Anker customers learned this week that their security and privacy have been compromised when their home videos could be accessed and even controlled by strangers due to a server upgrade that introduced a glitch.
China-based Anker is the maker of Eufy home security cameras. This week, an internal server bug allowed strangers to view, pan, and zoom in on other peoples’ Eufy video feeds for approximately one day. The bug allowed all users to perform these actions on other users’ streams.
The vulnerability occurred during a planned server upgrade on Monday. By mistake, Eufy users were connected with video streams of other accounts from around the world, according to a report on The Record blog.
Anker quickly patched the bug; however, it persisted throughout the day, and many users noticed that they were spied on and posted their concerns across online platforms, including the Eufy user forum, Reddit and Twitter.
“Guys and gals, if you have any Eufy cams indoors or out please check your accounts and or shut the cameras down for the time being,” according to a post on Eufy user forum. “There are numerous reports of a security breach where other users are gaining control over others’ cameras and can see them as well as talk and control them. Please shut it down.”
One Reddit user reported:
“I have no idea what happened but out of nowhere I was given a completely different feed of someone else’s doorbell and security cameras,”
Besides viewing private video feeds, users could also control their cameras to pan and zoom in at will, and see account data such as name, home location, and other private details.
Anker acknowledged the glitch which was discovered 40 minutes after it first occurred and fixed the issue about an hour later.
Still, its customers complained that Anker didn’t act fast enough to let people know about the glitch.
“I specifically purchased Eufy cameras because of your positive privacy practices,” software developers and founder of Quantum Fire Labs Daniel Lemky, tweeted. “But we need transparency right now. Don’t wait until you’ve solved the problem. If there is a security breach, we need to know as soon as you know.”
ABC news producer and reporter Andrea Nierhoff complained about the bug, too:
“Can confirm I too have been able to access live- and prerecorded-streams of someone else’s cameras for the past few hours, though this has since corrected itself,” she tweeted. “Scary!”
The glitch is a fresh reminder that the security of connected cameras is inadequate which has already caused headaches for a long list of companies including Amazon, Google, and ADT.
