Eufy cameras upload unencrypted footage to the cloud

Image of an Eufy SoloCam on a rooftop

Eufy SoloCam E40 Camera.
picture: Florence Ion/Gizmodo

Eufy, the company behind a series of affordable security cameras I have suggested previously On the expensive stuff, he’s currently in a bit of hot water for his security practices. The company, which is owned by Anker, claims that its products are one of the few security devices that allow locally stored media and do not require a cloud account to work efficiently. But during the turkey-eating holiday, a well-known security researcher across the pond said Discover A security vulnerability in the Eufy mobile app threatens this entire premise.

Paul Moore moved the case in a chirp on screen. Moore bought the Eufy Doorbell Dual Camera for the promise of a local storage option, only to discover that the doorbell cameras were storing thumbnails of faces on the cloud, along with identifiable user information, even though Moore doesn’t even have an Eufy Cloud Storage account.

After Moore tweeted the results, another user I found that the data uploaded to Eufy was not even encrypted. Any uploaded clips could easily be played on any desktop media player, which Moore later did prover. What’s more: Thumbnails and clips were linked to their partner’s cameras, providing additional, identifiable information to any eavesdropping digital snooper.

AndroidCentral He was able to reproduce the problem on his own using EufyCam 3. He then reached out to Eufy, who explained to the site why this issue appeared. If you choose to have the motion notification push with an attached thumbnail, Eufy temporarily uploads this file to the AWS servers for transmission. Moore enabled the option manually, which is how the security flaw was eventually discovered. By default, the Eufy app’s camera notifications are text-only and don’t have the same issue, as there’s nothing to load.

Although Eufy says its practices comply with Apple’s Push Notification Service Terms of Use and Google Firebase Cloud Message standards, it has since corrected some of the issues Moore discovered. The company told Android Central that it will do the following to communicate to its users about how it stores data:

1. We are revising the eufy Security app’s push notifications option language to clarify that push notifications with thumbnails require preview images to be cached in the cloud.

2. We will be more explicit about the use of the cloud for push notifications in consumer marketing materials.

Unfortunately, this isn’t the first time that Eufy has had a security issue on its cameras. last yearHowever, the company faced similar reports of “unwarranted access” to random camera feeds, though the company quickly fixed the issue once it was discovered. Eufy is no stranger to fixing things.

See also  Destiny 2 cheat distributor agrees to pay Bungie $13.5 million

Leave a Reply

Your email address will not be published.