Anker Highlights What Not To Do When Your Crappy Security Standards Are Exposed
from the bang-up-job,-everybody dept
A few weeks ago, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept user video streams.
The researchers found that an attacker simply needed a device serial number to connect to a unique address at Eufy’s cloud servers using the free VLC Media Player. When approached by The Verge, Anker apparently thought the best approach was to simply lie and insist none of this was possible, despite repeated demonstrations that it was very possible:
When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.
Two weeks later, The Verge circled back around to see if Anker had meaningfully addressed the flaw or answered the news outlet’s questions about how the flaw was possible.
It hadn’t. Instead, the company decided to purge its website of nearly all previous promises related to privacy, such as phrases like “we’re taking every step imaginable to ensure your data remains private, with you,” and “your recorded footage will be kept private. Stored locally. With military-grade encryption. And transmitted to you, and only you.”
So basically Anker’s response to proven allegations of flimsy security was to lie and insist the flaw didn’t exist, then delete any references to its past promises on privacy, now proven false. Just some really inspiring work all around, and fairly representative of the “smart” device space in general.
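The gap between what Anker advertised and what the researchers found comes down to where the encryption boundary sits. Transport encryption (HTTPS between device, cloud and app) protects bytes in flight, but the cloud relay still holds readable video, so a weak access check on the relay (here, knowing a serial number) exposes the stream. End-to-end encryption means the relay only ever holds ciphertext, so a relay-side access-control mistake leaks nothing watchable. The Go program below is an added illustration of that distinction, written for this page; it is not Eufy's or Anker's code and makes no claim about their actual architecture. It assumes a per-device AES-256 key provisioned out of band to the camera and the owner's app only, a constructed placeholder serial, and a deliberately permissive in-memory relay that, like the one described above, hands frames to anyone presenting the serial.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Relay models the cloud component: it indexes stored frames by device
// serial and, mirroring the weakness reported above, returns a frame to
// anyone who presents that serial. With end-to-end encryption this must
// not matter, because the relay only ever holds ciphertext.
type Relay struct {
	frames map[string][]byte
}

func NewRelay() *Relay { return &Relay{frames: make(map[string][]byte)} }

func (r *Relay) Upload(serial string, blob []byte) { r.frames[serial] = blob }

func (r *Relay) Fetch(serial string) ([]byte, bool) {
	blob, ok := r.frames[serial]
	return blob, ok
}

// EncryptFrame seals one video frame on the camera with AES-256-GCM under a
// key that exists only on the camera and in the owner's app. The serial is
// bound in as associated data so a blob cannot be replayed under another
// device's identity. Output layout: nonce || ciphertext+tag.
func EncryptFrame(key []byte, serial string, frame []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, frame, []byte(serial)), nil
}

// DecryptFrame is what the owner's app runs. Anyone holding only the serial
// (the relay operator included) gets an authentication error here.
func DecryptFrame(key []byte, serial string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(serial))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	const serial = "SN-EXAMPLE-0001" // constructed placeholder, not a real serial
	key := make([]byte, 32)         // assumed provisioned to camera and owner app only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	frame := []byte("constructed frame bytes 0001") // stands in for a video frame

	relay := NewRelay()
	blob, _ := EncryptFrame(key, serial, frame)
	relay.Upload(serial, blob)

	// Someone who learned the serial asks the relay for the stream...
	got, _ := relay.Fetch(serial)
	fmt.Printf("relay returns %d bytes, none of it readable video\n", len(got))
	// ...but without the key the frame cannot be opened.
	if _, err := DecryptFrame(make([]byte, 32), serial, got); err != nil {
		fmt.Println("serial-only requester:", err)
	}
	// The owner's app, holding the key, decrypts normally.
	plain, err := DecryptFrame(key, serial, got)
	fmt.Println("owner:", string(plain), err)
}
```

The contrast with the advertised-but-absent design is the `Relay`: it is intentionally as weak as the one described in the article, yet a watcher with only the serial gets an authentication failure rather than footage. The remaining risk moves to key management (how the key reaches the owner's app and nowhere else), which is the part a vendor claiming "end-to-end" has to get right.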
Filed Under: cameras, consumers, encryption, privacy, security
Companies: anker
Comments on “Anker Highlights What Not To Do When Your Crappy Security Standards Are Exposed”
Anker? Obviously they need a W in front of their name…
Re:
Do you mean the Pulitzer Prize-winning journalist Wayne Kerr, who is not hesitant to report on the hard issues?
Good journalism has not gone away. We need more journalists like Wayne Kerr.
mmm… I love the smell of product-fraud lawsuits in the morning!
'I said stop looking behind the curtain!'
If they were looking for less attention, I struggle to think of a worse way to do that than desperately trying to bury any promises of how secure their product is shortly after it was exposed as being so trivial to exploit.
As it stands, I’m thinking this is going to end up being a case of ‘the coverup is worse than the crime’, as if they’d just admitted that their product wasn’t as secure as advertised but made clear by word and deed that they were going to do what they could to fix it, people likely would have been understanding and willing to give them the benefit of the doubt. By doubling down and going from outright denials to whitewashing their own statements, they just leave people with the impression that they cannot be trusted and will brush problems under the rug rather than fix them.
Re:
Case in point. I use Anker chargers extensively as a brand I could rely upon to provide what is advertised. I’m not buying Anker in the future, because I can’t trust the product to match the rated output. They’ve undermined any trust I’d developed that they were acting in good faith.
Most disturbing aspect...
This whole incident brings into serious doubt the ability of their WHOLE executive suite. This horrible response was not the choice of a single mid-level manager. It would require vetting by multiple VPs, across multiple departments, and probably the CEO.
AND THEY ALL AGREED TO IT.
Seems familiar
Reminds me of an old boss of mine: “If you have it in writing, I rescind it. If you don’t, I never said it.”
I feel like a lot of companies just look at “Hey, we’re using https to communicate to our server” and think, “Well, good enough.” But using existing libraries to do secure http calls is simple these days. It doesn’t mean you don’t have to worry about where else that data might be leaked to.
New post last night from the Verge about this –
“Anker’s Eufy breaks its silence on security cam security”.
https://www.theverge.com/2022/12/20/23519772/anker-eufy-security-camera-statement-december-19-2022
Re:
It is a pretty standard response from any company. They should have responded before, stating they are researching these claims and will get back with an update.
https://www.theverge.com/2022/12/20/23519772/anker-eufy-security-camera-statement-december-19-2022
Military grade means as much to encryption as military means to music.
Re:
It’s true. “Military-grade encryption” is code for “something isn’t right here”. The military uses the same encryption as everyone else because they want to maximize the number of researchers looking for vulnerabilities. A vendor claiming “military-grade encryption” is like claiming that a brand of water is better because it’s “military-grade water”.
Re:
Adding Military prefix to anything will make it much better, for example Military Cuisine or how about the old Military Intelligence. Oxymorons the lot.
Military-grade encryption
Since there’s no military standard for encryption, I guess “No encryption” still counts as military-grade
“You’re holding it wrong.”