What you need to know
- Paul Moore, a security researcher, discovered numerous security flaws in Eufy cameras.
- Images and facial recognition data from users are being uploaded to the cloud without their consent. Live camera feeds can be accessed by anyone without authentication.
- Moore said that some of the issues have been fixed but he cannot confirm that cloud data was being deleted properly.
- Eufy support has confirmed certain issues, and Moore has taken legal action to sue Eufy for a possible violation of GDPR.
Update Nov 29 11:32 am:Paul Moore’s response on Android Central.
Eufy Security prides itself on protecting user privacy. Specifically, Eufy Security stores videos and other relevant data only locally. A security researcher has questioned this, pointing out evidence that Eufy cameras upload photos, facial recognition imagery and other private data to their cloud servers without the consent of users.
A Serie of tweets(opens new tab)Paul Moore, an information security consultant, seems to have shown a Eufy Doorbell Dual camera uploading facial identification data to Eufy’s AWS cloud. It is not encrypted. Moore shows that the data is stored along with a username and other identifiable information. Moore also reveals that the data is stored on Eufy’s Amazon-based servers, even after the footage has been removed from the Eufy app.
Moore claims that video from cameras can be streamed through a web browser. He simply needs to input the URL. No authentication information is required to view said videos. Moore provides evidence that Eufy camera videos encrypted with AES 128 encryption use a simple key and not a random string. Moore’s videos were saved with “ZXSecurity17Cam@”, an encryption key that can easily be cracked by anyone wanting to access your footage.
Moore has been in touch with Eufy support to confirm the evidence. They cited that these uploads are necessary for notifications and other data. Support has not provided any valid reasons why identifiable user data was also attached to the thumbnails. This opens up a security hole that allows others to access your data using the right tools.
Moore stated that Eufy had already addressed some of these issues. It is now impossible to verify cloud data status.
“Unfortunately (or fortunately depending on how you look at it), Eufy removed the network call and heavily encrypted other calls to make it nearly impossible to detect. So my previous PoCs don’t work anymore. The payloads listed may allow you to manually call the endpoint, but this may not return a result.
Android Central is currently in discussions with Paul Moore as well as Eufy. As the situation evolves, we will continue to update this article. Continue reading if you are interested in Moore’s research on Eufy security concerns.
Personaly, I have many Eufy cameras in my home and have reviewed many for Android Central. It’s unclear at the moment which cameras could be affected by this security problem.
Moore’s steps were followed. I was unable reproduce the problem with my EufyCam3 cameras, which are powered by the Eufy HomeBase. These cameras connect directly via Wi-Fi to the HomeBase. Event data can only be viewed in the Eufy app, and not via the Web Portal as Moore’s proof-of-concept videos below.
Eufy also offers other cameras such as the eufyCam Solo series and Eufy doorsbells, which connect directly to an Internet connection instead of a HomeBase Hub. These products are more likely to be affected.
It happened!
Eufy sells two types of cameras. One is a camera that connects directly to your Wi Fi network and the other is a camera that connects to Eufy HomeBase using a local wireless connection.
Eufy HomeBases can store Eufy camera footage locally using a hard drive within the unit. Even if your HomeBase is already in place, a SoloCam/Doorbell that connects directly with Wi-Fi will save your Eufy video data to the Eufy camera instead.
Paul Moore was using an Eufy Doorbell Dual, which connects directly with Wi-Fi and bypasses the HomeBase. Here is his first video, published on November 23, 2022.
Moore shows in the video how Eufy uploads both the image taken from the camera as well as the facial recognition image. He also shows that his facial recognition image and metadata are stored together with his username (owner_ID), a second user ID, and his saved and stored ID for the face (AI_Face_ID).
Moore uses another camera for triggering a motion event. He then analyzes the data that Eufy has transferred to Eufy’s servers in AWS cloud. Moore claims that he used another camera, a different username, and a different HomeBase in order to “store” his footage locally. However, Eufy was still able to tag and link Moore’s facial ID to his photo.
This proves that Eufy stores facial recognition data in its cloud. It also allows cameras to quickly identify stored faces, even though they’re not owned by the individuals in those images. Moore also recorded another video in which he deleted the clips, proving that they are still on Eufy’s AWS servers.
Moore claims that he was able stream live footage without authentication from his doorbell camera, but did not provide proof of concept due the possibility of misuse. Eufy was notified by Moore and he has taken legal steps to ensure Eufy follows the law.
Eufy is currently facing a difficult situation. Since its inception, Eufy has maintained that user data is kept locally and never uploaded to the internet. Eufy is a cloud-based data storage service. AlsoIf you use cloud services, it is forbidden to upload data to the cloud unless an individual allows this practice.
It is also a security breach to store user IDs or other personally identifiable data along with a photo of a person’s head. Although Eufy has since fixed the problem of Eufy being able to find URLs and other data sent to the cloud, it is currently impossible to determine if Eufy is continuing to store these data without consent from users.