Should you Trust Anker's Eufy Cameras?
Maybe, maybe not, but Anker has not fully answered valid questions.
Anker offers cameras under the Eufy brand. Eufy cameras promise that "all recorded footage is encrypted on-device and sent straight to your phone—and only you have the key to decrypt and watch the footage." In other words, end-to-end encrypted. The company cites ISO27001 and ISO27701 certification from the British Standards Institute for Information Security Management and Privacy Information Management.
So it was surprising when security researcher Paul Moore claimed the cameras stored faces without encryption and streamed video without authentication. Moore's statement was followed by SEC Consult publishing a summary of two years of research showing that thumbnails of recorded Eufy images were transferred to an AWS instance. Eufy responded by saying the thumbnails were restricted by account logins and that the URLs for the thumbnails expired after 24 hours. It clarified to Ars Technica that the thumbnails are only sent off device for mobile push notification purposes and are server-side encrypted. Eufy has updated its setup language to make clear that if a user chooses image-based notifications (which you don't have to; you can choose text only), those images would need to leave the local drive and be briefly hosted in the cloud. OK, that kind of makes sense.
But Moore also claimed he found he could remotely start and monitor Eufy cameras through VLC without authentication or encryption. He said he couldn't release a proof-of-concept, but another security researcher called wasabi had also posted about the problem and worked with the Verge to demonstrate the vulnerability.
The Verge says there were two ways to get the URL you would need in order to monitor a camera. The first way was to log in with a username and password and then follow an undisclosed technique to get the URL that would show a camera's stream. Eufy has since made that technique not work. And you had to be logged in to get it anyway. However, the URL included the camera's serial number in Base64, a Unix timestamp, a token and a four-digit random hex value. It's possible for someone to recreate that URL. They would need to get the serial number of the camera somehow and brute-force the hex value. The Verge said it did not appear that the token was validated, so anything would work there. Thankfully, Eufy serial numbers are long, complex and non-sequential, so not easily guessed. It would probably take some social engineering to get one. The Verge also said it only worked on a camera that was already awake.
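The weakness reported above rests on a token that is never checked and a four-digit hex field with only 65,536 possible values. As an added illustration of the server-side check that closes that gap (not Eufy's code; the field names, key handling, 60-second window and sample serial are all assumptions), the token here is an HMAC over the serial, timestamp and a 128-bit nonce, and anything that fails verification is rejected:

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed server-side secret, never sent to clients
MAX_AGE = 60                          # assumed validity window, in seconds


def guess_space(hex_digits):
    """How many values a random hex field of this length can take."""
    return 16 ** hex_digits


def _mac(sn, ts, nonce):
    # The token covers every other field, so none can be changed independently.
    msg = "|".join((sn, ts, nonce)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue(serial, now=None):
    """Build stream parameters for an authenticated session (hypothetical field names)."""
    ts = str(int(time.time()) if now is None else now)
    sn = base64.urlsafe_b64encode(serial.encode()).decode()
    nonce = secrets.token_hex(16)  # 128 random bits instead of four hex digits
    return {"sn": sn, "ts": ts, "nonce": nonce, "token": _mac(sn, ts, nonce)}


def verify(params, now=None):
    """Accept only a fresh request whose token matches the other fields."""
    now = int(time.time()) if now is None else now
    try:
        sn, ts, nonce = (str(params[k]) for k in ("sn", "ts", "nonce"))
        token = str(params["token"])
        age = now - int(ts)
    except (KeyError, ValueError):
        return False
    if not 0 <= age <= MAX_AGE:
        return False  # expired, or dated in the future
    # Constant-time comparison avoids leaking how much of the token matched.
    return hmac.compare_digest(_mac(sn, ts, nonce).encode(), token.encode())
```
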
Anker denies there is a problem. It told the Verge and Ars Technica that it is not possible to start and monitor a stream and watch live footage from a Eufy camera without a third-party player like VLC. And it told Ars Technica that it disagrees with the accusations and encourages customers to contact customer support if they have concerns. Still, Android Central has removed all its recommendations for Eufy cameras.
What I think