Eufy’s “No clouds” Cameras Upload Facial Thumbnails to AWS

upnorth

Eufy, a smart home brand of tech accessory firm Anker, had become popular among some privacy-minded security camera buyers. Its doorbell camera and other devices proudly proclaimed having "No Clouds or Costs," and that "no one has access to your data but you."

That's why security consultant and researcher Paul Moore's string of tweets and videos, demonstrating that Eufy cameras were uploading name-tagged thumbnail images to cloud servers to alert owners' phones, likely unencrypted, stung smart home and security enthusiasts so hard this week. Moore, based in the UK, started asking Eufy rhetorical questions about its practices on Twitter starting November 21. "Why is my 'local storage' #doorbellDual storing every face, without encryption, to your servers? Why can I stream my camera without #authentication?!" Moore also posted lines from "source code & API responses" that suggested a very weak AES key was being used to encrypt video footage.

On November 23, Moore uploaded a video that demonstrated his findings. With his Eufy Homebase unplugged, Moore walked in front of his camera. From an incognito web browser, Moore could pull up a thumbnail image of himself, an image of the feed shortly before he was visible, and—perhaps more concerning—ID numbers indicating his recognized face and his status as the camera owner.

Eufy, meanwhile, responded to Ars and other outlets with a statement. Eufy affirms that its video footage and "facial recognition technology" are "all processed and stored locally on the users' device." For mobile push notifications, however, thumbnail images are "briefly and securely stored on an AWS-based cloud server." They are server-side encrypted, behind usernames and passwords, automatically delete, and comply with Apple and Google's messaging standards, as well as General Data Protection Regulation (GDPR) standards.

Eufy admits that when users choose between text-based or thumbnail-based notifications from their system during setup, "it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud."

upnorth

(Update 7:30 a.m. ET 12/2/2022: Eufy has issued a statement in response to findings from The Verge and a security researcher:

"eufy Security adamantly disagrees with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions." The original story follows.)
Eufy didn't respond to other claims from security researcher Paul Moore and others, including that one could stream the feed from a Eufy camera in VLC Media Player, if you had the right URL. Last night, The Verge, working with the security researcher "wasabi" who first tweeted the problem, confirmed it could access Eufy camera streams, encryption-free, through a Eufy server URL.

This makes Eufy's privacy promises of footage that "never leaves the safety of your home," is end-to-end encrypted, and only sent "straight to your phone" highly misleading, if not outright dubious. It also contradicts an Anker/Eufy senior PR manager who told The Verge that "it is not possible" to watch footage using a third-party tool like VLC.

HarborFront

According to the article below, EUFY has taken steps to address some issues. The other issues should be addressed in forthcoming firmware updates, since security vulnerabilities are now being exposed.

FYI, I have this EUFY Security System setup with 9x IP cameras and a video doorbell. I have faith in EUFY that the mentioned vulnerabilities would be addressed subsequently.

Looking forward to upgrading all my EUFY 2K cameras to 4K next year once more 4K cameras are released.

upnorth

Eufy, the Anker brand that positioned its security cameras as prioritizing "local storage" and "No clouds," has issued a statement in response to recent findings by security researchers and tech news sites. Eufy admits it could do better but also leaves some issues unaddressed.

In a thread titled "Re: Recent security claims against eufy Security," "eufy_official" writes to its "Security Cutomers and Partners." Eufy is "taking a new approach to home security," the company writes, designed to operate locally and "wherever possible" to avoid cloud servers. Video footage, facial recognition, and identity biometrics are managed on devices—"Not the cloud."

This reiteration comes after questions have been raised a few times in the past weeks about Eufy's cloud policies. A British security researcher found in late October that phone alerts sent from Eufy were stored on a cloud server, seemingly unencrypted, with face identification data included. Another firm at that time quickly summarized two years of findings on Eufy security, noting similar unencrypted file transfers.