What you need to know
- Security researcher Paul Moore discovered several security flaws in Eufy’s cameras.
- User images and facial recognition data are being uploaded to the cloud without user consent, and live camera feeds can be accessed without any authentication.
- Moore says some of the issues have already been fixed, but he can’t verify that the cloud data is being deleted correctly. Moore, a UK resident, has taken legal action against Eufy over a potential GDPR violation.
- Eufy support has confirmed some of the issues and has issued an official statement on the matter, saying that an update to the app will offer clarified language.
November 29th update at 11:32 am: Added Paul Moore’s answer to Android Central.
November 29th 3:30 pm update: Eufy has issued a statement explaining what is going on, which can be seen below in Eufy’s explanation section.
Based on Eufy’s statement below, many of the issues Mr. Moore found won’t appear as long as users don’t enable thumbnails for camera notifications. It is these thumbnails that are being sent to the cloud for push notification purposes. No actual video footage is being uploaded to Eufy’s AWS cloud.
For years, Eufy Security has prided itself on its mantra of protecting user privacy, particularly by only storing videos and other relevant data locally. But a security researcher is calling this into question, citing evidence showing that some Eufy cameras are sending photos, facial recognition images and other private data to their cloud servers without user consent.
A series of tweets by information security consultant Paul Moore appears to show a Eufy Doorbell Dual camera uploading facial recognition data to Eufy’s AWS cloud without encryption. Moore shows that this data is being stored along with a specific username and other identifiable information. What’s more, Moore says this data is held on Eufy’s Amazon-based servers, even when footage has been “deleted” from the Eufy app.
Furthermore, Moore claims that videos from the cameras can be streamed through a web browser by entering the correct URL, and that no authentication information needs to be present to view them. Moore also shows evidence that videos from Eufy cameras encrypted with AES-128 use a simple key rather than a proper random string. In the example, Moore’s videos were stored with “[email protected]” as the encryption key, something that would be easily deciphered by anyone who really wanted his footage.
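To illustrate why a readable string makes a poor AES-128 key, here is an added Python example (not from Moore's research or from Eufy's code) that bounds the entropy of a candidate key and generates one from the operating system's CSPRNG instead. The function names, the sample key and the word list are constructed for this illustration.

```python
import math
import secrets
import string

AES128_KEY_LEN = 16  # bytes
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
TYPABLE = "".join(CLASSES)
# Constructed word list; a real audit would use a much larger dictionary.
GUESSABLE = ("cam", "security", "password", "admin", "example")


def max_entropy_bits(key: bytes) -> float:
    """Upper bound on entropy, assuming each byte was drawn uniformly from the
    character classes the key uses. Human-chosen keys sit far below this."""
    if not key:
        return 0.0
    try:
        text = key.decode("ascii")
    except UnicodeDecodeError:
        return 8.0 * len(key)           # arbitrary bytes: full 8 bits each
    if any(c not in TYPABLE for c in text):
        return 8.0 * len(key)           # control characters: not typed text
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in text))
    return len(key) * math.log2(alphabet)


def audit_aes128_key(key: bytes) -> list:
    """Return findings for a candidate AES-128 key; empty list means none."""
    findings = []
    if len(key) != AES128_KEY_LEN:
        findings.append(f"length is {len(key)} bytes, expected {AES128_KEY_LEN}")
    bits = max_entropy_bits(key)
    if bits < 8 * AES128_KEY_LEN:
        findings.append(f"typable text: at most {bits:.0f} of 128 bits")
    lowered = key.decode("ascii", "ignore").lower()
    if any(word in lowered for word in GUESSABLE):
        findings.append("contains a guessable word")
    return findings


def generate_aes128_key() -> bytes:
    """Draw all 128 bits from the operating system's CSPRNG."""
    return secrets.token_bytes(AES128_KEY_LEN)


if __name__ == "__main__":
    weak = b"ExampleCam2022!!"          # constructed sample, not a real key
    print(weak, audit_aes128_key(weak))
    fresh = generate_aes128_key()
    print(fresh.hex(), audit_aes128_key(fresh))
```

The reported bound is generous: it treats every character as independent and uniformly random, which a key built from words and a year is not.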
Moore reached out to Eufy support and they corroborate the evidence, citing that these uploads occur to help with notifications and other data. Support doesn’t seem to have provided a valid reason why user-identifiable data should also be appended to thumbnails, which could open up a huge security hole for others to find your data with the right tools.
Moore says that Eufy has already fixed some of the issues, making it impossible to check the status of data stored in the cloud, and has issued the following statement:
“Unfortunately (or fortunately, no matter how you look at it), Eufy already removed the network call and heavily encrypted others to make it almost impossible to detect, so my previous PoCs no longer work. You can call the specific endpoint manually using the payloads shown, which may still return a result.”
Android Central is in discussion with Eufy and Paul Moore and will continue to update this article as the situation develops. Read below for Eufy’s official statement and explanation, and further on if you want to learn more about what Moore did in his research into Eufy’s potential security issues.
Eufy’s explanation
Eufy told Android Central that its “products, services and processes are fully compliant with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.”
GDPR certification requires companies to provide proof of security and data management to the EU. Acquiring a certification is not a rubber stamp; it needs approval from an appropriate government body and is regulated by the ICO.
By default, camera notifications are set to text only and do not generate or load a thumbnail of any kind. In the case of Mr. Moore, he enabled the option to display thumbnails along with the notification. Here’s what it looks like in the app.
Eufy says these thumbnails are temporarily uploaded to its AWS servers and then bundled into the notification for a user’s device. This logic checks out, as notifications are handled server-side, and normally a text-only notification from Eufy’s servers would not include any kind of image data unless otherwise specified.
Eufy says its push notification practices are “in compliance with the Apple Push Notification service and Firebase Cloud Messaging standards” and self-deleting, but it didn’t specify a timeframe by which this should occur.
Furthermore, Eufy says that “thumbnails utilize server-side encryption” and should not be visible to users who are not logged in. with which he previously authenticated.
Eufy says that “While our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud. It was an oversight on our part and we sincerely apologize for our error.”
Eufy says it is making the following changes to improve communication on the matter:
- We are revising the language of the push notifications option in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
- We will be more clear about using the cloud for push notifications in our consumer-facing marketing materials.
I sent Eufy several follow-up questions asking about other issues found in Paul Moore’s proof of concept below and will update the article once they are answered.
Paul Moore’s proof of concept
Eufy sells two main types of cameras: cameras that connect directly to your home’s Wi-Fi network, and cameras that only connect to a Eufy HomeBase via a local wireless connection.
The Eufy HomeBase is designed to store Eufy camera footage locally via a hard drive within the unit. But even if you have a HomeBase in your house, buying a SoloCam or doorbell that connects directly to Wi-Fi will store your video data in the Eufy camera itself instead of the HomeBase.
In Paul Moore’s case, he was using a Eufy Doorbell Dual that connects directly to Wi-Fi and bypasses a HomeBase. Here’s his first video on the subject, posted on November 23, 2022.
In the video, Moore shows how Eufy is loading the captured camera image and facial recognition image. Furthermore, it shows that the facial recognition image is stored along with several bits of metadata, two of which include your username (owner_ID), another user ID, and the saved and stored ID for your face (AI_Face_ID).
What makes matters worse is that Moore uses another camera to trigger a motion event and then looks at the data transferred to Eufy’s servers in the AWS cloud. Moore says he used a different camera, different username, and even a different HomeBase to “store” the footage locally, but Eufy was able to tag and link the Face ID to his photo.
This proves that Eufy is storing this facial recognition data in its cloud and, furthermore, is allowing cameras to readily identify the stored faces even if those cameras don’t belong to the people in those images. To support this claim, Moore recorded another video of him deleting the clips and proving that the footage is still located on Eufy’s AWS servers.
Additionally, Moore says he was able to stream live footage from his doorbell camera without any authentication, but he hasn’t provided public proof of concept due to the potential misuse of the tactic if it was made public. He notified Eufy directly and has since taken legal action to ensure Eufy complies.
At the moment, this looks pretty bad for Eufy. The company has, for years, stood behind only keeping user data local and never uploading it to the cloud. While Eufy also has cloud services, no data should be uploaded to the cloud unless a user specifically allows such a practice.
Furthermore, storing user IDs and other personally identifiable data next to a photo of a person’s face is indeed a major security breach. While Eufy has fixed the ability to easily find the URLs and other data uploaded to the cloud, there is currently no way to verify whether or not Eufy continues to store this data in the cloud without user consent.