Eufy’s security cameras send data to the cloud without consent. But that’s not the worst


Claims by Eufy, a division of Anker, that ‘privacy is in your hands’ have been dismissed after a researcher caught the security camera company uploading to the cloud footage that was meant to be hosted only locally, without the authorization or knowledge of the user. To top it all off, users have also been informed that it is possible to watch camera streams using VLC without authentication.

Paul Moore, a security researcher, was the first to expose the security flaw in storing local data in the cloud. He pointed out that even though Eufy Security claims to take “every measure imaginable” to keep its users’ data private and local, it still uploads not only video thumbnails to cloud servers, but also photos of the faces of people detected in the video and user identification data.

Eufy boasts of keeping captured video data in the HomeBase box, which looks like a super hub. HomeBase connects to Eufy devices in your home and stores data, so your videos and photos stay hosted locally and you don’t have to pay for cloud services as you would with other companies like Ring.

Local storage is very popular among smart home enthusiasts because your videos and all relevant data remain safe in your home, saved only on the HomeBase hard drive and/or an external hard drive. But apparently not so much at Eufy!

Paul Moore tested the process by going home, waiting for the notification to appear on his phone, then unplugging his HomeBase.

He notes that after his HomeBase was unplugged, two photos remained on the AWS cloud server: one of the video thumbnail and one of his face from when the doorbell camera detected a person, along with the credentials of the user. The video was no longer available in his phone’s mobile app, of course, since the HomeBase was inaccessible.

Eufy replied, admitting the problem and pointing out that the images are only used for notifications and are immediately deleted from the server when the user deletes the events. However, after Moore deleted the events from his Eufy Security app, the footage remained on the server.

To top it off, other users have revealed that anyone can potentially access a Eufy camera without authentication or encryption using VLC remotely.

Since these allegations came out, The Verge said they have tried, with success, “proving that Anker has a way to bypass encryption and access these supposedly secure cameras via the cloud.”

Does this mean Eufy is not secure?

According to an email from Eufy Security to Paul Moore, the HomeBase 3 is exempt from using the AWS cloud server to upload event screenshots due to a “high performance database” on the device.

Unplugging your HomeBase is like unplugging a USB drive from your computer: what’s on the flash drive is no longer available on the computer when it’s removed.

Eufy should verify that once the HomeBase is offline, any screenshots taken are deleted from this profile. At a minimum, a warning should appear when you enable screenshots on your notifications to say that those images will be stored in a cloud server if enabled.

Source: ZDNet.com




