Eufy not patching cameras, instead just warning users about cloud use
Eufy isn't patching out a potential security issue in the Eufy Security app, and is instead just telling users that their thumbnails will be uploaded to the cloud when they choose specific notification settings in the app.
In late November, a security researcher discovered that Anker's Eufy security cameras sent user images and information to the cloud without the owners' consent -- even if the user doesn't pay for a cloud subscription.
In response, Eufy has added a statement on their App Store listing and in the Eufy Security app that discloses when the cloud service will be involved when users choose a specific notification option.
The Eufy Security app has a few different options for notifications. For example, users can choose to have notifications display only text or to display text and a thumbnail image of the camera. If the user selects the thumbnail option, Eufy uploads the image to the cloud.
As noted by ZDnet, the issue isn't that Eufy was uploading images to the cloud, it was that it hadn't been informing users that it was doing so.
For those who own a Eufy security camera and don't want their data uploaded to the cloud, we encourage you to change your notification type within the Eufy Security app to Most Efficient, rather than Full Effect or Include Thumbnail.
The company still needs to address the issue that would allow Eufy camera streams to be watched live using an app like VLC. The streams are not encrypted and can be accessed without authentication.
This isn't Eufy's first security hiccup, either. In May of 2021, users of Eufy cameras discovered that cameras owned by other users were viewable in their app instead of what they were expecting to see from their own cameras, and settings could be changed by those granted bogus access.
Read on AppleInsider
In late November, a security researcher discovered that Anker's Eufy security cameras sent user images and information to the cloud without the owners' consent -- even if the user doesn't pay for a cloud subscription.
In response, Eufy has added a statement on their App Store listing and in the Eufy Security app that discloses when the cloud service will be involved when users choose a specific notification option.
The Eufy Security app has a few different options for notifications. For example, users can choose to have notifications display only text or to display text and a thumbnail image of the camera. If the user selects the thumbnail option, Eufy uploads the image to the cloud.
As noted by ZDnet, the issue isn't that Eufy was uploading images to the cloud, it was that it hadn't been informing users that it was doing so.
For those who own a Eufy security camera and don't want their data uploaded to the cloud, we encourage you to change your notification type within the Eufy Security app to Most Efficient, rather than Full Effect or Include Thumbnail.
The company still needs to address the issue that would allow Eufy camera streams to be watched live using an app like VLC. The streams are not encrypted and can be accessed without authentication.
This isn't Eufy's first security hiccup, either. In May of 2021, users of Eufy cameras discovered that cameras owned by other users were viewable in their app instead of what they were expecting to see from their own cameras, and settings could be changed by those granted bogus access.
Read on AppleInsider
Comments
People need to grow up.
So a Thumbnail, and text regarding the thumbnail to support a notification that the user had to request to receive, but the app didn’t tell them it was being sent on the net, even though that’s the only way they could get it? That’s the main issue?
Connecting with vlc on a local network is a security hole, you still need to connect to the local network in order to connect to the cameras, then you too can see when the Amazon driver drops off your packages. Needs to be fixed, but Apple and others have had worse.
Nice to know, but click bait