Anker's Eufy security cameras have made headlines in recent days because they sometimes upload data to the cloud even though no cloud services are activated and the user has not explicitly consented to this upload . Eufy explains how this could happen.
Upload of preview images without consent
Security Advisor Paul Moore revealed that even with cloud storage disabled, his Eufy Doorbell Dual automatically uploads a thumbnail of his face from face recognition and a still image of the camera image to the cloud whenever an event is detected by the camera. He demonstrated that the data did not originate from his local camera by disconnecting his Eufy HomeBase from the Internet before logging into the Eufy online interface. Nevertheless, the website was able to access the two data mentioned from the camera via a cloud connection. Even if the last event is deleted in the Eufy app and is no longer accessible to the user himself, the thumbnail of his face and the still image could still be accessed via the website. However, this requires that he logs into his Eufy account.
However, the automatic cloud upload without the knowledge and consent of the user is not only inadmissible, but also does not fit with Eufy's statement that no cloud needs to be used for operation and no costs are incurred. Other users have since confirmed the upload of these images and the ability to access them through their own user account on the Eufy website.
The thumbnails that are accessible are used for notifications the user's smartphone and remote access. Paul Moore demonstrates his discovery in a video.
He also assumes that it is possible for Eufy to merge facial recognition from two different cameras and from two different apps.
Statement of Eufy
ComputerBase has requested a comment from Anker, the text of which is included at the end of this announcement. Eufy or Anker does not deny the cloud upload of the data in it, but explains that it always takes place when the user has activated push notifications with a preview image. The upload takes place in the Amazon Web Services (AWS) cloud and the data is not publicly accessible, but only by the user himself, according to Anker. In addition, the data should only be stored for a short time, with no specific period of time being mentioned. However, according to Anker, the fact that a cloud upload takes place when the push notifications with a preview image are activated was not communicated clearly enough, for which we apologize.
Direct access to stream without login
However, Paul Moore soon pointed out another problem with the Eufy cameras, which Anker has not yet addressed. Accordingly, the playback software VLC can be used to directly access the stream of a camera without authentication being necessary. However, he does not reveal any details, which does not make the facts entirely clear. According to user reports, access should also be possible from outside your own network. Access within one's own network, on the other hand, would not be unusual, since many providers make an RTSP stream (Real-Time Streaming Protocol) of the live image accessible, which is then the intention. With eufy, recordings can also be stored on a NAS, for example, and the manufacturer himself has published instructions for this. However, according to the most recent reports, external access only requires knowing the serial number of the camera to access the stream and does not require authentication.
Ah well, the cats out the bag now… so may as well tell you.
< br>You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption.Please don't ask for a PoC – I can't release this one.
Heads up @TechLinkedYT @LinusTech https://t .co/sU3FyRaELX
— Paul Moore (@Paul_Reviews) November 25, 2022
Statement by Eufy on thumbnail push notifications in the eufy security app
eufy Security is designed as a local home security system. All video material is stored locally and encrypted on the user's device. eufy Security's facial recognition technology is also processed and stored locally on the device. Our products, services and processes are fully compliant with applicable General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.
In order to provide users with the push notifications for their mobile devices, some of our security solutions can display small preview images (so-called thumbnails) of videos, which are briefly and securely hosted on an Amazon Web Services (AWS) based cloud server. These thumbnails use server-side encryption and are set to be automatically deleted. They comply with all Apple Push Notification Services (iOS app) and Firebase Cloud Messaging (Android app) standards. Only after users have securely logged in to their eufy Security account can they access or share these thumbnails.
Although our eufy security app offers users the option to choose between text and thumbnail-based push notifications right from the start, we did not make it clear enough that when selecting thumbnail notifications, the thumbnails are temporarily stored in the cloud hosted.
This lack of communication was an oversight on our part and we sincerely apologize for the error.
We will improve our communications, including through the following measures:
1. We're revamping the wording of the push notification options in the eufy Security app to clearly state that push notifications with thumbnails require small preview images that are temporarily stored in the cloud.
2. We will be more prominent in our consumer marketing materials using the cloud for push notifications.
eufy Security is fully committed to protecting the privacy and data of its users and thanks the security community for bringing this issue to our attention.