What you need to know
- Security researcher Paul Moore has discovered several security flaws in Eufy’s cameras.
- User images and facial recognition data are being sent to the cloud without user consent, and live camera feeds can purportedly be accessed without any authentication.
- Moore says some of the issues have since been patched but cannot verify that cloud data is being properly deleted. Moore, a U.K. resident, has taken legal action against Eufy because of a possible breach of GDPR.
- Eufy support has confirmed some of the issues and issued an official statement on the matter saying an app update will offer clarified language.
Update Nov 29 11:32 am: Added Paul Moore’s response to Android Central.
Update Nov 29 3:30 pm: Eufy issued a statement explaining what’s going on which can be seen below in Eufy’s explanation section.
Based on Eufy’s statement below, many of the issues Mr. Moore encountered will not appear so long as users don’t enable thumbnails for camera notifications. It’s these thumbnails that are being sent to the cloud for push notification purposes. No actual video footage is being sent to Eufy’s AWS cloud.
For years, Eufy Security has prided itself on its mantra of protecting user privacy, primarily by only storing videos and other relevant data locally. But a security researcher is calling this into question, citing evidence that shows some Eufy cameras are uploading photos, facial recognition imagery, and other private data to its cloud servers without user consent.
A series of Tweets (opens in new tab) from information security consultant Paul Moore seems to show a Eufy Doorbell Dual camera uploading facial recognition data to Eufy’s AWS cloud without encryption. Moore shows that this data is being stored alongside a specific username and other identifiable information. Adding to that, Moore says that this data is kept on Eufy’s Amazon-based servers even when the footage has been “deleted” from the Eufy app.
Furthermore, Moore alleges that videos from cameras can be streamed via a web browser by inputting the right URL and that no authentication information needs to be present to view said videos. Moore shows evidence that videos from Eufy cameras that are encrypted with AES 128 encryption are only done so with a simple key rather than a proper random string. In the example, Moore’s videos were stored with “ZXSecurity17Cam@” as the encryption key, something that would be easily cracked by anyone really wanting your footage.
Moore has been in contact with Eufy support and they corroborate the evidence, citing that these uploads occur to help with notifications and other data. Support doesn’t seem to have provided a valid reason why identifiable user data is also attached to the thumbnails, which could open up a huge security hole for others to find your data with the right tools.
Moore says that Eufy has already patched some of the issues, making it impossible to verify stored cloud data status, and has issued the following statement:
“Unfortunately (or fortunately, however you look at it), Eufy has already removed the network call and heavily encrypted others to make it almost impossible to detect; so my previous PoCs no longer work. You may be able to call the specific endpoint manually using the payloads shown, which may still return a result.”
Android Central is in discussion with both Eufy and Paul Moore and will continue to update this article as the situation develops. Read below to see Eufy’s official statement and explanation and further on if you want to learn more about what Moore did in his research on Eufy’s potential security issues.
Eufy’s explanation
Eufy told Android Central that its “products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.”
GDPR certification requires companies to provide proof of data security and management to the EU. Acquiring a certification isn’t a rubber stamp and needs approval by a proper governing body and is regulated by the ICO.
By default, camera notifications are set to text-only and do not generate or upload a thumbnail of any kind. In Mr. Moore’s case, he enabled the option to display thumbnails along with the notification. Here’s what it looks like in the app.
Eufy says that these thumbnails are temporarily uploaded to its AWS servers and then bundled into the notification to a user’s device. This logic checks out since notifications are handled server side and, normally, a text-only notification from Eufy’s servers would not include any sort of image data unless otherwise specified.
Eufy says that its push notification practices are “in compliance with Apple Push Notification service and Firebase Cloud Messaging standards” and auto-delete but did not specify a timeframe in which this should occur.
Moreover, Eufy says that “thumbnails utilize server-side encryption” and should not be visible to users who are not logged in. Mr. Moore’s proof of concept below used the same incognito web browser session to retrieve thumbnails, thereby utilizing the same web cache he previously authenticated with.
Eufy says that “although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud. That lack of communication was an oversight on our part and we sincerely apologize for our error.”
Eufy says it’s making the following changes to improve communication on this matter:
- We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
- We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.
I have sent Eufy several follow-up questions asking about further issues found in Paul Moore’s proof of concept below and will update the article once those are answered.
Paul Moore’s proof of concept
Eufy sells two main types of cameras: cameras that connect directly to your home’s Wi-Fi network, and cameras that only connect to a Eufy HomeBase via a local wireless connection.
Eufy HomeBase’s are designed to store Eufy camera footage locally via a hard drive inside the unit. But, even if you have a HomeBase in your home, purchasing a SoloCam or Doorbell that connects directly to Wi-Fi will store your video data on the Eufy camera itself instead of the HomeBase.
In Paul Moore’s case, he was using a Eufy Doorbell Dual which connects directly to Wi-Fi and bypasses a HomeBase. Here’s his first video on the issue, published on November 23, 2022.
In the video, Moore shows how Eufy is uploading both the image captured from the camera and the facial recognition image. Further, he shows that the facial recognition image is stored alongside several bits of metadata, two of which include his username (owner_ID), another user ID, and the saved and stored ID for his face (AI_Face_ID).
What makes matters worse is that Moore uses another camera to trigger a motion event, then examines the data transferred to Eufy’s servers in the AWS cloud. Moore says that he used a different camera, different username, and even a different HomeBase to “store” the footage locally, yet Eufy was able to tag and link the facial ID to his picture.
That proves that Eufy is storing this facial recognition data in its cloud and, on top of that, is allowing cameras to readily identify stored faces even though they aren’t owned by the people in those images. To back that claim up, Moore recorded another video of him deleting the clips and proving that the images are still located on Eufy’s AWS servers.
Additionally, Moore says that he was able to stream live footage from his doorbell camera without any authentication but did not provide public proof of concept due to the possible misuse of the tactic if it were to be made public. He has notified Eufy directly and has since taken legal measures to ensure Eufy complies.
At the moment, this looks very bad for Eufy. The company has, for years, stood behind only keeping user data local and never uploading to the cloud. While Eufy also has cloud services, no data should be uploaded to the cloud unless a user specifically allows such a practice.
Furthermore, storing user IDs and other personally identifiable data alongside a picture of a person’s face is a massive security violation, indeed. While Eufy has since patched the ability to easily find the URLs and other data being sent to the cloud, there’s currently no way to verify that Eufy is or is not continuing to store this data in the cloud without user consent.
