Another week, another report of tech products having terrible problems with security and privacy. This time, it’s Anker’s Eufy brand of connected cameras, but next week it will be something different. No wait, it’s already something different in the same week since app signing keys from Android phone makers have been “leaked” out.
Looks like all your stuff is flawed and just waiting to become unsafe to use.
Seriously, there is not a connected device or application ever made that does not have potential security or privacy flaws built in, just waiting for someone to find and exploit them. The people who design and build devices, as well as the people who write the code that powers them, are not magical. They are very smart people who work very hard to make sure as many potential bugs and flaws as possible are caught before a product gets released, but they are still people, so bugs and flaws will find a way.
This isn’t the real cause for concern, though. Since everything under the sun is exploitable in some form, what’s important is what happens after those flaws are found. Good companies recognize their responsibility and act accordingly.
The Note 7 affair
There hasn’t been a product with issues that has more words spent on it than the Samsung Galaxy Note 7. While not a software flaw (probably) it had a major problem that most of us know about because we heard about it everywhere — the battery was prone to exploding and catching fire. Far more often than other phones.
I always use the Note 7 as the test case when considering if a company is doing the right thing with a problematic product. We can assume that nobody at Samsung knew there was a problem that could make for the fiery crash of the Galaxy Note 7 before it went on sale. In the end, it was obvious, though.
Samsung’s journey to doing the right thing is interesting now that it’s all over. At first, the company didn’t admit any fault. It sent people to help investigate, asked for defective products to look over, and let PR handle the problem. While Samsung never actually pointed the finger at anyone else and said you’re doing something wrong — the online Samsung commenter army took care of that part — it kind of felt like they were leaning that way and were about to say “You’re holding it wrong.”
Eventually, though, Samsung owned up to the problem and recalled the phones. It then re-released them with the exact same issue, which made it seem like they didn’t actually address anything. In the end, the Galaxy Note 7 was taken off the market, Samsung offered credit to people towards a new phone, and the company invested in a brand new program to improve battery safety for all mobile devices.
Whenever it comes up, I like to remind people that Samsung finally did the right thing and more, but it took a while to get there. That hemming and hawing, while important to global sales and profits, harmed Samsung’s reputation.
Did you know that hundreds of iPhone batteries catch fire every year? The same goes for almost any brand or product that uses small-cell lithium batteries. And products that use big lithium batteries. If a high enough percentage of devices caught fire, another company would be in the same situation as Samsung was with the Note 7 — and it would look at how Samsung handled it to know how, and how not, to proceed.
How not to do it
“We adamantly disagree with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions.”
That’s Eufy’s response to the latest issue surrounding consumer-grade surveillance cameras. In case you didn’t know, it’s been shown by actual examples that Eufy stores facial images alongside personally identifying data in the cloud without permission. Additionally, it’s fairly trivial to watch a live stream from any Eufy camera through an exploit very similar to others that have always plagued consumer cameras. Oof.
Notice the company isn’t denying there is a problem here — it’s only “adamantly disagreeing” that there are security issues. This produces the same result yet gives the company an out when (not if) it has to own up to there being problems.
It also makes the company look like hot garbage. I, as well as countless people with just a tiny bit of computer savvy, know that there is an issue and could reproduce it without too much hassle. The Verge did just that to double-prove (that’s a word now) it.
Are we to believe that Eufy doesn’t think storing user data on remote servers without permission, or being able to watch a stream from a camera someone else owns, is a valid concern? Because that’s what I’m reading here.
Ah well, the cat’s out of the bag now… so may as well tell you. You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption. Please don’t ask for a PoC – I can’t release this one. Heads up @TechLinkedYT @LinusTech https://t.co/sU3FyRaELX
November 25, 2022
To be clear — the second issue is not as much of a problem to the company as the first. Like I mentioned above, these kinds of flaws exist and eventually someone will find a way to exploit them and Eufy isn’t alone in this regard. The company could identify what’s wrong, fix it, send out a firmware update to all affected devices, and be called out for doing the right thing. Instead, this.
The other issue, where facial recognition data and images are sent and retained, is another can of worms. That’s either a coding mistake or a reason to have Eufy cameras banned. I really, really hope it’s just a coding mistake.
The best way is through bug bounties
The biggest and most critical flaws, whether they be in the hardware space or in software, affect Apple, Google, and Microsoft. That’s because these three companies control almost all the software on the smartest consumer devices — phones, tablets, wearables, and computers.
When a flaw comes to light, the big three can’t afford to sit back and procrastinate because potentially, billions of users are at risk and there would be pretty severe financial repercussions. Hey, whatever it takes to make tech companies look out for our best interests, right?
One thing these three companies use is a bug bounty program. That means they will pay you for finding flaws in their products.
People who find critical flaws have two choices — report them so they can be fixed before they become a problem, or sell them to the highest bidder on “the dark web” — a loose term for the part of the internet that you access in a different way through different software. You probably would not like a lot of what you find if you Google how to access it, so consider yourself warned.
Anyhow, there are “websites” where people who have a way to hack every Chromebook (just an example) can sell the method to someone who wants to bid on it. Or the person who finds it can just tell Google and get paid.
One of these things might be more lucrative than the other, but it’s also very illegal and not a guarantee that you’ll be able to sell it. The other is free cash from Google for having some fun hacking. Bug bounty programs are effective, which is why other companies like Samsung and Meta have them, too.
So what can I do?
There is nothing you can do to find a product that will never have a serious security flaw. Nada. Zero. Zilch. That unicorn doesn’t exist.
What you should do is just do a wee bit of research before you add something to your Amazon cart. Google can tell you about a company’s history when it comes to security breaches, and more importantly, how the company handled them if they popped up. If you aren’t sure that a company did the right thing, scroll down the results until you see a security researcher offering their loud-ass opinion about it. You’ll find one, or a thousand.
I can recommend you buy a Samsung product. The same goes for Apple, Google, Microsoft, OnePlus, Nvidia, AMD, Intel, and every other company that had some product issues but sorted them out the right way.
I’ll also recommend some products from companies that won’t handle an issue the right way in the future because it just hasn’t happened yet. In both cases, I will always recommend you look and see what other people recommend.
Be informed and try to shop smart. Hold companies accountable for the things they’ve done poorly and reward companies for the things they have done right. It’s really all we can do.