Researcher discovers serious security flaws in Eufy cameras — again

Last year, a “software bug” at Anker-owned Eufy caused a hubbub when multiple owners of the company’s connected security cameras were able to access live feeds and saved video recordings from Eufy-branded cameras belonging to other people. Now, Eufy’s in similar hot water again. Security researcher Paul Moore recently unearthed a couple of serious security flaws in Eufy devices — including one that could allow people to access unencrypted, live video feeds from Eufy cameras without any kind of authentication.

Last week, Moore found that his Eufy Doorbell Dual — which he mentions buying based on Eufy’s privacy-focused marketing — was uploading video thumbnails and facial recognition data to the cloud, despite his never opting in to Eufy’s cloud services. Moore demonstrates that both images captured by his camera and his Eufy profile photo can be downloaded without authentication by navigating to an associated URL — but Eufy says the images are encrypted, and it seems Moore was only able to access them because he’d previously logged into his Eufy account in the same Incognito Chrome window.

Moore also found that a separate Eufy camera linked to a different account was able to identify his face with the same unique ID — implying that Eufy is not only storing facial recognition data in the cloud, but also sharing that back-end information between accounts.

Worst of all, Moore says he was able to view live footage from his camera over a web browser without any kind of authentication simply by navigating to the correct public-facing address. Understandably, Moore didn’t offer proof of this particular exploit, but says he’s been in contact with Eufy about it.

According to Moore, Eufy says images are stored on Amazon Web Services (AWS) servers only until a user dismisses an event notification in the Eufy security app, after which the images are deleted. In a separate YouTube video, Moore shows that the images are retained for some time after notifications are dismissed, though he wasn’t able to prove for how long.

Eufy’s since clarified that thumbnails are only uploaded to AWS if a user’s event notifications are set up to include thumbnails (by default, the notifications are text-only). The company told Android Central that it’ll take steps to make it clearer — or, indeed, at all evident — that including thumbnails in event notifications will cause those thumbnails to be stored on AWS for a time, even if a user hasn’t opted into cloud services. Eufy further says that its practices are in compliance with GDPR standards, as well as “Apple Push Notification service and Firebase Cloud Messaging standards.”

Per Android Central, Moore says Eufy is moving quickly on the issues he’s raised and that the methods he’d previously used to access his data in unorthodox ways no longer work. All the same, it’s the second major security snafu for Eufy in the span of two years — not a great look for a company that publicly prides itself on protecting user privacy.

UPDATE: 2022/12/02 09:15 EST BY RAJESH PANDEY

Eufy denies any security issues

Eufy has issued a statement on the security lapse, saying it “adamantly disagree with the accusations levied against the company concerning the security of our products.” The company claims it regularly reviews and tests the security features of its devices and takes the necessary steps to fix any exploit that is detected.

The response from the company does not address other security issues that were first reported, including being able to play the video feed directly over VLC.
