Eufy Security Camera Data Breach Surfaced
Concerns arose this week about the security of data when using Eufy cameras. A security expert had shown that recordings can be viewed via the cloud, even if users had activated local data storage. Eufy was caught uploading content to the cloud without user consent The Verge reports. Despite the selection of “local data storage”, Eufy had partly sent data to the cloud and also failed to encrypt the data.
As a result, anyone who had a URL to a Eufy camera video could access the file. This information comes from National Security Advisor Paul Moore, who released a video describing the problem.
According to Moore, he bought a Eufy Doorbell Dual, which was supposed to save recordings directly to the device. However, he found that Eufy had uploaded thumbnail images of faces and user information to its cloud service. Eufy does not automatically upload the complete streaming video to the cloud, but rather thumbnails.
Advertising promise and reality
These thumbnails are used in the Eufy app to enable video streaming from the Eufy base station, allowing Eufy users to watch their videos on the go. Since Eufy advertises a purely local service, this behavior is an absolute no-go. Moore suspects that Eufy is also able to link facial recognition data collected from two separate cameras and two separate apps to users without the camera owners knowing.
Moore further elaborated that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.
Eufy previously confirmed that event listings and thumbnails will be uploaded to Amazon AWS, but said the data cannot be made public as the URL is restricted, time-limited, and requires account login.
The company has now commented in detail on the allegations and initiated changes. API calls are encrypted to prevent unauthorized access.
Excerpts from the statement:
Although our Eufy security app allows users to choose between text-based and thumbnail-based push notifications, it has not been made clear that selecting thumbnail-based notifications requires the thumbnails to be temporarily hosted in the cloud. This lack of communication was an oversight on our part and we sincerely apologize for our error. Going forward, our communication on this matter will be improved:
- We’re revising the language of the push notification options in the Eufy Security app to clearly state that push notifications with thumbnails require thumbnail images that are temporarily stored in the cloud.
- We will make our use of the cloud for push notifications more prominent in our consumer marketing materials.
- Eufy Security is committed to protecting the privacy and data of its users and thanks the security research community for bringing this to our attention.”
Digital marketing enthusiast and industry professional in Digital technologies, Technology News, Mobile phones, software, gadgets with vast experience in the tech industry, I have a keen interest in technology, News breaking.
