Eufy, a smart home brand of tech accessory firm Anker, had become popular among some privacy-minded security camera buyers. Its doorbell camera and other devices proudly proclaimed having “No Clouds or Costs,” and that “no one has access to your data but you.”
That’s why security consultant and researcher Paul Moore’s string of tweets and videos, demonstrating that Eufy cameras were uploading name-tagged thumbnail images to cloud servers to alert owners’ phones, likely unencrypted, stung smart home and security enthusiasts so hard this week.
Moore, based in the UK, started asking Eufy rhetorical questions about its practices on Twitter starting November 21. “Why is my ‘local storage” #doorbellDual storing every face, without encryption, to your servers? Why can I stream my camera without #authentication?!” Moore also posted lines from “source code & API responses” that suggested a very weak AES key was being used to encrypt video footage.
On November 23, Moore uploaded a video that demonstrated his findings. With his Eufy Homebase unplugged, Moore walked in front of his camera. From an incognito web browser, Moore could pull up a thumbnail image of himself, an image of the feed shortly before he was visible, and—perhaps more concerning—ID numbers indicating his recognized face and his status as the camera owner.
One day later, security firm SEC Consult summarized two years of analyzing a EufyCam 2, noting a similar transfer of thumbnails through an Amazon Web Services cloud. The company also saw the weak keys, suggesting “hard-coded encryption/decryption keys which are identical for all sold Homebase devices,” though it was unclear for what the keys were being used.
SEC Consult noted that Eufy seemed to have hardened its security since May 2021, when users were suddenly given nearly full access to other people’s accounts. “But sadly, thumbnails of all recorded images still seem to be transferred into AWS, so the device does not fit our requirements for privacy.” SEC said it moved up its publication of its findings based on Moore’s tweets, and “with [Black Friday] shopping mania just around the corner.”
Moore later posted a response from Eufy to his findings, in which a Eufy support representative states that thumbnails are restricted by account logins, and the URL “will expire within 24 hours” unless the user shares it. The Eufy rep also notes that Eufy “noticed it before” and plans to make its Homebase 3 store thumbnails locally, too.
Moore also claimed in a later tweet, tagged to another user’s screenshot, that you could remotely start and monitor Eufy camera streams through VLC without authentication or encryption. Moore stated that he could not release a proof of concept for the vulnerability. He also tweeted that Eufy denied his pre-action legal claim against the company, “refusing compensation,” but also, Moore claimed, offered him a job.
Just had a lengthy discussion with @EufyOfficial‘s legal department.
It’s appropriate at this stage to give them time to investigate and take appropriate action; conversely, it’s not right for me to comment further.
I will provide an update, as & when possible. Thanks!
— Paul Moore (@Paul_Reviews) November 28, 2022
Finally, on Monday, Moore tweeted he had “a lengthy discussion with [Eufy’s] legal department” and would subsequently “give them time to investigate and take appropriate action” and declined to comment further. We’ve emailed Moore for comment, but had not heard back as of this post (as suggested in his tweet).
Eufy, meanwhile, responded to Ars and other outlets with a statement. Eufy affirms that its video footage and “facial recognition technology” are “all processed and stored locally on the users’ device.” For mobile push notifications, however, thumbnail images are “briefly and securely stored on an AWS-based cloud server.” They are server-side encrypted, behind usernames and passwords, automatically delete, and comply with Apple and Google’s messaging standards, as well as General Data Protection Regulation (GDPR) standards.
Eufy admits that when users choose between text-based or thumbnail-based notifications from their system during setup, “it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.”
Eufy pledged to update its setup language and “be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.” Other claims made by Moore and SEC Consult were not addressed.