Last year, a “software bug” at Anker-owned Eufy caused a hubbub when multiple owners of the company’s connected security cameras were able to access live feeds and saved video recordings from Eufy-branded cameras belonging to other people. Now, Eufy’s in similar hot water again. Security researcher Paul Moore recently unearthed a couple of serious security flaws in Eufy devices — including one that could allow people to access unencrypted, live video feeds from Eufy cameras without any kind of authentication.
Last week, Moore found that his Eufy Doorbell Dual — which he mentions buying based on Eufy’s privacy-focused marketing — was uploading video thumbnails and facial recognition data to the cloud, despite his never opting in to Eufy’s cloud services. Moore demonstrates that both images captured by his camera and his Eufy profile photo can be downloaded without authentication by navigating to an associated URL — but Eufy says the images are encrypted, and it seems Moore was only able to access them because he’d previously logged into his Eufy account in the same Incognito Chrome window.
Moore also found that a separate Eufy camera linked to a different account was able to identify his face with the same unique ID — implying that Eufy is not only storing facial recognition data in the cloud, but also sharing that back-end information between accounts.
Worst of all, Moore says he was able to view live footage from his camera over a web browser without any kind of authentication simply by navigating to the correct public-facing address. Understandably, Moore didn’t offer proof of this particular exploit, but says he’s been in contact with Eufy about it.
According to Moore, Eufy says images are stored on Amazon Web Services (AWS) servers only until a user dismisses an event notification in the Eufy security app, after which the images are deleted. In a separate YouTube video, Moore shows that the images are retained for some time after notifications are dismissed, though he wasn’t able to prove for how long.
Eufy’s since clarified that thumbnails are only uploaded to AWS if a user’s event notifications are set up to include thumbnails (by default, the notifications are text-only). The company told Android Central that it’ll take steps to make it clearer — or, indeed, at all evident — that including thumbnails in event notifications will cause those thumbnails to be stored on AWS for a time, even if a user hasn’t opted into cloud services. Eufy further says that its practices are in compliance with GDPR standards, as well as “Apple Push Notification service and Firebase Cloud Messaging standards.”
Per Android Central, Moore says Eufy is moving quickly on the issues he’s raised and that the methods he’d previously used to access his data in unorthodox ways no longer work. All the same, it’s a second major security snafu for Eufy in the span of two years — not a great look for a company that publicly prides itself on protecting user privacy.
