Eufy’s “No Clouds” Cameras Upload Face Thumbnails to AWS

Eufy, a smart home brand from tech accessory company Anker, had become popular among some privacy-minded security camera buyers. Its doorbell camera and other devices proudly proclaimed that they had “no clouds or costs” and that “no one but you has access to your data”.

That’s why security consultant and researcher Paul Moore’s series of tweets and videos demonstrating that Eufy cameras were uploading thumbnail images with names to cloud servers to alert owners’ phones, presumably unencrypted, so stung people. smart home and security enthusiasts this week.

UK-based Moore started ask rhetorical questions to Eufy about his practices on Twitter from November 21. “Why does my #doorbellDual ‘local storage’ store every face, without encryption, on your servers? Why can I stream my camera without #authentication?!” Moore also posted lines from “source code and API responseswhich suggested that a very weak AES key was used to encrypt the video footage.

On November 23, Moore uploaded a video showing his findings. With his Eufy Homebase unplugged, Moore walked past his camera. From an incognito web browser, Moore could display a thumbnail of himself, an image of the stream shortly before he was visible, and, perhaps more disturbingly, ID numbers indicating his recognized face. and his status as the owner of the camera.

A day later, security firm SEC Consult summarized two years of analysis of a EufyCam 2, noting a similar transfer of thumbnails through an Amazon Web Services cloud. The company also saw the weak keys, suggesting “hard-coded encryption/decryption keys that are identical for all Homebase devices sold”, although it’s not clear what the keys were used for.

SEC Consult noted that Eufy appears to have tightened its security since May 2021, when users suddenly gained near-full access to other people’s accounts. “But unfortunately thumbnails of all recorded images still appear to be uploaded to AWS, so the device does not meet our privacy requirements.” The SEC said it accelerated the release of its findings based on Moore’s tweets, and “with [Black Friday] shopping mania just around the corner.”

Moore posted later a response from Eufy to his findings, in which a Eufy support representative states that tiles are limited by account logins and that the URL will “expire within 24 hours” unless the user shares it. The Eufy rep also notes that Eufy “has noticed it before” and also plans to build their Homebase 3 store thumbnails locally.

Moore too claimed in a later tweet, together with another user’s screenshot, that you can remotely start and monitor Eufy camera feeds via VLC without authentication or encryption. Moore said he couldn’t post a proof of concept for the vulnerability. He also has tweeted that Eufy denied his pre-action legal claim against the company, “denying compensation”, but also, according to Moore, offered him a job.

Finally, on Monday, Moore tweeted that he had “a long chat with [Eufy’s] legal department” and would subsequently give them “time to investigate and take appropriate action” and declined to comment further.

Eufy, meanwhile, responded to Ars and other outlets with a statement. Eufy claims that its video footage and “facial recognition technology” are “all processed and stored locally on the users’ device”. For mobile push notifications, however, thumbnail images are “stored briefly and securely on an AWS-based cloud server.” They are server-side encrypted, behind usernames and passwords, automatically deleted, and compliant with Apple and Google messaging standards, as well as General Data Protection Regulation (GDPR) standards.

Eufy admits that when users choose between text-based or tile-based notifications from their system during setup, “it was not specified that choosing tile-based notifications would require preview images briefly hosted in the cloud”.

Eufy pledged to update its configuration language and “be clearer about using the cloud for push notifications in our consumer-facing marketing materials.” Other claims made by Moore and SEC Consult have not been addressed.