Security researcher says Eufy has a big security problem
What you need to know
- Security researcher Paul Moore has discovered several security flaws in Eufy’s cameras.
- User images and facial recognition data are being sent to the cloud without user consent, and live camera feeds can purportedly be accessed without any authentication.
- Moore says some of the issues have since been patched but cannot verify that cloud data is being properly deleted. Moore, a U.K. resident, has taken legal action against Eufy because of a possible breach of GDPR.
- Eufy support has confirmed some of the issues and issued an official statement on the matter saying an app update will offer clarified language.
Update Nov 29 11:32 am: Added Paul Moore’s response to Android Central.
Update Nov 29 3:30 pm: Eufy issued a statement explaining what’s going on, which can be seen below in Eufy’s explanation section.
Based on Eufy’s statement below, many of the issues Mr. Moore encountered will not appear so long as users don’t enable thumbnails for camera notifications. It’s these thumbnails that are being sent to the cloud for push notification purposes. No actual video footage is being sent to Eufy’s AWS cloud.
For years, Eufy Security has prided itself on its mantra of protecting user privacy, primarily by only storing videos and other relevant data locally. But a security researcher is calling this into question, citing evidence that shows some Eufy cameras are uploading photos, facial recognition imagery, and other private data to its cloud servers without user consent.
A series of tweets from information security consultant Paul Moore seems to show a Eufy Doorbell Dual camera uploading facial recognition data to Eufy’s AWS cloud without encryption. Moore shows that this data is being stored alongside a specific username and other identifiable information. Adding to that, Moore says that this data is kept on Eufy’s Amazon-based servers even when the footage has been “deleted” from the Eufy app.
Furthermore, Moore alleges that videos from cameras can be streamed via a web browser by inputting the right URL and that no authentication information needs to be present to view said videos. Moore shows evidence that videos from Eufy cameras that are encrypted…