What you need to know
- Security researcher Paul Moore has discovered several security flaws in Eufy's cameras.
- User images and facial recognition data are being sent to the cloud without user consent, and live camera feeds can purportedly be accessed without any authentication.
- Moore says some of the issues have since been patched but cannot verify that cloud data is being properly deleted. Moore, a U.K. resident, has taken legal action against Eufy because of a possible breach of GDPR.
- Eufy support has confirmed some of the issues and issued an official statement on the matter saying an app update will offer clarified language.
Update Nov 29, 11:32 am: Added Paul Moore's response to Android Central.
Update Nov 29, 3:30 pm: Eufy issued a statement explaining what's going on which can be seen below in Eufy's explanation section.
Update Dec 1, 10:20 am: Added information The Verge uncovered confirming that unencrypted camera streams can be accessed via software like VLC.
Update Dec 2, 9:08 am: Added the latest statement from Eufy.
Video footage from active Eufy cameras can be accessed via video software like VLC, even without proper authentication.
For years, Eufy Security has prided itself on its mantra of protecting user privacy, primarily by only storing videos and other relevant data locally. But a security researcher is calling this into question, citing evidence that shows some Eufy cameras are uploading photos, facial recognition imagery, and other private data to its cloud servers without user consent.
A series of Tweets (opens in new tab) from information security consultant Paul Moore seems to show a Eufy Doorbell Dual camera uploading facial recognition data to Eufy's AWS cloud without encryption. Moore shows that this data is being stored alongside a specific username and other identifiable information. Adding to that, Moore says that this data is kept on Eufy's Amazon-based servers even when the footage has been "deleted" from the Eufy app.
Furthermore, Moore alleges that videos from cameras can be streamed via a web browser by inputting the right URL and that no authentication information needs to be present to view said videos. The Verge (opens in new tab) has since obtained the method to stream unencrypted videos from Eufy cameras and says it was able to stream videos via the free VLC app without any proper authentication.
The Verge also said that it wasn't able to access this video unless the camera had already been woken up, usually by a motion detection event and subsequent recording. Sleeping cameras cannot be randomly woken up or accessed remotely using this method.
Moore shows evidence that videos from Eufy cameras that are encrypted with AES 128 encryption are only done so with a simple key rather than a proper random string. In the example, Moore's videos were stored with "ZXSecurity17Cam@" as the encryption key, something that would be easily cracked by anyone really wanting your footage.
Anyone with your camera's serial number could theoretically be able to gain access so long as the camera is awake.
At this time, it appears that the address used to view a camera's stream has now been hidden from the app and the web interface so, unless someone makes that address public, it's not likely this exploit will be used in the wild.
Were that address to be made public, gaining entry only requires your camera's serial number coded in Base64, per The Verge's investigation. The Verge also says that, while the address includes a Unix timestamp that should be used for verification, Eufy's system isn't actually doing its job and will verify anything put in its place, including nonsense words.
Given this particular design, anyone with your camera's serial number could theoretically be able to gain access so long as the camera is awake.
Eufy's thumbnail notifications are uploading images to the cloud. The simple fix is to disable thumbnails in the Eufy app.
Moore has been in contact with Eufy support and they corroborate the evidence, citing that these uploads occur to help with notifications and other data. Support doesn't seem to have provided a valid reason why identifiable user data is also attached to the thumbnails, which could open up a huge security hole for others to find your data with the right tools.
Moore says that Eufy has already patched some of the issues, making it impossible to verify stored cloud data status, and has issued the following statement:
"Unfortunately (or fortunately, however you look at it), Eufy has already removed the network call and heavily encrypted others to make it almost impossible to detect; so my previous PoCs no longer work. You may be able to call the specific endpoint manually using the payloads shown, which may still return a result."
Android Central is in discussion with both Eufy and Paul Moore and will continue to update this article as the situation develops. At this point, it's safe to say that, if you're concerned about your privacy — which you absolutely should be — it doesn't make much sense to use a Eufy camera either inside (opens in new tab) or outside of your home.
Eufy issued this updated statement on December 2:
"eufy Security adamantly disagrees with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions."
Eufy's first statement and explanation are below. Beyond that, we've also included Paul Moore's original proof of concept of the issue.
Eufy's explanation
On November 29, Eufy told Android Central that its "products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications."
By default, camera notifications are set to text-only and do not generate or upload a thumbnail of any kind. In Mr. Moore's case, he enabled the option to display thumbnails along with the notification. Here's what it looks like in the app.
Eufy says that these thumbnails are temporarily uploaded to its AWS servers and then bundled into the notification to a user's device. This logic checks out since notifications are handled server side and, normally, a text-only notification from Eufy's servers would not include any sort of image data unless otherwise specified.
Eufy says that its push notification practices are "in compliance with Apple Push Notification service and Firebase Cloud Messaging standards" and auto-delete but did not specify a timeframe in which this should occur.
Moreover, Eufy says that "thumbnails utilize server-side encryption" and should not be visible to users who are not logged in. Mr. Moore's proof of concept below used the same incognito web browser session to retrieve thumbnails, thereby utilizing the same web cache he previously authenticated with.
Eufy says that "although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud. That lack of communication was an oversight on our part and we sincerely apologize for our error."
Eufy says it's making the following changes to improve communication on this matter:
- We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
- We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.
Eufy has yet to respond to several follow-up questions Android Central sent asking about additional issues found in Paul Moore's proof of concept below. At this time, it appears that Eufy's security methods are flawed and will take re-engineering before they are fixed.
Paul Moore's proof of concept
Eufy sells two main types of cameras: cameras that connect directly to your home's Wi-Fi network, and cameras that only connect to a Eufy HomeBase via a local wireless connection.
Eufy HomeBase's are designed to store Eufy camera footage locally via a hard drive inside the unit. But, even if you have a HomeBase in your home, purchasing a SoloCam or Doorbell that connects directly to Wi-Fi will store your video data on the Eufy camera itself instead of the HomeBase.
In Paul Moore's case, he was using a Eufy Doorbell Dual which connects directly to Wi-Fi and bypasses a HomeBase. Here's his first video on the issue, published on November 23, 2022.
In the video, Moore shows how Eufy is uploading both the image captured from the camera and the facial recognition image. Further, he shows that the facial recognition image is stored alongside several bits of metadata, two of which include his username (owner_ID), another user ID, and the saved and stored ID for his face (AI_Face_ID).
What makes matters worse is that Moore uses another camera to trigger a motion event, then examines the data transferred to Eufy's servers in the AWS cloud. Moore says that he used a different camera, different username, and even a different HomeBase to "store" the footage locally, yet Eufy was able to tag and link the facial ID to his picture.
That proves that Eufy is storing this facial recognition data in its cloud and, on top of that, is allowing cameras to readily identify stored faces even though they aren't owned by the people in those images. To back that claim up, Moore recorded another video of him deleting the clips and proving that the images are still located on Eufy's AWS servers.
Additionally, Moore says that he was able to stream live footage from his doorbell camera without any authentication but did not provide public proof of concept due to the possible misuse of the tactic if it were to be made public. He has notified Eufy directly and has since taken legal measures to ensure Eufy complies.
At the moment, this looks very bad for Eufy. The company has, for years, stood behind only keeping user data local and never uploading to the cloud. While Eufy also has cloud services, no data should be uploaded to the cloud unless a user specifically allows such a practice.
Furthermore, storing user IDs and other personally identifiable data alongside a picture of a person's face is a massive security violation, indeed. While Eufy has since patched the ability to easily find the URLs and other data being sent to the cloud, there's currently no way to verify that Eufy is or is not continuing to store this data in the cloud without user consent.
