Hacker News new | past | comments | ask | show | jobs | submit login
Anker finally comes clean about its Eufy security cameras (theverge.com)
41 points by EwanToo on Feb 1, 2023 | hide | past | favorite | 2 comments



Everything they have specified is a negative - a negative in privacy, a negative in encryption, a negative in software design. The problem wasn't lack of obfuscation in their web portal - it was that the web portal, despite having plenty of options for secure transit, chose to punch an unencrypted hole and make it available to anyone who asked. The problem is not that you could find a camera's private url, but that there was no token exchange to verify your access, and that once you connected to that URL the video coming across was unencrypted.

It is possible to have sufficiently secure URL schemes that you could still pop into VLC, possibly ignoring some security warnings about unverified peers, and that you could still be confident that no-one was evesdropping on. They've mentioned adding tools to prevent you from finding those URLs, but not to secure your connection to them.

What a backwards, misunderstood apology. The problem was not that they were using standard and interoperable software. It's that they didn't bother to add the security features they promised, and as such, probably haven't still - They've just made it harder to check if they have.


Pure damage control, but the damage is done.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: