Anker’s popular Eufy-branded security cameras appear to be sending data to the cloud, even when cloud storage is disabled and local storage-only settings are enabled. The information comes from security consultant Paul Moore, who released a video last week outlining the issue.
According to Moore, he bought a Eufy Doorbell Dual, which was supposed to store video recordings on the device itself. He discovered that Eufy uploads thumbnail images of faces and user information to its cloud service when cloud functionality is not enabled.
Moore demonstrates the unauthorized cloud uploading by allowing his camera to capture his image and then turning off the Eufy HomeBase. The website is still able to access the content via cloud integration, even though he had not signed up for the cloud service, and the content remains accessible even when the images are deleted from the Eufy app. It’s important to note that Eufy doesn’t appear to automatically upload the full streaming video to the cloud, but rather captures thumbnails from the video.
Thumbnails are used in the Eufy app to enable video streaming from the Eufy Base Station, allowing Eufy users to watch their videos while away from home, as well as to send rich notifications. The problem is that thumbnails are automatically uploaded to the cloud even when the cloud feature is not active, and Eufy also seems to use facial recognition on uploads. Some users have taken issue with the unauthorized cloud uploads, as Eufy advertises a local-only service and is popular among those who want a more private camera solution. “No Clouds or Costs,” reads Eufy’s website.
Moore suggests that Eufy is also capable of linking facial recognition data collected from two separate cameras and two separate apps to users, all without the camera owners knowing.
Other Eufy users responded to Moore’s tweet reporting that they saw the same thing happen, and there is also a dedicated Reddit thread on the subject. Moore tested the Eufy doorbell camera, but other Eufy cameras seem to work the same way. As Moore demonstrates, images can be accessed with simple URLs after login, posing a potential security risk to those affected. After Moore’s tweet, Eufy removed the background call that reveals the stored footage, but did not remove the footage itself.
Moore received a response from Eufy in which Eufy confirmed that it was uploading event listings and thumbnails to AWS, but said the data could not “leak to the public” because the URL is restricted, time-limited and requires account login.
There’s also another issue that Moore highlighted, suggesting that Eufy camera streams can be watched live using an app like VLC, but not much information about the exploit is available at the moment. Moore said unencrypted Eufy camera content is accessible without authentication, which is alarming for Eufy users.
We’ve reached out to Anker for additional feedback on the Eufy issue and will update this article if we receive a response. Moore said he has been in contact with Eufy’s legal department and will give them time “to investigate and take appropriate action” before commenting further.
Update: Anker provided a statement to MacRumors explaining why the images are being collected and how the issue will be resolved in the future.
eufy Security is designed as a local home security system. All video footage is stored locally and encrypted on the user’s device. As for eufy Security’s facial recognition technology, all of this is processed and stored locally on the user’s device.
Our products, services and processes are fully compliant with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.
To provide users with push notifications on their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails use server-side encryption and are set to be automatically deleted and comply with Apple Push Notification Service and Firebase Cloud Messaging standards. Users can only access or share these tiles after securely logging into their eufy Security account.
Although our eufy Security app allows users to choose between text-based or tile-based push notifications, it was not specified that choosing tile-based notifications would require preview images to be briefly hosted in the cloud.
This lack of communication was an oversight on our part and we sincerely apologize for our error. Here is how we intend to improve our communication in this area:
1) We’re revising the push notification options language in the eufy Security app to make it clear that thumbnail push notifications require preview images that will be temporarily stored in the cloud.
2) We will be clearer about using the cloud for push notifications in our consumer marketing materials.
eufy Security is committed to respecting the privacy and data protection of our users and appreciates the security research community who contact us to bring this to our attention.