Eufy “no cloud” security cameras streaming data to the cloud
Eufy home security cameras are currently in a spot of trouble as a result of door camera footage. This is because it turns out that data which should not have been going to the cloud was doing so anyway in certain conditions.
Securing your home: a complicated proposition
Insecure cameras, unprotected cloud footage, streams going where they shouldn’t be: these are all areas for concern when looking into buying a home security system. Maybe you want full CCTV across the property. Perhaps you want alarms tied to cameras, or just a doorbell cam to see who’s popping in during the day.
In all of these cases, potential buyers need to find the answers to just some of the following questions:
Is the device internet connected?
Can you access feeds from outside your home, and if so, how?
Is the footage password protected? Is the device password protected?
If we’re talking storage, is data written to a local drive, or are cloud services available? Is the cloud offering bespoke, or can you hook up the device to a cloud provider of your choosing?
Is the footage encrypted? Is audio recorded? How long is any of this stored for, and under what conditions?
If there’s an app, how secure is it?
When there’s a service outage, are the devices rendered inoperable?
It’s not just a case of buying some random cameras and bolting them to the side of your house. There’s a lot to consider, and even then, something can happen to catch you completely unaware…as we’re about to find out.
When “local” means “also some cloud”
Many folks would err on the side of caution where cameras are concerned, choosing not to go down the road of internet connectivity or footage being placed in the cloud. Now, security researcher Paul Moore has discovered that a system he chose for those reasons was in fact placing data in the cloud anyway.
You have some serious questions to answer @EufyOfficial
Here is irrefutable proof that my supposedly “private”, “stored locally”, “transmitted only to you” doorbell is streaming to the cloud – without cloud storage enabled.#privacyhttps://t.co/u4iGgkWkJB
— Paul Moore (@Paul_Reviews) November 23, 2022
Facial recognition data in the form of thumbnails and other information was being stored against usernames. Paul Moore claims that data is kept on servers even after being deleted from the app. As Gizmodo notes, another user discovered that this data wasn’t encrypted. Moore even found out that you can remotely start a stream and watch live with VLC.
Ah well, the cats out the bag now… so may as well tell you.
You can remotely start a stream and watch @EufyOfficial cameras live using VLC. No authentication, no encryption.
Please don’t ask for a PoC – I can’t release this one.
Heads up @TechLinkedYT @LinusTech https://t.co/sU3FyRaELX
— Paul Moore (@Paul_Reviews) November 25, 2022
What was happening with the thumbnails, and more importantly, why was it happening? Well, the system in question defaults to text alerts only. You have the option to tweak this, allowing for options with thumbnail included if available. What was not made as clear as it could be is that these thumbnails are temporarily sent to Eufy’s AWS servers before arriving in the notification.
Sure, it’s not there long. However, people buying a device on a “No cloud, please” policy are going to expect their data to never be in the Cloud. If it turns out to not be the case at any point in the device’s operation, those people are going to be understandably annoyed without clear explanation and notification.
Fixing a cloudy outlook
Some of the many issues raised here have already been patched by Eufy, and the organisation told Android Central that it is in full compliance with GDPR standards. Despite this, Eufy admitted that it was not made clear enough that selecting thumbnail-based notifications would mean preview images being briefly hosted in the cloud.
The following changes are being made, according to the rest of the statement given to Android Central:
“We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.”
What we have now is definitely an improvement over people finding out that their non-cloud storage doorbell system is in fact doing some form of cloud storage, no matter how briefly. This just goes to show how much effort needs to also go into disclosure and clear, transparent explanations of functionality. Despite being a security researcher who did due diligence before purchasing a system, he still made a surprising discovery and only then after having put the device to work.
If, after having read your own user manual, there’s anything which seems slightly off or not clear enough, the very best thing you can do is approach support directly. Most of the time something like this is a genuine oversight, and organisations would very much like to get it right the first time. If we have to occasionally help them along to get it right on the second attempt, let’s aim for that too if all else fails.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.