A security researcher has discovered that Anker's Eufy security cameras send user images and information to the cloud without the owners' consent — even if the user doesn't pay for a cloud subscription.
Security consultant Paul Moore discovered that his Eufy Doorbell Dual was uploading data to the cloud, despite the fact he'd disabled cloud functionality. Moore uploaded a short video to YouTube to highlight what he'd found.
In the video, Moore shows how even after turning off the Eufy HomeBase, the Eufy website can still access an image he uploaded despite not signing up for the cloud service. Furthermore, the image is still accessible even after Moore removes it from the Eufy app.
Interestingly, it doesn't appear that Eufy is uploading the video as video, but rather as a series of thumbnails.
Eufy also appears to be using facial recognition on the uploads. Moore surmises that Eufy could link the facial recognition data collected from multiple cameras and apps to users — without the user's knowledge or consent.
After the disclosure, Eufy contacted Moore and confirmed that it uploads events and thumbnails to Amazon Web Services. However, the company says the data cannot leak because the URL is only valid for a short period of time and requires an account login.
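A camera owner who has turned cloud features off can check for themselves whether the device still talks to the cloud by auditing its outbound connections at the router. The following is an added example, not code from this article or from Eufy: it runs over constructed router connection-log lines (the IPs, hostnames and byte counts are invented) and lists every external destination, with total bytes sent, for each device the owner has marked as local-only. The log format, the device list and the hostnames are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an outbound-connection log as a home router or firewall
# might emit it. Addresses, hostnames and byte counts are invented for this example.
SAMPLE_LOG = """\
2022-11-25T10:01:02Z src=192.168.1.42 dst=203.0.113.10 dport=443 sni=thumbs.example-camera-cloud.com bytes_out=48210
2022-11-25T10:01:05Z src=192.168.1.42 dst=203.0.113.11 dport=443 sni=events.example-camera-cloud.com bytes_out=1320
2022-11-25T10:02:00Z src=192.168.1.42 dst=192.168.1.10 dport=554 sni= bytes_out=9800000
2022-11-25T10:02:30Z src=192.168.1.77 dst=203.0.113.20 dport=443 sni=www.example.org bytes_out=2100
2022-11-25T10:03:11Z src=192.168.1.42 dst=203.0.113.12 dport=443 sni=example-bucket.s3.amazonaws.com bytes_out=512000
"""

# One line of the assumed log format: timestamp, source, destination, port,
# TLS SNI (may be empty for non-TLS traffic) and bytes sent.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"sni=(?P<sni>\S*) bytes_out=(?P<bytes>\d+)$"
)

# Devices the owner configured as local-only (cloud disabled). Assumed for the example.
LOCAL_ONLY_DEVICES = {"192.168.1.42": "doorbell"}


def is_private(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. traffic that stayed on the home network."""
    return bool(
        ip.startswith("10.")
        or ip.startswith("192.168.")
        or re.match(r"^172\.(1[6-9]|2\d|3[01])\.", ip)
    )


def audit_egress(log_text: str, local_only: dict) -> dict:
    """Return {device_name: {external_host: total_bytes_out}} for every
    non-private destination contacted by a device that should stay local.
    Connections to other devices on the LAN (e.g. a local NVR) are ignored."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src = m["src"]
        if src not in local_only or is_private(m["dst"]):
            continue
        host = m["sni"] or m["dst"]  # fall back to the IP when there is no SNI
        findings[local_only[src]][host] += int(m["bytes"])
    return {dev: dict(hosts) for dev, hosts in findings.items()}


if __name__ == "__main__":
    for device, hosts in audit_egress(SAMPLE_LOG, LOCAL_ONLY_DEVICES).items():
        print(f"{device} (configured local-only) sent data to:")
        for host, total in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"  {host:45} {total:>10} bytes")
```

A real log would come from the router's firewall, a DNS resolver log or a packet capture on the camera's VLAN; the SNI field is what makes the destination readable even though the payload is TLS. The script shows volume and destination, not content, which is enough to test a vendor's claim that a device with cloud disabled sends nothing off the network.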
A final issue Moore raises is that Eufy camera streams can be watched live with a media player such as VLC, though he did not say how. More worryingly, he notes that the streams are neither encrypted nor protected by authentication.
Ah well, the cat's out of the bag now... so may as well tell you.
You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption.
Please don't ask for a PoC - I can't release this one.
Heads up @TechLinkedYT @LinusTech https://t.co/sU3FyRaELX
— Paul Moore (@Paul_Reviews) November 25, 2022
Since his initial post, Moore posted that he'd "had a lengthy discussion with Eufy's legal department." He also stated that it would be "appropriate at this stage to give them time to investigate and take appropriate action," and that he could not comment further.
This isn't the first time Eufy has come under fire for security lapses. Most notably, in May of 2021, Eufy users found that their app showed other users' cameras instead of their own, and that those wrongly granted access could change the settings of cameras they did not own.
Comments
A few days ago on the AI story called "Here are all the devices getting Matter Support" I said that the Eufy camera was insecure even when using HomeKit Secure Video, let alone when using HomeKit. Despite the people who argued against me, I guess this story supports my fears about Eufy.
Here was part of my claim:
Where do I go to claim my reward?
Yeah, this was obvious because their cams would still send you notifications via their app about movement and certain objects being detected — likely sending images up to AWS and they were using AWS Rekognition.
VLC lets you specify a URL that defines a video feed; I'd always wondered what that was for. Never made the mental connection to video surveillance, but it is obvious now.