The Anker Eufy brand claims that the data is kept locally, but a security researcher has revealed that this claim is far from the truth, as the snapshots not only go to the cloud, but remain visible even after they are deleted. The secret is that all of this is done without any coding.
Eufy is known for its security cameras and advertises that the video and other data they record stay local, even emphasizing on its website that “no one has access to your data but you.”
Paul Moore, a security researcher, tweeted last week about a very significant security issue with Eufy’s home security products, including doorbells that are equipped with cameras. In the thread and accompanying video, Moore provides evidence that Eufy cameras send data to the cloud, even when cloud storage is turned off.
The vulnerability was first discovered using Eufy’s Doorbell Dual Camera, which uses two cameras to see both people approaching your door and the doorstep where packages might be.
The doorbell camera uploaded facial recognition data to Eufy’s cloud servers with identifying information attached, and this data remained on the servers even after relevant material was deleted from the Eufy app. In the video, Moore also mentions that Eufy used facial recognition data from two different cameras on two very different accounts to correlate data from each, and notes that Eufy never notified the user that this had happened.
It is unclear how many Eufy cameras and home security products have been affected by this issue. Android Central was able to reproduce the same security issues on the EufyCam 3 paired with the Eufy HomeBase 3.
Perhaps even more disturbing were the findings of another user that video streams from Eufy devices are available to the public without encryption. By using the popular VLC media player, the user was able to access the camera feed, and Paul Moore confirmed (though not showing how it works) that the video streams could be accessed without the need for encryption or authentication.
The Verge has also confirmed the VLC security hole. Anker’s PR guy confidently stated, “I can confirm that it’s not possible to watch a live stream using a third-party app like VLC,” a claim the journalists vehemently deny, since they managed to do it.
The post notes that authentication was initially required to access the content of the stream, but that after this, access works without further authentication. They were able to stream video while the camera was in alert mode, meaning when it was recording video after motion was detected or when its owner was watching live.
Paul Moore, the researcher who first raised the issue, also shared with the publication that he has begun legal action against Anker.