what you need to know
- Security researcher Paul Moore has discovered several security vulnerabilities in Eufy’s cameras.
- User images and facial recognition data are sent to the cloud without user consent, and live camera feeds can reportedly be accessed without authentication.
- According to Moore, some of the issues have since been fixed, but he can’t verify that cloud data is properly wiped. Moore, a UK resident, has taken legal action against Eufy over a possible breach of the GDPR.
- Eufy support has confirmed some of the issues and issued an official statement on the matter, stating that an app update will provide clearer language.
Update Nov 29 11:32 am: Added Paul Moore’s answer to Android Central.
Update Nov 29 3:30pm: Eufy issued a statement explaining what is going on which can be seen below in Eufy’s explanation section.
Based on Eufy’s statement below, many of the issues Mr. Moore encountered will not appear until users enable thumbnails for camera notifications. It is these thumbnails that are sent to the cloud for push notification purposes. No live video footage is sent to Eufy’s AWS cloud.
For years, Eufy Security has prided itself on its mantra of protecting user privacy, mainly by only storing videos and other relevant data locally. However, a security researcher questions this, citing evidence showing that some Eufy cameras upload photos, facial recognition images and other private data to its cloud servers without user consent.
A series of tweets (opens in new tab) by information security consultant Paul Moore appears to be showing a Eufy Doorbell dual camera uploading facial recognition data unencrypted to Eufy’s AWS cloud. Moore shows that this data is stored along with a specific username and other identifiable information. Additionally, Moore says that even if the footage has been “deleted” from the Eufy app, this data is stored on Eufy’s Amazon-based servers.
In addition, Moore claims that video from cameras can be streamed by entering the correct URL through a web browser and that no authentication information is required to view these videos. Moore shows evidence that video from Eufy cameras encrypted with AES-128 encryption only does so with a simple key rather than a proper random string. In the example, Moore’s videos were stored using “[email protected]” as the encryption key, something that could easily be cracked by anyone who really wants your footage.
Moore has contacted Eufy support and they confirm the evidence, citing that these uploads are done to help with notifications and other data. Support doesn’t seem to have given a valid reason why identifiable user data is also appended to the thumbnails, which could open a huge security hole for others to find your data with the right tools.
Moore says that Eufy has already patched some of the issues that make it impossible to check the status of stored cloud data and has issued the following statement:
“Unfortunately (or fortunately, however you look at it) Eufy already removed the network call and heavily encrypted others to make it almost impossible to detect, so my previous PoCs no longer work. You may be able to manually call the specific endpoint using the payloads shown, which may still return a result.”
Android Central is in discussions with Eufy and Paul Moore and will continue to update this article as the situation evolves. Read below to see Eufy’s official statement and explanation, and read on if you want to learn more about what Moore did in his research into Eufy’s potential security issues.
Eufy told Android Central that its “products, services and processes are fully compliant with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.”
GDPR certification requires companies to provide evidence of data security and management to the EU. Acquiring a certification is not a rubber stamp and must be approved by a relevant governing body and is governed by the ICO.
By default, camera notifications are set to plain text and do not generate or upload any thumbnails. In Mr. Moore’s case, he enabled the option to show thumbnails along with the notification. This is how it looks in the app.
Eufy says these thumbnails are temporarily uploaded to its AWS servers and then bundled into the notification to a user’s device. This logic is checked because notifications are handled server-side and normally a text-only notification from Eufy’s servers would not contain any image data unless otherwise specified.
Eufy says its push notification practices “comply with Apple Push Notification Service and Firebase Cloud Messaging standards” and are automatically deleted, but did not provide a timeframe for when this should happen.
Additionally, Eufy says that “thumbnails should use server-side encryption” and shouldn’t be visible to users who aren’t logged in. Mr. Moore’s proof of concept below used the same incognito web browser session to retrieve thumbnails, thus using the same web cache he previously authenticated with.
Eufy says: “Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that selecting thumbnail-based notifications would require thumbnails to be temporarily hosted in the cloud. This lack of communication was an oversight on our part and we sincerely apologize for our error.”
Eufy says it’s making the following changes to improve communication on the matter:
- We are revamping the language of the push notification option in the eufy Security app to make it clear that push notifications with thumbnails require thumbnail images that are temporarily stored in the cloud.
- We will make the use of the cloud for push notifications more explicit in our consumer-facing marketing materials.
I’ve sent Eufy several follow-up questions about additional issues found in Paul Moore’s Proof of Concept below, and will update the article once those are answered.
Paul Moore’s proof of concept
Eufy sells two main types of cameras: cameras that connect directly to your home’s Wi-Fi network, and cameras that only connect to a Eufy HomeBase using a local wireless connection.
Eufy HomeBases are designed to store Eufy camera footage locally via a hard drive on the device. But even if you have a HomeBase in your home, purchasing a SoloCam or doorbell that connects directly to Wi-Fi will store your video data on the Eufy camera itself instead of the HomeBase.
In the case of Paul Moore, he used a Eufy Doorbell Dual that connects directly to WiFi and bypasses a HomeBase. Here is his first video on the subject, published on November 23, 2022.
In the video, Moore shows Eufy uploading both the image captured by the camera and the facial recognition image. He also shows that the face recognition image is stored along with multiple bits of metadata, two of which contain his username (owner_ID), another user ID, and the stored and stored ID for his face (AI_Face_ID).
To make matters worse, Moore uses a different camera to trigger a motion event and then examines the data that’s streamed to Eufy’s servers in the AWS cloud. Moore says he used a different camera, different username, and even a different HomeBase to “store” the footage locally, but Eufy was able to tag and link Face ID to his image.
This proves that Eufy stores this facial recognition data in its cloud and also allows cameras to easily identify stored faces even though they don’t belong to the people in those images. To back up this claim, Moore recorded another video in which he deletes the clips, proving that the images are still on Eufy’s AWS servers.
Additionally, Moore says he was able to stream live footage from his doorbell camera without authentication, but has not provided a public proof of concept due to the tactic’s potential abuse if it were to be made public. He notified Eufy directly and has since taken legal action to ensure Eufy complies.
Things are looking very bad for Eufy at the moment. For years, the company has stood for only storing user data locally and never uploading it to the cloud. while Eufy Also has cloud services, no data should be uploaded to the cloud unless a user specifically allows it.
Furthermore, storing user IDs and other personally identifiable data along with a picture of someone’s face is a massive security breach indeed. While Eufy has since patched the ability to easily find the URLs and other data being sent to the cloud, there is currently no way to verify whether or not Eufy is still storing that data in the cloud without user consent.