Eufy cameras uploaded unencrypted footage to the cloud

November 29, 2022 FA8Dd 0 Comments

A photo of the Eufy SoloCam on a rooftop — The Eufy SoloCam E40.

Eufy, the company behind a series of affordable security cameras I already suggested on the expensive stuff, is currently in a bit of hot water for its security practices. The company, owned by Anker, claims its products are one of the few security devices that can store media locally and don’t need a cloud account to work effectively. But while on turkey vacation, a well-known security researcher across the pond discovered a security flaw in Eufy’s mobile app that threatens that whole premise.

Paul Moore relayed the question in a screenshot tweeted. Moore had bought the Eufy Doorbell dual camera for its promise of a local storage option, only to find that the doorbell cameras had stored thumbnails of faces in the cloud, along with identifiable user information, although Moore didn’t. doesn’t even have a Eufy Cloud Storage account. .

After Moore tweeted the results, another user found that data uploaded to Eufy was not even encrypted. All downloaded clips can be easily played on any desktop media player, which Moore later demonstrated. Plus: thumbnails and clips were linked to their partner cameras, offering additional identifiable information to any digital snifflers.

Android Central was able to recreate the problem on his own with a EufyCam 3. He then contacted Eufy, who explained to the site why this problem was occurring. If you choose to send a motion notification with a tile attached, Eufy temporarily uploads this file to its AWS servers to send. Moore had enabled the option manually, which is how the security flaw was eventually discovered. By default, the Eufy app’s camera notifications are text-only and don’t have the same issue, as there’s nothing to download.

Although Eufy says its practices comply with Apple’s Push Notification Service Terms of Service and Google’s Firebase Cloud Message Standards, it has since fixed some of the issues Moore discovered. The company told Android Central that it would do the following to communicate to its users about how it stores data:

1. We’re revising the push notification options language in the eufy Security app to make it clear that thumbnail push notifications require preview images that will be temporarily stored in the cloud.

2. We will be clearer about using the cloud for push notifications in our consumer marketing materials.

Unfortunately, this isn’t the first time Eufy has encountered a security issue on its cameras. Last year, the company has faced similar reports of “unwarranted access” to random camera feeds, though the company quickly addressed the issue once it was discovered. Eufy is no stranger to patching things up.