Eufy, the company behind a series of affordable security cameras I’ve previously suggested over the expensive stuff, is currently in a bit of hot water for its security practices. The company, owned by Anker, purports its products to be one of the few security devices that allow for locally-stored media and don’t need a cloud account to work efficiently. But over the turkey-eating holiday, a noted security researcher across the pond discovered a security hole in Eufy’s mobile app that threatens that whole premise.
Paul Moore relayed the issue in a tweeted screengrab. Moore had purchased the Eufy Doorbell Dual Camera for its promise of a local storage option, only to discover that the doorbell’s cameras had been storing thumbnails of faces on the cloud, along with identifiable user information, despite Moore not even having a Eufy Cloud Storage account.
After Moore tweeted the findings, another user found that the data uploaded to Eufy wasn’t even encrypted. Any uploaded clips could be easily played back on any desktop media player, which Moore later demonstrated. What’s more: thumbnails and clips were linked to their partner cameras, offering additional identifiable information to any digital snoopers sniffing around.
Android Central was able to recreate the issue on its own with a EufyCam 3. It then reached out to Eufy, which explained to the site why this issue was cropping up. If you choose to have a motion notification pushed out with an attached thumbnail, Eufy temporarily uploads that file to its AWS servers to send it out. Moore had enabled the option manually, which is how the security flaw was eventually discovered. By default, the Eufy app’s camera notifications are text-only and don’t have the same issue, since there’s nothing to upload.
Though Eufy says its practices comply with Apple’s Push Notification Service terms of use and Google’s Firebase Cloud Message standards, it’s since patched some of the issues discovered by Moore. The company told Android Central that it would do the following to communicate to its users about how it’s storing data:
1. We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
2. We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.
Unfortunately, this isn’t the first time Eufy has had an issue regarding security on its cameras. Last year, the company faced similar reports of “unwarranted access” to random camera feeds, though the company quickly fixed the issue once it was discovered. Eufy is no stranger to patching things up.
