Eufy’s claims to keep “privacy in your own hands” have been rendered null, after a researcher caught the security camera company uploading local-only footage to the cloud without user authorization or knowledge. To top it all off, users have also been made aware that you can watch camera streams using VLC without authentication.
Paul Moore, a security researcher, was the first to expose the security flaw in local data being stored in the cloud. He pointed out in the video below that, even though Eufy Security claims to take “every step imaginable” to keep its users’ data private and local, it still uploads not only video thumbnails to cloud servers but also photos of the faces of people detected in the video, and user identifier data.
Eufy Security, a brand owned by the Chinese company Anker Innovations, touts to keep captured video data in the HomeBase, which is like a smart home hub on steroids. The HomeBase connects to Eufy devices around your home and stores the data within it, so your videos and pictures stay local and you don’t have to pay for cloud services like you would with other companies such as Ring.
It’s popular among smart home enthusiasts because of this very feature: your videos and any pertinent data stay safely in your home, only saved in the HomeBase’s memory drive and/or an added HDD or SSD.
Also: These file types are the ones most commonly used by hackers to hide their malware
Moore tested this by walking to his Eufy Video Doorbell Dual, waiting for the notification to appear on his phone, then unplugging the HomeBase.
Moore pointed out that once his HomeBase was offline, two photos remained in the AWS cloud server: one of the video thumbmail and the other of his face when the doorbell camera detected a person, as well as user identifier information. The video was no longer available on the mobile app on his phone, of course, since the HomeBase was unreachable.
There is an option to enable cloud storage in the Eufy Security app, but Moore discovered the data was uploaded to cloud servers even when the cloud storage was disabled.
Eufy responded by admitting to the issue and pointing out that the images are only used for notifications and immediately deleted from the server when the user deletes the events. However, once he deleted the events from his Eufy Security app, the images were still left on the server.
To top it all off, other users exposed that anyone could potentially access a Eufy camera without authentication or encryption by using VLC remotely.
Since these allegations came out, The Verge said it tried this successfully, “proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud”.
ZDNET reached out to Anker, Eufy’s parent company, for comment but we’ve yet to hear back.
Does this mean Eufy isn’t secure?
According to an email from Eufy Security to Moore, the HomeBase 3 is exempt from using the AWS cloud server to upload event screenshots due to a “high-performance database” made on the device.
Unplugging your HomeBase is like disconnecting a USB flash drive from your computer: whatever is on the flash drive is no longer available on the computer when it’s removed.
Eufy should have a heartbeat check that, once the HomeBase is offline, any screenshots taken are deleted from that profile. At the very least, a disclaimer should appear when you enable snapshots on your notifications to say that these images would be stored in a cloud server if enabled.
The biggest problem with this situation isn’t that users’ data is stored in cloud servers; it’s that this is being done not only without consumers’ consent, but with Eufy publicly touting to do the opposite.
As far as someone else accessing the Eufy camera streams remotely? All I can say is that I’m keeping my Eufy cameras outside my home for the time being.