Security researcher Paul Moore discovered several security flaws in Eufy’s security cameras, including the upload of facial recognition imagery to the AWS cloud without encryption. Additionally, Moore demonstrated that this data is stored alongside personally identifiable information and kept even after the original footage is deleted from the app.
His proof-of-concept further shows that while Eufy’s cameras use 128-bit AES encryption, the key is a simple one rather than a random string. He also claims that a web browser can access the video feed from the cameras by using the right URL, with no authentication required.
Moore uploaded a YouTube video on November 23 demonstrating that Eufy is uploading both the image captured from the camera and the facial recognition image. Additionally, the facial recognition image is stored with metadata, including his username, another user ID and the saved ID for his face.
When he triggered a motion event using a different camera with a different username, and even a different home base to store the footage locally, the data sent to Eufy’s AWS servers was enough for the company to tag and link the facial ID to his picture.
Finally, Moore claimed to have been able to live stream the footage from his Eufy doorbell camera without any authentication, but did not create a proof-of-concept because of the potential for misuse. Instead, he chose to inform Eufy directly and has taken legal action against the company to ensure compliance.
Eufy says it’s a temp upload
In a statement to Android Central, Eufy claims that camera notifications are text only unless the user selects the option to display thumbnails along with the notification itself. The thumbnails are temporarily uploaded to its AWS servers, with server-side encryption, to be bundled with notifications, which does seem plausible considering notifications are handled server-side.
Although the company did not specify for how long these ‘temporary’ thumbnails are stored in the database, it did claim that its push notification practices comply with Apple Push Notification service and Firebase Cloud Messaging standards.
The company seems to have resolved some of the issues Moore found, already issuing a patch that makes it impossible to verify stored cloud data status by removing the network call and heavily encrypting others to make it nearly impossible to detect. Overall, Eufy claims it’s making the following changes to improve communication on the subject:
- Push notification settings will be better explained to reflect that asking for images in notifications will require them to be temporarily stored in the cloud.
- The company will be clearer about using cloud storage for push notifications in its consumer-facing marketing materials.