We live in a connected world, so for the most part, it should come as no surprise that our data is being shared across networks, and some of our personal data is being harvested by companies and apps that we use every day. But when a company promises that it will never store personal data, and it happens to do so, that's a whole other story. It becomes even worse when someone other than the company shares the news, bringing the company's integrity into question.

Unfortunately, Eufy customers were faced with this same nightmare towards the end of November when it was revealed the company was in fact storing images from its cameras on remote servers. Since the explosive report by Paul Moore, a security researcher, multiple outlets have tried getting a hold of Eufy for an explanation. Instead of communicating with the public, the company began updating its website, rewriting and updating some of its privacy policies. This, of course, raised some eyebrows and additional red flags about the company.

A few weeks removed from the incident, Eufy has now issued a statement on the subject, which it posted to its website. The company explains that the things it is doing are unique and since that is the case, there are "expected challenges" that will arise. It acknowledges that there have been several reports about its products and that it has been doing its own research. While the company understands that urgency is key, it needed to get “all the facts” in order to better inform its customers.

"Eufy Security Uses the Cloud to Send Users Mobile Push Notifications"

Eufy states that some of its processes require the use of the cloud, such as push notifications, which include a small thumbnail preview image. The company states that when this action occurs, the data is end-to-end encrypted and that it gets deleted shortly afterward. While this is a reasonable statement, this isn't how the company presented its products initially, which is where the problem lies. Rather than take responsibility for misleading its customers, it goes on to say that this process "complies with all industry standards."

The company has now apparently updated its app, giving users a clearer explanation of how its service works and outlining different kinds of push notifications with local and cloud options. The company will also issue an updated Privacy Statement, which is forthcoming and will be available throughout its website and products. Of course, none of this, at this point, really explains what happened and why. Furthermore, the company doesn't apologize to users who may feel that Eufy's advertising was misleading.

"Eufy Security's Live View Feature on its Web-Portal Feature Has a Security Flaw"

Thankfully, halfway down the post, the company finally has an admission about its products — but doesn't really give any clear details as to why its streams could be accessed without authentication.

First, no user data has been exposed, and the potential security flaws discussed online are speculative. However, we do agree there were some key areas for improvement. So we have made the following changes.

Today, users can still log in to our eufy.com Web portal to view live streams of their cameras. However, users can no longer view live streams (or share active links to these live streams with others) outside of eufy’s secure Web portal. Anyone wishing to view these links must first log in to the eufy.com Web portal.

We will continue to look for ways to enhance this feature.

It's hard to tell just how much of an effect this incident has had on the company. While the news is fairly widespread in the tech community, it's unknown whether this problem has compromised the company's integrity with consumers. Although there are some websites that are suggesting Eufy can't be trusted, there are others that are gladly promoting Eufy products. If one thing is for sure, Eufy is definitely on notice, and there are going to be a lot more people looking for holes in its security going forward.


Source: Eufy

Via: The Verge