In 2021, owners of Anker’s EufyCam security cameras and video doorbells were stunned to see videos of strangers while using the Eufy app. Now, a security researcher says Eufy cameras have been storing unencrypted video thumbnails and facial-recognition information in the cloud without properly notifying users.
Update: Shortly after we published this story, reporters at The Verge posted a devastating report detailing how they managed to stream footage from Eufy cams without any encryption using the VLC media player. We’re still awaiting further comment from Anker. Our original story follows.
As reported by Android Central, security researcher Paul Moore said he was able to access a thumbnail of a video event recording from his Eufy Doorbell Dual, as well as pictures of faces that were recognized in the clip, on Amazon Web Services servers employed by Eufy, even though he had disabled the doorbell’s cloud access.
Moore tweeted about his findings last week, and uploaded a YouTube video in which he demonstrates how he could access the video thumbnail and associated facial recognition data from his Eufy doorbell on Eufy’s Amazon-powered servers.
Eufy has since added new security measures to plug the privacy hole, according to Moore.
In a statement to TechHive, Eufy said the video thumbnails are used for rich push notifications and are automatically deleted after a brief period, but admitted that it could do a better job of informing users that their data is being stored on AWS servers, even if only briefly. Eufy’s push notifications are text-only by default, Android Central notes.
Here’s the relevant section from the Eufy statement:
To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.
Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.
That lack of communication was an oversight on our part and we sincerely apologize for our error.
This is how we plan to improve our communication in this matter:
1) We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
2) We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.
Moore also tweeted that he verified the claims of another user who was supposedly able to access a live video stream from their Eufy cam without authorization, although Moore didn’t reveal any details about the purported breach. We’ve asked Anker for more details about the claim.
Last year, Eufy apologized after Eufy Cam owners discovered video streams from other users in the Eufy app.
For its part, Eufy said that only about 700 users were affected by the earlier bug, and the company pledged to upgrade its servers and authentication methods to prevent the breach from happening again.