Anker's popular Eufy-branded security cameras appear to be sending some data to the cloud even when cloud storage is disabled and only local storage is enabled. The information comes from security consultant Paul Moore, who posted a video outlining the issue last week.
According to Moore, he bought a Eufy Doorbell Dual, a device marketed as storing its video footage locally. He discovered that Eufy uploads thumbnails containing faces, along with user information, to its cloud service even when no cloud features are enabled.
Moore demonstrates the unauthorized upload by letting his camera capture an image and then turning off the Eufy HomeBase. The image is still retrievable through Eufy's web portal via the cloud integration, even though he has not subscribed to the cloud service, and it remains accessible after the footage is deleted from the Eufy app. Eufy does not appear to upload full video streams to the cloud automatically, but it does upload snapshots of the video as thumbnails.
The Eufy app uses these thumbnails alongside video streaming from the Eufy base station, so that users can watch their footage away from home and receive enhanced notifications. The problem is that the thumbnails are uploaded to the cloud automatically even when the cloud features are not active, and Eufy also appears to run facial recognition on them at upload time. The unauthorized uploads have upset users because Eufy advertises a local-only service and is popular with those who want a more private camera solution. "No clouds, no costs," Eufy's website says.
Moore also suggests that Eufy can link facial recognition data collected by two separate cameras, through two separate apps, to the same user, all without the camera owners' knowledge.
Other Eufy users responded to Moore's tweet reporting the same behavior, and there is also a dedicated Reddit thread on the subject. Moore tested the Eufy doorbell camera, but other Eufy cameras appear to behave the same way. As Moore shows, the images can be accessed using simple URLs once logged in, which is a potential security risk for anyone with an interest in that footage. After Moore's tweet, Eufy removed the background call that listed the saved images, but did not remove the footage itself.
Moore received a response from Eufy in which the company confirmed that it uploads event lists and thumbnails to AWS, but said the data cannot be "leaked to the public" because the URLs are restricted, time-limited, and require a logged-in account.
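A practitioner checking Eufy's claim would first want to know what "time-limited" actually means for a given thumbnail URL. The following is an added example, not code from this article or from Eufy, and it assumes the thumbnails are served from S3 with SigV4 presigned URLs (the article only says "AWS"); such URLs carry their validity window in the query string as X-Amz-Date and X-Amz-Expires. The sample URLs are constructed for the example, and a URL with no signature parameters is reported as having no time limit at all.

```python
"""Inspect the validity window of an AWS SigV4 presigned URL.

Added example, not from the article or Eufy. Assumption: the thumbnail
URLs are S3 presigned URLs, whose query string carries
  X-Amz-Date    - signing time in UTC, format YYYYMMDDTHHMMSSZ
  X-Amz-Expires - lifetime in seconds (SigV4 caps this at 7 days)
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

MAX_PRESIGNED_LIFETIME = 7 * 24 * 3600  # SigV4 upper bound, 604800 s


def presigned_window(url: str) -> Optional[Tuple[datetime, datetime]]:
    """Return (signed_at, expires_at) for a SigV4 presigned URL.

    Returns None when the URL carries no signature parameters: a plain
    object URL whose accessibility depends only on the bucket policy and
    has no built-in expiry.
    """
    params = parse_qs(urlparse(url).query)
    if "X-Amz-Date" not in params or "X-Amz-Expires" not in params:
        return None
    signed_at = datetime.strptime(
        params["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ"
    ).replace(tzinfo=timezone.utc)
    lifetime = int(params["X-Amz-Expires"][0])
    if not 1 <= lifetime <= MAX_PRESIGNED_LIFETIME:
        # Outside what SigV4 accepts; the service would reject the request.
        raise ValueError(f"X-Amz-Expires out of range: {lifetime}")
    return signed_at, signed_at + timedelta(seconds=lifetime)


def lifetime_seconds(url: str) -> Optional[int]:
    """Advertised lifetime of the URL in seconds, or None if unsigned."""
    window = presigned_window(url)
    if window is None:
        return None
    return int((window[1] - window[0]).total_seconds())


def is_expired(url: str, at: str) -> bool:
    """True if the presigned URL is past its window at ISO-8601 time `at`.

    An unsigned URL never expires on its own, so it reports False. A naive
    timestamp is treated as UTC.
    """
    window = presigned_window(url)
    if window is None:
        return False
    now = datetime.fromisoformat(at)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now >= window[1]


# Constructed sample URLs (hypothetical bucket, key and signature).
SAMPLE_URL = (
    "https://example-bucket.s3.us-west-2.amazonaws.com/thumb/event1.jpg"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20221125%2Fus-west-2%2Fs3%2Faws4_request"
    "&X-Amz-Date=20221125T120000Z&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000deadbeef"
)
PLAIN_URL = "https://example-bucket.s3.us-west-2.amazonaws.com/thumb/event1.jpg"

if __name__ == "__main__":
    for url in (SAMPLE_URL, PLAIN_URL):
        print(url.split("?")[0], "lifetime:", lifetime_seconds(url),
              "expired at 2022-11-25T13:00Z:",
              is_expired(url, "2022-11-25T13:00:00+00:00"))
```

Parsing only shows the window the vendor advertises. The check that actually matters is the one Moore performed: fetch the URL again after the window has passed, from a session that is not logged in, and after the corresponding footage has been deleted in the app, and confirm that all three requests are refused.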
Moore also pointed out a second problem: live streams from Eufy cameras can reportedly be viewed with an app such as VLC, though few details about the issue are currently available. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.
Well now the cats are getting out of the bag… so I can tell you. You can stream remotely and watch live @EufyOfficial cams using VLC. No authentication, no encryption. Please don't ask for a PoC – I can't publish it. Attention @TechLinkedYT @LinusTech https://t.co/sU3FyRaELX — Paul Moore (@Paul_Reviews), November 25, 2022
We reached out to Anker for further comment on the Eufy issue and will update this article if we hear back. Moore said he had contacted Eufy's legal department and would give them time to "investigate and take appropriate action" before commenting further.
(Thank you Derek!)