Eufy cameras upload content to the cloud without owners' knowledge

A security researcher has discovered that Anker's Eufy security cameras send user images and information to the cloud without the owners' consent -- even if the user doesn't pay for a cloud subscription.




Security consultant Paul Moore discovered that his Eufy Doorbell Dual was uploading data to the cloud, despite the fact he'd disabled cloud functionality. Moore uploaded a short video to YouTube to highlight what he'd found.





In the video, Moore shows how even after turning off the Eufy HomeBase, the Eufy website can still access an image he uploaded despite not signing up for the cloud service. Furthermore, the image is still accessible even after Moore removes it from the Eufy app.

Interestingly, it doesn't appear that Eufy is uploading the video as video, but rather as a series of thumbnails.

Eufy also appears to be using facial recognition on the uploads. Moore surmises that Eufy could link the facial recognition data collected from multiple cameras and apps to users -- without the user's knowledge or consent.

After the disclosure, Eufy contacted Moore to confirm that it uploads events and thumbnails to Amazon Web Services. However, the company says the data cannot be leaked as the URL is only available for a short period of time and requires an account login.

A final issue Moore notes is that Eufy camera streams could be watched live using an app like VLC, though he didn't provide information on how this is possible. In addition, worryingly enough, Moore notes that the streams aren't encrypted and can be accessed without authentication.

Ah well, the cat's out the bag now... so may as well tell you.

You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption.

Please don't ask for a PoC - I can't release this one.

Heads up @TechLinkedYT @LinusTech https://t.co/sU3FyRaELX

-- Paul Moore (@Paul_Reviews)


Since his initial post, Moore posted that he'd "had a lengthy discussion with Eufy's legal department." He also stated that it would be "appropriate at this stage to give them time to investigate and take appropriate action," and that he could not comment further.

This isn't the first time Eufy has come under fire for security lapses. Most notably, in May of 2021, users of Eufy cameras discovered that cameras owned by other users were viewable in their app instead of what they were expecting to see from their own cameras, and settings could be changed by those granted bogus access.


Comments

  • Reply 1 of 8
    Apparently, Eufy has been aware of this already, which means they have also missed all deadlines on notifying agencies about GDPR violations etc. This could cost them at least a few billion EUR.

    I wonder how this affects people who only ever used it with Homekit, as it claims to be disabling most of the Eufy functionality.
  • Reply 2 of 8
    A few days ago on the AI story called "Here are all the devices getting Matter Support" I said that the Eufy camera was insecure even when using HomeKit Secure Video, let alone when using HomeKit. Despite the people who argued against me, I guess this story supports my fears about Eufy.

    Here was part of my claim:
    it [Eufy cameras] probably works using additional software running on the hub and/or on your iOS device that requires an Internet connection and communicates some data back to home base, which is usually China. 

    Where do I go to claim my reward?

  • Reply 3 of 8
    Yeah, this was obvious because their cams would still send you notifications via their app about movement and certain objects being detected — likely sending images up to AWS and they were using AWS Rekognition.

    I use a HomeKit secure router functionality to restrict their cameras to only be able to communicate on the local home intranet — a Home hub can still provide the camera feed via HomeKit.
  • Reply 4 of 8
    zviratko said:
    Apparently, Eufy has been aware of this already, which means they have also missed all deadlines on notifying agencies about GDPR violations etc. This could cost them at least a few billion EUR.

    I wonder how this affects people who only ever used it with Homekit, as it claims to be disabling most of the Eufy functionality.
    Having Eufy cameras enrolled in Homekit doesn't keep one from using the Eufy software to view the cameras.  I've got 5 cameras and can view them in Homekit or Eufy app.  Some advanced features are disabled in Eufy app since they are in Homekit, but basic functionality works just fine.
  • Reply 5 of 8
    VLC lets you specify a URL that defines a video feed; I'd always wondered what that was for. Never made the mental connection to video surveillance, but it is obvious now.
  • Reply 6 of 8
    A few days ago on the AI story called "Here are all the devices getting Matter Support" I said that the Eufy camera was insecure even when using HomeKit Secure Video, let alone when using HomeKit. Despite the people who argued against me, I guess this story supports my fears about Eufy.

    Here was part of my claim:
    it [Eufy cameras] probably works using additional software running on the hub and/or on your iOS device that requires an Internet connection and communicates some data back to home base, which is usually China. 

    Where do I go to claim my reward?

    No reward for you!

    In that same discussion I informed you that you were wrong.  My FW blocks the base/cameras from the internet - only local LAN/WiFi.  The cameras work perfectly fine via HomeKit Secure Video, and have no direct internet access.  Maybe go re-visit that discussion you are referring to?  Or maybe you prefer selective memory?
  • Reply 7 of 8
    nicholfd said:
    A few days ago on the AI story called "Here are all the devices getting Matter Support" I said that the Eufy camera was insecure even when using HomeKit Secure Video, let alone when using HomeKit. Despite the people who argued against me, I guess this story supports my fears about Eufy.

    Here was part of my claim:
    it [Eufy cameras] probably works using additional software running on the hub and/or on your iOS device that requires an Internet connection and communicates some data back to home base, which is usually China. 

    Where do I go to claim my reward?

    No reward for you!

    In that same discussion I informed you that you were wrong.  My FW blocks the base/cameras from the internet - only local LAN/WiFi.  The cameras work perfectly fine via HomeKit Secure Video, and have no direct internet access.  Maybe go re-visit that discussion you are referring to?  Or maybe you prefer selective memory?
    Did you watch the video that I referred you to in that thread, which said "The Eufy setup process requires Internet access and won't even start without it" even if you aren't using their cloud service. Also, "User can't see triggered events or saved video unless the camera and phone are connected to the Internet." Also, "It's a little strange that your base station won't work unless it's connected to the Internet even if you're not using the Eufy app or the remote viewing features. Why does the base station need the Internet if the cameras are all connected to the base station by your local network?" Since you were silent on these specific issues in that other thread, I assumed you knew you were wrong, and that's why I didn't reply to you.

    Your next step should be to address those questions. Don't avoid them here, like you did in that other thread.
  • Reply 8 of 8
    nicholfd said:
    A few days ago on the AI story called "Here are all the devices getting Matter Support" I said that the Eufy camera was insecure even when using HomeKit Secure Video, let alone when using HomeKit. Despite the people who argued against me, I guess this story supports my fears about Eufy.

    Here was part of my claim:
    it [Eufy cameras] probably works using additional software running on the hub and/or on your iOS device that requires an Internet connection and communicates some data back to home base, which is usually China. 

    Where do I go to claim my reward?

    No reward for you!

    In that same discussion I informed you that you were wrong.  My FW blocks the base/cameras from the internet - only local LAN/WiFi.  The cameras work perfectly fine via HomeKit Secure Video, and have no direct internet access.  Maybe go re-visit that discussion you are referring to?  Or maybe you prefer selective memory?
    Did you watch the video that I referred you to in that thread, which said "The Eufy setup process requires Internet access and won't even start without it" even if you aren't using their cloud service. Also, "User can't see triggered events or saved video unless the camera and phone are connected to the Internet." Also, "It's a little strange that your base station won't work unless it's connected to the Internet even if you're not using the Eufy app or the remote viewing features. Why does the base station need the Internet if the cameras are all connected to the base station by your local network?" Since you were silent on these specific issues in that other thread, I assumed you knew you were wrong, and that's why I didn't reply to you.

    Your next step should be to address those questions. Don't avoid them here, like you did in that other thread.
    I don't have to address anything.  You are quoting another article, without any 1st hand proof.  I personally know my devices (Homebase2 & cameras) cannot reach the internet.  I know my devices work perfectly fine with HomeKit secure video, while not being able to reach the internet.  My devices do not work with the Eufy app once configured for HomeKit Secure video & blocked from the internet.