, and run open source software that you audit on the servers.   If you want messaging that is secure likewise open source and audited for backdoors.  Better yet go old school.  There is one and only one perfectly secret way to communicate. 
 

 

 

The problem with it is that you can only use the code key to send one message.  Then NEVER use it again and NEVER use the same code key/page on the pad twice.   That is terrible for internet security since there would be no secure way to exchange the codebook/pad/pages in the first place electronically.  So one would need to use some more typical public key encryption just once to exchange these secrets.    

Clearly though if you are in need of that much secrecy you are literally James Bond and should have some better methods than this.   I'm sure most people don't have secrets that dire. 


7 minutes ago, vertigo220 said:

the N--$__@ repeatedly lying about spying on American citizens

I'll admit I had to read that one a couple of times.    Thought that was something else...

7 minutes ago, vertigo220 said:

, and the constant corruption in the F l $ @ courts (and yes, I wrote them the way I did to avoid flagging, call me paranoid). The government, the justice system being a component of that, only care about power and enforcing the law, even if that means breaking it themselves and trampling people's rights. 

Don't worry I'll mention Tor, Tails, Whonix and Qubes.  I am sure the NSA both knows and uses them, or things like them for security and also monitors everyone who does mention them on the clearnet.  

There is good reason to be wary of anything that is marketed as being secure enough to keep your info away from state actors. Any such product will become a target for those very same actors.

https://www.androidpolice.com/2021/07/08/watch-out-for-these-fbi-honeypot-phones-if-you-like-to-do-crimes/

 

 

Quote

Vice got their hands on one of these "Anom" phones, presumably one of the ones that wasn't caught up in the international arrest stings earlier this year. They purchased it from a user who'd bought the phone secondhand online, only to do a little digging and be slightly terrified when they realized they were in possession of a device specifically designed to ensnare and capture criminals. Vice contacted the buyer, bought the phone, and poked around to satiate the curiosity of nosy normals.

Which in a lot of places means you told a joke about the president. 


5 minutes ago, Takumidesh said:

depending on the crime that may be the better option >.>

Possibly. It depends on just how long they can hold you, which I'm not sure about. If they can hold you for the same duration as a guilty finding, then not really. But I have no idea on this. Also, you may be completely innocent of the crime they're accusing you of, but have something else to hide, so you could end up sitting in jail for a crime you didn't commit in order to prevent them from going on a fishing expedition that may end up incriminating you for something else. Or not even a crime, but just info you'd rather not be public. Ultimately, people need to stop passing the buck and refusing to do their jobs so we can have a final say on this. Either the supreme court needs to stop passing on cases that really need to be heard, or Congress needs to legislate and put an end to the indecision.

 

8 minutes ago, Uttamattamakin said:

Don't worry I'll mention Tor, Tails, Whonix and Qubes.  I am sure the NSA both knows and uses them, or things like them for security and also monitors everyone who does mention them on the clearnet.

NSA joins the discussion


22 minutes ago, Uttamattamakin said:

THIS.  This this this so much this.  When you are using a service, an app, that connects to other servers you have to somewhat trust the service to not read your information.  Unless you audit the source code for the app and compile it yourself, and audit the servers or can audit them in a way that allows you to verify that trust you can't trust it.  

Apps, or cameras like this or anything are encrypted against any Tonya Dick or Harry ... they are not protected against eavesdropping by well funded groups or state actors.  In that case you have to ask do you have anything such a well funded or state level actor would want? 

 

Agree with all of this. 

 

The moral of this story is if you want true security with these sort of cameras you need to have the hardware to host the servers locally, and run open source software that you audit on the servers.   If you want messaging that is secure likewise open source and audited for backdoors.  Better yet go old school.  There is one and only one perfectly secret way to communicate. 

For a security camera you actually wouldn't need to do a full self hosting option, and you don't need to necessarily have an audit of the external servers as well.  I mean everything is talking about the risk factors.

 

The key about security cameras is that they have the opportunity to completely bypass the MITM type of attack, as both devices can know a shared secret (without companies like Eufy or ISPs being able to tell). It's the password to your account, or some other password that is never sent to the servers (just used to encrypt). The simple act of doing that would mean Eufy wouldn't be able to have a server error that allowed access to other people's cameras, because the connection would be easily rejected.

 

At that stage really all you would need to know is what type of encryption they used (like AES 256). While it wouldn't "guarantee" that the app couldn't be compromised, that is less of an issue in that people would look to see what was being sent. The risk factors really wouldn't be there. What is wrong with the way Eufy is doing things is that they have allowed connections to be established without the "master password", so to speak.

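The two designs wanderingfool2 sketches above (the relay-server-mediated key exchange in which the server can still tell the NVR to connect to any device, and the password-bound variant in which the NVR rejects such a request), worked through as an added example that is not part of the thread and not Eufy's software. The class names, message layout and the constructed salt are assumptions; finite-field DH over the RFC 3526 1536-bit group stands in for whatever exchange a real product uses, purely to keep the example dependency-free.

```python
"""Two ways a camera (NVR) can be told to start an E2EE session, modelling the
thread's discussion (added example, not Eufy's code).
Design A: the NVR trusts any 'connect to this peer' instruction from the relay
server, so the server can also point the NVR at a device the server controls.
Design B: app and NVR derive an auth key from the account password, which the
server never sees; a request must carry an HMAC under it, so the server's own
request is rejected while the app's still succeeds.
"""
import hashlib
import hmac
import secrets

# RFC 3526 1536-bit MODP group (group 5), generator 2. Finite-field DH keeps
# this stdlib-only; a real product would use X25519 from a vetted library.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:          # reject degenerate public values
        raise ValueError("bad DH public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")).digest()


def password_auth_key(password, salt):
    # Derived independently on app and NVR; the password never leaves them.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def request_tag(auth_key, nonce, peer_pub):
    msg = nonce + peer_pub.to_bytes(P_BYTES, "big")
    return hmac.new(auth_key, msg, "sha256").digest()


class NVR:
    def __init__(self, auth_key=None):
        self.priv, self.pub = dh_keypair()
        self.auth_key = auth_key  # None -> Design A: trust the relay server

    def open_session(self, peer_pub, nonce=None, tag=None):
        """Handle a 'connect to this peer' request forwarded by the server."""
        if self.auth_key is not None:
            # A replayed app tag does not help the server: without the app's DH
            # private key it still cannot compute the resulting session key.
            expected = request_tag(self.auth_key, nonce or b"", peer_pub)
            if tag is None or not hmac.compare_digest(expected, tag):
                return None
        return dh_shared(self.priv, peer_pub)


class App:
    def __init__(self, auth_key=None):
        self.priv, self.pub = dh_keypair()
        self.auth_key = auth_key

    def connect_request(self):
        if self.auth_key is None:
            return {"peer_pub": self.pub}
        nonce = secrets.token_bytes(16)
        return {"peer_pub": self.pub, "nonce": nonce,
                "tag": request_tag(self.auth_key, nonce, self.pub)}


class RelayServer:
    """Distributes the NVR's public key and forwards requests; holds no password."""
    def __init__(self, nvr):
        self.nvr = nvr

    def forward(self, req):
        return self.nvr.open_session(req["peer_pub"], req.get("nonce"), req.get("tag"))

    def connect_own_device(self):
        """The 'server tells the NVR to talk to any device' case from the thread."""
        priv, pub = dh_keypair()
        nvr_key = self.nvr.open_session(pub)   # no nonce/tag: server has no auth key
        return None if nvr_key is None else dh_shared(priv, self.nvr.pub)


def run_design(nvr_password=None, app_password=None):
    """Both None -> Design A; otherwise Design B with each side's own password."""
    salt = b"constructed-per-account-salt"    # constructed sample value
    nvr = NVR(None if nvr_password is None else password_auth_key(nvr_password, salt))
    app = App(None if app_password is None else password_auth_key(app_password, salt))
    server = RelayServer(nvr)
    nvr_side = server.forward(app.connect_request())
    app_side = dh_shared(app.priv, nvr.pub)   # NVR public key obtained via the server
    return {"app_session_ok": nvr_side is not None and nvr_side == app_side,
            "server_device_accepted": server.connect_own_device() is not None}
```

`run_design()` reproduces Design A (the app's session is E2EE and the server's own device is accepted too), while `run_design("pw", "pw")` shows Design B rejecting the server-initiated session and a wrong app password.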
