Eufy’s statement to keep “privacy in your own hands” was disabled, after a researcher caught the security camera company uploading footage locally only to the cloud without permission or knowledge. user’s consciousness. On top of that, users have also been told that you can view camera streams using VLC without authentication.
Paul Moore, a security researcher, was the first to expose a security vulnerability in local data stored in the cloud. He points out in the video below that even though Eufy Security claims to take “every step imaginable” to keep users’ data private and local, it still loads not only video thumbnails to a cloud server, but also photos of the faces of people detected in the video and user identification data.
Also: These file types are the ones most commonly used by hackers to hide their malware
Eufy recommends keeping recorded video data in HomeBase, like a smart home hub on steroids. HomeBase connects to Eufy devices around your home and stores data in them, so your videos and photos are always local and you don’t have to pay for cloud services like with other devices. other companies, such as Ring.
It’s popular among smart home enthusiasts because of this very feature: your videos and any pertinent data will be securely stored in your home, only on HomeBase’s memory drive and/or hard drive. additional HDD or SSD.
Moore tested this by walking to Dual Eufy Video Doorbellwait for the message to appear on his phone, then unplug the HomeBase.
Moore points out that when his HomeBase goes offline, two photos remain in the AWS cloud server: One of the video thumbnails and the other photo is of his face when the doorbell camera detects a person, as well as user-identifying information. Of course, the video is no longer available on the mobile app on his phone, as HomeBase is not accessible.
Eufy replied by acknowledging the problem and indicating that the image is only used for the message and is immediately removed from the server when the user deletes the event. However, after he deleted the events from his Eufy Security app, the image is still on the server.
On top of that, other users revealed that anyone can access the Eufy camera without authentication or encryption using VLC remotely.
Since these allegations surfaced, precipice says it has tried this successfully, “proving that Anker has a way to bypass the encryption and access these supposedly secure cameras through the cloud”.
Does this mean Eufy is not secure?
Based on An email From Eufy Security to Moore, HomeBase 3 is exempt from using the AWS cloud server to upload event screenshots because of the “high performance database” created on the device.
Unplugging your HomeBase is like disconnecting a USB flash drive from your computer: Everything on the flash drive will no longer be available on the computer when it is removed.
Eufy should check the heart rate to make sure that when HomeBase is offline, any screenshots taken are removed from that profile. At the very least, a disclaimer will appear when you enable snapshots on your notifications to say that these images will be stored in a cloud server if enabled.
As far as other people accessing Eufy camera streams remotely? All I can say is I’m keeping my Eufy camera outside my house at the moment.
