Eufy cameras secretly uploaded footage to cloud (updated)
The security cameras have to use the cloud to send you push notifications.
UPDATE 2/01/23 8:55 AM EST: In a series of emails to The Verge, Eufy states that its cameras’ footage was not end-to-end encrypted by default through the Eufy web portal, but that the encryption has now been fixed.
New updates are being pushed out, and the company will work with security experts to audit its practices. More updates below.
Eufy, an affordable security camera brand from Anker, is under fire for security concerns regarding uploaded footage.
The brand markets itself as a local security system where footage is stored locally, and not uploaded to the cloud. But a recent discovery challenges that entire premise.
Paul Moore is a security consultant. Last week, Moore discovered a significant flaw in how the Eufy Doorbell Dual Camera had been storing data.
Moore shared a video showing how the camera had been uploading and storing images of faces on the cloud. The camera did this despite Moore not signing up for a Eufy Cloud Storage account.
The flaw was later confirmed by other users and recreated by Android Central. The publication reached out to Eufy, and the company explained what exactly was happening that required these uploads.
Eufy says this particular flaw comes from push notifications. If a user opts to have push notifications from the app for motion detection, Eufy temporarily uploads the thumbnail to its servers before sending it out.
Moore had turned on the push notification setting for the Doorbell Dual Camera. Eufy’s default notification settings are text-only, and they don’t require the uploaded thumbnail.
Eufy plans on addressing the wording of its push notification setting to make it clear that it has to temporarily upload thumbnails. It also says it will change its marketing materials to better reflect its use of the cloud.
Eufy has found itself at the center of controversy in the past. In early 2021, users discovered a strange glitch in the cameras that allowed people to see into other users’ homes.
The company quickly addressed that problem, and nothing terrible seemingly came out of it. I would imagine it does the same this time, delivering on the changes it promised.
UPDATE 12/22/22 9:21 AM EST: Anker released a public explanation in a new blog post but disappointingly offers no apology and fails to address why anyone could view unencrypted streams from a camera advertised as being end-to-end encrypted.
In the blog post, the company acknowledges the camera has a security flaw but doesn’t necessarily explain how it happened or why. Here’s what it had to say:
“First, no user data has been exposed, and the potential security flaws discussed online are speculative. However, we do agree there were some key areas for improvement. So we have made the following changes.
Today, users can still log in to our eufy.com Web portal to view live streams of their cameras. However, users can no longer view live streams (or share active links to these live streams with others) outside of eufy’s secure Web portal. Anyone wishing to view these links must first log in to the eufy.com Web portal.
We will continue to look for ways to enhance this feature”
Naturally, there are still a lot of unanswered questions, and eventually, Eufy needs to step up and address them. We’ve reached out to Eufy for comment and will offer any updates if we hear anything back.
Via The Verge