The software update adds mention of transferring data to a missing cloud service. Image: Maria Diaz/ZDNET.
For the past two weeks, Eufy Security has been at the center of criticism. The issue? Multiple security flaws in its system reported by customers.
On Monday, the company rolled out an update to its Eufy Security app in response: The app now notifies users that all video thumbnails are uploaded to the company’s cloud servers.
Images uploaded to AWS servers without consent
This update follows reports that images captured from the camera or face detection stream were sent to AWS cloud servers, even when the cloud storage option was disabled in the app settings.
The Eufy Security app allows users to opt for text-only push notifications, or text and a thumbnail of the image captured by the camera. These photos are only sent to the cloud when the customer chooses to display the thumbnail in push notifications on their phone.
A contradiction hidden by the company
Truth be told, storing images in the cloud is a pretty normal process for security cameras, which send photo thumbnail push notifications to Android devices and iPhones.
The problem is that Eufy never revealed it to its customers. The company had even insisted that customer data was kept locally and privately, appealing to people who prefer local storage for privacy reasons.
As evidenced by an email from Eufy leaked by information security consultant Paul Moore, the company was aware of this contradiction, and it was supposed to try to solve the problem with the new version of its application.
Better hide downloaded data
Eufy Security added that it would “encrypt the API between the browser and the server to avoid displaying URLs in the clear.” In other words, the company will hide the downloaded data better.
You can also choose to receive notifications without a thumbnail, which is what I chose to do to avoid this kind of problem.
The new disclaimer added to the Eufy Security app. Image: Maria Diaz/ZDNET.
Anker, the parent company of Eufy Security, did not respond to our request for comment on this update. We don’t yet know if the company will address the issue of being able to view camera feeds without authentication using the VLC player and a URL.