Eufy responds to allegations of insecure cameras, violation of privacy laws

SEATTLE – Following weeks of accusations of insecure data streams and mishandled user data, Anker brand eufy has given its response.

Original allegations surfaced in a Nov. 21 tweet from Information Security Consultant Paul Moore, who inquired with the company why its home security cameras were uploading faces in his local storage to its servers unencrypted, and further why he was able to stream from his camera without authentication.

.@EufyOfficial - Couple of Q's

Why is my "local storage" #doorbellDual storing every face, without encryption, to your servers?

Why can I stream my camera without #authentication?!

But crucially, is this really the AES key for my video footage? Please tell me it's not. pic.twitter.com/uV70koBjLk

— Paul Moore (@Paul_Reviews) November 21, 2022

The eufy Security app provides its operators with an option for push notifications to show only text, or text and a thumbnail captured by a camera. Furthermore, those photos are sent to the cloud when customers choose to have those notifications display the thumbnail, but the eufy Security app failed to disclose that information.

Security Systems News reached out to eufy for comment and clarification on the issue. A representative from the company replied, stating, “To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account. Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud. That lack of communication was an oversight on our part and we sincerely apologize for our error.”

Eufy wrote that it planned to improve its communication and that it would be revising the push notifications to detail that those with thumbnails will be stored in the cloud. The company also said it would be clearer in the use of the cloud in push notifications in consumer-facing marketing materials. At no point did the company appear to offer an alternative to the options or a patch in functionality.

Regarding the ability to stream from cameras via a third-party program (i.e. VLC), Eufy issued the following statement, “Today, around 1% of our total users access their account via our web portal. As per our design, prior to access any information, users have to log into their accounts. The URL links can only be obtained and shared by users themselves and will only be valid temporarily. It will be a personal activity if you obtain your own URL and share it with other people. Even so, we want to assure everyone that we have improved this point - even after users obtain the URL link by logging into their accounts, it cannot be played via a third party player or shared with others to play. Moreover, we've closed the port of browser developer mode, to avoid a similar process as Paul Moore demonstrated in his video.”

Ah well, the cat's out the bag now... so may as well tell you.

You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption.

Please don't ask for a PoC - I can't release this one.

Heads up @TechLinkedYT @LinusTech https://t.co/sU3FyRaELX

— Paul Moore (@Paul_Reviews) November 25, 2022

Eufy concluded its response by saying, “Regarding our explanations above, we also recommend you to test these details from your side, then you can find out the real truth.”