For a long time, Anker's Eufy sub-brand was one of our go-to security camera recommendations. The company then became embroiled in a security and privacy scandal, with supposedly end-to-end encrypted footage accessible via unencrypted web streams. The company long refused to acknowledge the problem, going so far as to claim that what researchers and journalists had clearly achieved was impossible. After a month of stonewalling, the company has finally provided more satisfactory answers, though we’d still be cautious about taking its word for it.

For context, security researcher Paul Moore discovered that it was possible to play live feeds from Eufy security cameras using an unencrypted link obtained from the Eufy web portal. While it appears that the link in question could only be accessed and copied when a user was logged in, this makes it clear that the feed is not end-to-end encrypted. That's what Eufy always claimed in its marketing materials, which have since been revised. The company claimed to have fixed the problem, but stressed that it never thought this was a big problem, saying that “the potential security flaws discussed online are speculative.”

There was also an issue with unencrypted thumbnails, although the unencrypted streams were by far the biggest problem. The company's response was to silently tweak language on its website, removing some privacy-focused statements.

After leaving its customers and the public hanging with these unsatisfactory answers and actions, the company has now responded to an inquiry from The Verge, going into much more detail about the incident and its security strategy going forward.

For one, video streams on Eufy’s web portal are now said to be end-to-end encrypted, as they have supposedly always been on the Eufy app, which the company says is how 99.9% of its users access their cameras anyway. The company is additionally updating its entire lineup with WebRTC, a natively encrypted video and audio transmission standard. At the same time, Eufy had to admit that its products are not end-to-end encrypted by default, which it had long claimed they were — otherwise, the unencrypted live feeds would not have been possible.

In addition, Eufy promises to publish an independent audit by a “leading and well-known security expert,” which is supposed to show that it has fixed all remaining issues. There will also be a bug bounty program, with Eufy promising to pay researchers who find more vulnerabilities in its products. The company further apologized for the lack of communication and plans to release more details about its security architecture in the near future.

The Verge has published Eufy's statements in full, so if you want to know exactly how the company is defending itself, we can only encourage you to read Eufy’s emails to the publication. In the meantime, we’re still cautious about recommending Eufy products. After all, it's taken the security-focused company far too long to properly communicate the problems that have been discovered, and we need to see the promised actions come to fruition before we can consider reevaluating our stance on Eufy products.