Watch out for these connected cameras and doorbells


Anker Eufy security cameras and connected doorbells have a big security problem. Data that is supposed to be stored locally is actually sent to the company’s servers, along with sensitive information. The recordings can also be viewed by third parties using a player such as VLC. Approached by The Verge, the brand tried to minimize the situation, then began to offer some explanations.

A Eufy connected doorbell // Source: Eufy

Update December 7: Eufy has updated its app to provide some explanation. More information at the end of this article originally published on December 2.


Imagine: a person you don’t know (on the other side of the world or a stone’s throw from your home) can watch on their PC, without restriction, everything that happens on your doorstep or in your garden. There is reason to feel uncomfortable. Yet this is what can happen with certain surveillance cameras and connected doorbells.

Indeed, the connected home brand Eufy, powered by Anker, has been under fire since a gigantic security breach was discovered and lies were brought to light. It all started at the end of November. IT security consultant Paul Moore called out Eufy on Twitter, saying he had “irrefutable proof” (on video) that the data recorded by his connected doorbell, supposed to be stored locally, is actually sent to the cloud even when the cloud storage option is deactivated.

You have some serious questions to answer @EufyOfficial

Here is irrefutable proof that my supposedly “private”, “stored locally”, “transmitted only to you” doorbell is streaming to the cloud – without cloud storage enabled. #privacy https://t.co/u4iGgkWkJB

— Paul Moore (@Paul_Reviews) November 23, 2022

The specialist shows in particular that his Anker Eufy connected doorbell sent facial recognition data (with information to identify people) to the brand’s servers. Paul Moore also explains that the items uploaded in this way were not removed from Eufy’s servers when the user deleted the corresponding footage in the dedicated app.

Recorded videos accessible… via VLC

That’s not all. The computer security expert realized that Eufy can use the same facial recognition data on two different cameras and two different accounts. A person can therefore be recognized in two different places, whereas the data enabling this are supposed to be stored locally. Paul Moore does not explain how to exploit the flaw, but Android Central managed to reproduce this manipulation on a EufyCam 3 camera paired with a Eufy HomeBase 3.

The matter does not end there, quite the contrary. It was also discovered that the recordings from Eufy’s surveillance cameras and doorbells were not properly encrypted. As a result, someone who likes to tinker can watch the videos using VLC, the well-known video player. A gold mine for ill-intentioned people.

Ah well, the cats out the bag now… so may as well tell you.

You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption.

Please don’t ask for a PoC – I can’t release this one.

heads up @TechLinkedYT @LinusTech https://t.co/sU3FyRaELX

— Paul Moore (@Paul_Reviews) November 25, 2022

Lies

A spokesperson for Anker, however, confidently told The Verge that it was “not possible to start a stream and watch live images using a third-party player such as VLC”. Yet this is exactly what the American outlet then managed to do. It therefore accuses the brand of having lied.

The journalists of The Verge do specify that they needed the authentication information at the start in order to look up the details of the video recordings. However, they did not face any further verification steps afterwards. They were able to view the videos as long as the camera was active, either after detecting movement or because its owner was watching what it was filming.

Anker Eufy has not yet publicly reacted to these new accusations. Paul Moore claims to have received an email from the group, but believes that the latter minimizes the seriousness of the situation.

An updated app

A few days after this case escalated, Eufy updated its app to clarify some things. The Anker brand now explains that data is indeed sent to remote servers when certain settings are activated.

As 9to5Google summarizes, regarding the flaw allowing video recordings to be played via third-party players like VLC, Eufy admits that “thumbnails” of videos captured by its cameras or connected doorbells were uploaded in order to then send notifications to users.

ZDNet also shares a preview of the updated Eufy app on iOS; it seems that the Android version has not received this update yet.

Source: ZD Net

Despite these new features, Eufy does not address the concern over facial recognition data.

