Eufy cameras are sending unencrypted footage to the cloud

By | November 30, 2022

A photo of the Eufy SoloCam on a roof

The Eufy SoloCam E40.
Photograph🇧🇷 Florence Ion / Gizmodo

Eufy, the company behind a range of affordable security cameras I previously suggested about the expensive stuff, it’s currently in some hot water for its security practices. The company, which is owned by Anker, claims its products are one of the few security devices that allow for locally stored media and do not need a cloud account to work efficiently. But during the turkey holiday, a noted security researcher across the pond uncovered a security flaw in Eufy’s mobile app that threatens this entire premise.

Paul Moore relayed the question in a tweeted screenshot🇧🇷 Moore purchased the Eufy Doorbell Dual Camera for its promise of a local storage option, only to discover that the doorbell cameras were storing thumbnails of faces in the cloud, along with user-identifiable information, despite Moore not even having an account. Eufy Cloud Storage. 🇧🇷

After Moore tweeted the findings, another user discovered that the data uploaded to Eufy wasn’t even encrypted. Any uploaded clip can be easily played in any desktop media player, which Moore later demonstrated🇧🇷 What’s more: thumbnails and clips have been linked to its partners’ cameras, offering additional identifiable information for any digital snoops.

AndroidCentral was able to recreate the issue on its own with a EufyCam 3. It then turned to Eufy who explained to the site why this issue was arising. If you choose to send a motion notification with a thumbnail attached, Eufy temporarily uploads this file to its AWS servers to send it. Moore enabled the option manually, and that’s how the security flaw was eventually discovered. By default, the Eufy app’s camera notifications are text only and don’t have the same issue as there’s nothing to load.

While Eufy says its practices comply with Apple’s push notification service terms of use and Google’s Firebase cloud messaging standards, it has since fixed some of the issues Moore discovered. The company told Android Central that it would do the following to communicate with its users about how it’s storing data:

1. We are revising the language of the push notifications option in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

2. We will be more clear about using the cloud for push notifications in our consumer-facing marketing materials.

Unfortunately, this isn’t the first time Eufy has had issues with the security of its cameras. Last year, the company faced similar reports of “improper access” to random camera feeds, though the company quickly fixed the issue once it was discovered. Eufy is no stranger to fixing things.

Leave a Reply

Your email address will not be published. Required fields are marked *