What you need to know
- Security researcher Paul Moore discovered several security flaws in Eufy’s cameras.
- User images and facial recognition data are sent to the cloud without user consent, and live camera feeds are allegedly accessed without any authentication.
- Moore says some of the issues have since been fixed but cannot verify that the cloud data is properly deleted. Moore, a UK resident, filed a lawsuit against Eufy over a possible GDPR breach.
- Eufy Support has confirmed some of the issues, and Eufy has released an official statement saying that an app update will provide clarified language.
Update from November 29 at 11:32: Added Paul Moore’s answer to Android Central.
Update for November 29 at 3:30 p.m.: Eufy has released a statement explaining what is happening, which can be seen in the Eufy explanation section below.
Based on Eufy’s statement below, many of the issues Mr. Moore raised do not arise unless users enable thumbnails for camera notifications. It is these thumbnails that are sent to the cloud for push notification purposes. No actual video footage is sent to Eufy’s AWS Cloud.
For years, Eufy Security has prided itself on its mantra of protecting user privacy, primarily by only storing videos and other relevant data locally. But a security researcher questions that, citing evidence that shows some Eufy cameras upload photos, facial recognition images and other private data to its cloud servers without user consent.
A series of tweets by information security consultant Paul Moore appears to show a Eufy Doorbell Dual camera uploading facial recognition data to Eufy’s AWS cloud without encryption. Moore shows that this data is stored with a specific username and other identifiable information. Additionally, Moore says this data is retained on Eufy’s Amazon servers even after the images have been “deleted” from the Eufy app.
Additionally, Moore alleges that the videos from the cameras can be streamed through a web browser by entering the correct URL and that no authentication information needs to be present to view said videos. Moore shows evidence that videos from Eufy cameras that are encrypted with AES 128 encryption are only encrypted with a simple key rather than a proper random string. In the example, Moore’s videos were stored with “ZXSecurity17Cam@” as the encryption key, something that would be easily cracked by anyone who really wants your footage.
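An added example, not code from Moore or Eufy: a small Python check showing why the key quoted above reads as hand-chosen rather than random. The helper names are hypothetical; only the key string comes from the article.

```python
import re
import secrets

# Key string quoted in the article; all other values are constructed.
REPORTED_KEY = b"ZXSecurity17Cam@"


def printable_only(key: bytes) -> bool:
    """True when every byte is printable ASCII (0x20-0x7e)."""
    return all(0x20 <= b <= 0x7E for b in key)


def letter_runs(key: bytes, min_len: int = 3) -> list[str]:
    """Runs of ASCII letters, a sign the key was typed by a person."""
    text = key.decode("latin-1")
    return re.findall(r"[A-Za-z]{%d,}" % min_len, text)


def chance_random_key_is_printable(length: int = 16) -> float:
    """Probability that a uniformly random key is all printable ASCII."""
    return (95 / 256) ** length


def audit_key(key: bytes) -> dict:
    """Hypothetical audit helper: flag AES-128 keys that look hand-written."""
    runs = letter_runs(key)
    printable = printable_only(key)
    return {
        "length_ok": len(key) == 16,  # AES-128 uses a 16-byte key
        "printable_only": printable,
        "letter_runs": runs,
        "looks_human_chosen": printable and bool(runs),
    }


def new_key() -> bytes:
    """What a key should be: 16 bytes from the OS CSPRNG."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    print(audit_key(REPORTED_KEY))
    print(audit_key(new_key()))
    print(f"{chance_random_key_is_printable():.2e}")
```

A key that passes these checks is not thereby proven random; the audit only catches the obvious case described here.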
Moore has been in contact with Eufy Support, and they corroborate the evidence, saying that these uploads occur to help with notifications and other data. Support doesn’t seem to have provided a valid reason why identifiable user data is also attached to the thumbnails, which could open up a huge security hole for others to find your data with the right tools.
Moore says Eufy has already fixed some of the issues, making it impossible to check the status of data stored in the cloud, and provided the following statement:
“Unfortunately (or fortunately, whichever way you look at it), Eufy has already removed the network call and heavily encrypted the others to make it almost impossible to detect, so my previous PoCs no longer work. You may be able to manually call the specific endpoint using the specified payloads, which may still return a result.”
Android Central is in discussions with Eufy and Paul Moore and will continue to update this article as the situation evolves. Read on for the official statement and explanation from Eufy, and further down if you want to know more about what Moore found in his research into potential security issues with Eufy.
Eufy told Android Central that its “products, services and processes are fully compliant with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.”
GDPR certification requires companies to provide proof of data security and management to the EU. Acquiring a certification is not a rubber stamp and requires the approval of an appropriate governing body and is regulated by the ICO.
By default, camera notifications are set to text only and do not generate or download thumbnails of any kind. In Mr. Moore’s case, he enabled the option to show thumbnails with the notification. Here’s what it looks like in the app.
Eufy says these thumbnails are temporarily uploaded to its AWS servers and then bundled into the notification on a user’s device. This logic checks out, since notifications are handled server-side and normally a text-only notification from Eufy’s servers would not include any sort of image data unless otherwise specified.
Eufy says its push notification practices are “compliant with Apple Push Notification Service and Firebase Cloud Messaging Standards” and involve automatic deletion, but it did not specify a time frame in which this should occur.
Additionally, Eufy says that “the thumbnails use server-side encryption” and should not be visible to users who are not logged in. Mr. Moore’s proof of concept below used the same incognito web browser session to fetch the thumbnails, thus using the same web cache it previously authenticated with.
Eufy states that “although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not specified that choosing thumbnail-based notifications would require preview images briefly hosted in the cloud. This lack of communication was an oversight on our part and we sincerely apologize for our error.”
Eufy says it’s making the following changes to improve its communication on this matter:
- We’re revising the push notification options language in the eufy Security app to make it clear that push notifications with tiles require preview images that will be temporarily stored in the cloud.
- We will be clearer about using the cloud for push notifications in our consumer marketing materials.
I’ve sent Eufy several follow-up questions regarding other issues found in Paul Moore’s proof of concept below and will update the article once answered.
Paul Moore’s proof of concept
Eufy sells two main types of cameras: cameras that connect directly to your home’s Wi-Fi network, and cameras that only connect to a Eufy HomeBase through a local wireless connection.
Eufy HomeBases are designed to store Eufy camera images locally via a hard drive inside the unit. But, even if you have a HomeBase in your home, buying a SoloCam or doorbell that connects directly to Wi-Fi will store your video data on the Eufy camera itself instead of the HomeBase.
In Paul Moore’s case, he was using a Eufy Doorbell Dual which connects directly to Wi-Fi and bypasses a HomeBase. Here is his first video on the matter, published on November 23, 2022.
In the video, Moore demonstrates how Eufy uploads both the captured camera image and the facial recognition image. Additionally, it shows that the facial recognition image is stored with multiple bits of metadata, two of which include his username (owner_ID), another user ID, and the recorded and stored ID for his face (AI_Face_ID).
What makes matters worse is that Moore uses another camera to trigger a motion event and then examines the data transferred to Eufy’s servers in the AWS cloud. Moore says he used a different camera, a different username, and even a different HomeBase to “store” the images locally, but Eufy was able to tag and link Face ID to his photo.
This proves that Eufy stores this facial recognition data in its cloud and, in addition, allows cameras to easily identify the stored faces even when those cameras do not belong to the people in these images. To support this claim, Moore recorded another video of himself deleting the clips and showing that the footage is still located on Eufy’s AWS servers.
Additionally, Moore says he was able to stream live footage from his doorbell camera without any authentication, but did not provide a public proof of concept due to the possible misuse of the tactic if it were to be made public. He directly notified Eufy and has since taken legal action to ensure Eufy complies.
At the moment, this looks very bad for Eufy. The company has, for years, stood by only keeping user data local and never uploading it to the cloud. While Eufy also has cloud services, no data should be uploaded to the cloud unless a user specifically authorizes such practice.
Additionally, storing user IDs and other personally identifiable data alongside a photo of a person’s face is a massive breach of security indeed. Although Eufy has since fixed the ability to easily find URLs and other data sent to the cloud, there is currently no way to verify whether or not Eufy continues to store this data in the cloud without user consent.