Eufy cameras caught sending local footage to cloud
Home security cameras have gotten a lot better in recent days, but the security of your footage has always been a concern. Anker’s Eufy brand claims to keep data local, but a security researcher has exposed that the claim is far from true, with footage not only going to the cloud, but remaining visible even after it was supposedly deleted.
Eufy sells several of its security cameras with the promise that video footage and other data are local only, explicitly saying “no one has access to your data but you” on its website.
Paul Moore, a security researcher, posted on Twitter last week about a concerning security situation with Eufy home security products, including camera-equipped doorbells. In the thread and accompanying videos, Moore shows proof that Eufy cameras are sending data that is said to be “stored locally” to the cloud, even when cloud storage is disabled.
The security hole was first discovered on Eufy’s Doorbell Dual camera, which uses two cameras to view both people walking up to your door and your doorstep, where packages may be left.
The doorbell’s camera was uploading facial recognition data to Eufy’s cloud servers with identifiable information attached, and this data wasn’t actually removed from Eufy’s servers when the related footage had been deleted from the Eufy app. In the video, Moore also notes that Eufy used the facial recognition data from two different cameras on two completely different accounts to link data from each, and points out that Eufy never notifies the user that this is happening – the company’s marketing rather implies just the opposite.
It’s not clear how many of Eufy’s home security cameras and products are affected by this. Android Central was able to replicate the same security issues on a EufyCam 3 paired to a Eufy HomeBase 3.
Perhaps more concerning was another user’s finding that these streams of Eufy footage are accessible over unencrypted streams. Simply using the popular VLC media player, a user was able to access a camera’s feed, and Paul Moore confirmed (though without showing how it works) that the streams can be accessed with no encryption or authentication required.
Update 12/1: The Verge has further confirmed that the VLC security hole exists. An Anker PR manager said confidently “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” while The Verge was able to do just that.
The publication explains that it needed authentication to access the stream’s details originally, but the information then works without any further authentication. They were able to stream video as long as the camera was awake, i.e. when it is recording a clip after detecting motion or being viewed live by its owner. It’s also noted that the URL that accesses these streams includes a Unix timestamp, a random token that isn’t validated at any point, a random four-digit hex code that could “easily be brute forced,” and a value that is based on your camera’s serial number.
Paul Moore, the researcher who first highlighted this issue, also shared with the publication that he has started legal proceedings against Anker.
Eufy has yet to respond to these claims publicly, but the evidence is quite clear at this point, and it’s a massive security failure on top of outright lies to customers. Moore did receive an email from Eufy in which the company tried to explain the behavior shown, though Moore did argue that most of the company’s response was downplaying the seriousness of the issue.
Moore offered an update on the situation yesterday, saying that Eufy has removed the “background call” which shows stored images, but not the underlying footage, and that the company has also encrypted other calls to cover its tracks.
9to5Google’s Take
Yikes.
Source: 9to5google.com