Yoffe Yoffe has gone public with some parts of the ‘No Clouds’ controversy.

Eufy, the Anker brand that positions its security cameras as prioritizing “local storage” and “cloudless,” issued a statement In response to recent findings by security researchers and tech news sites. Eufy acknowledges it could do better but also leaves some issues unaddressed.

In a thread titled “Re: Re: recent security claims against eufy Security,” eufy_official writes to “Security Cutomers and Partners.” Eufy “takes a fresh approach to home security,” the company writes, and is designed to operate on premises and “where possible” to avoid cloud servers. Video capture, facial recognition, and identity biometrics are all managed on devices — “not the cloud.”

This recurrence comes after questions have been raised several times in the past weeks about Eufy’s cloud policies. A British security researcher discovered in late October that phone alerts sent from Eufy were Stored on a cloud server, and apparently unencrypted, with facial identification data included. Another company summed up the time quickly 2 years results on Eufy Securityindicating similar unencrypted file transfers.

At the time, Eufy acknowledged using cloud servers to store thumbnails, and that it would improve its setup language so customers who wanted mobile alerts would know that. The company did not address other claims from security analysts, including that live video streams could be accessed through VLC Media Player with the correct URL, whose encryption scheme was likely coercive.

A day later, technology site The Verge, working with a researcher, confirmed that a user who is not logged into an Eufy account can watch the camera stream, Given the correct URL. Getting this URL requires a serial number (encoded in Base64), a Unix timestamp, an apparently unvalidated token, and a four-digit hexadecimal value.

Eufy said afterwards that it “strongly disagrees with the accusations made against the company regarding the security of our products”. Last week, The Verge reported that The company has significantly changed many of its statements and “Promises” from its Privacy Policy page. ioffe statement in its forums arrived last night.

Eufy has stated that its security model is “never tried, and we expect challenges along the way”, but it remains committed to customers. The company acknowledges that “several allegations have been made” against its security, and the need for a response has frustrated customers. But the company wrote that it wanted to “gather all the facts before addressing these allegations publicly.”

Responses to these allegations include Eufy stating that it uses Amazon Web Services to redirect cloud notifications. The image was end-to-end encrypted and deleted shortly after it was sent, Eufy explains, but the company intends to better notify users and adjust its marketing.

Regarding watching the live stream, Eufy claims that “no user data was exposed, and the potential security flaws discussed online are purely speculative.” But Eufy adds that it has disabled viewing live broadcasts when not logged into the Eufy portal.

Eufy says the claim that it sends facial recognition data to the cloud is “incorrect”. All identity operations are handled on local machines, and users add known faces to their machines through a local network or encrypted peer-to-peer connections, Eufy claims. But Eufy notes that the Video Doorbell Dual previously used an “AWS secure server” to share that image with other cameras on the Eufy system; This feature has since been disabled.

The Verge, which has not received answers to further questions about Eufy’s security practices following its findings, He has some follow up questions, and they are noteworthy. They include why the company denies that the broadcast can be viewed remotely in the first place, the policies of the law enforcement request and whether the company really uses “ZXSecurity17Cam@” as an encryption key.

Researcher Paul Moore, who raised some of the early questions about Eufy’s practices, has not commented directly on Eufy since Posted on Twitter Nov 28 that he had a “lengthy discussion with the legal department (Eufy)”. Meanwhile, Moore investigated and found “domestic only” video doorbell systems significantly not local. Even one of them It appears to copy Eufy’s privacy policyword by word.

“By far, it’s much safer to use a doorbell that tells you it’s stored in the cloud — people honest enough to tell you generally use strong encryption,” Moore wrote about his efforts. Some of Eufy’s more ardent, privacy-minded customers might find themselves agreeing.

Listing image by Eufy