Anker Highlights What Not To Do When Your Crappy Security Standards Are Exposed | Techdirt
(Mis)Uses of Technology
from the bang-up-job,-everybody dept
Wed, Dec 21st 2022 05:32am - Karl Bode
A few weeks ago, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact that the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept user video streams.
The researchers found that an attacker simply needed a device serial number to connect to a unique address at Eufy’s cloud servers using the free VLC Media Player. When approached by The Verge, Anker apparently thought the best approach was to simply lie and insist none of this was possible, despite repeated demonstrations that it was very possible:
When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.
Two weeks later, The Verge circled back around to see if Anker had meaningfully addressed the flaw or answered the news outlet’s questions about how the flaw was possible.
It hadn’t. Instead, the company decided to purge its website of nearly all previous promises related to privacy, such as phrases like “we’re taking every step imaginable to ensure your data remains private, with you,” and “your recorded footage will be kept private. Stored locally. With military-grade encryption. And transmitted to you, and only you.”
So basically Anker’s response to proven allegations of flimsy security was to lie and insist the flaw didn’t exist, then delete any references to its past promises on privacy, now proven false. Just some really inspiring work all around, and fairly representative of the “smart” device space in general.