Home security cameras have gotten a lot better in recent years, but the security of your footage has always been a concern. Anker’s Eufy brand claims to keep data local, but a security researcher has exposed that the claim is far from true, with footage not only going to the cloud, but remaining visible even after it was supposed to be deleted.
Eufy sells several of its security cameras with the promise that video footage and other data are local only, explicitly saying “no one has access to your data but you” on its website.
Paul Moore, a security researcher, posted a thread on Twitter last week describing a frightening security situation with Eufy home security products, including camera-equipped doorbells. In the thread and accompanying videos, Moore shows proof that Eufy cameras are sending data that is said to be “stored locally” to the cloud, even when cloud storage is disabled.
The security hole was first discovered on Eufy’s Doorbell Dual camera which utilizes two cameras to view both people walking up to your door as well as your doorstep where packages may be left.
Moore found that the doorbell’s camera was uploading facial recognition data to Eufy’s cloud servers with identifiable information attached, and that this data wasn’t actually removed from Eufy’s servers when the related footage had been deleted from the Eufy app. In the accompanying video, Moore also notes that Eufy used the facial recognition data from two different cameras on two completely different accounts to link data from each, and points out that Eufy never notifies the user that this is happening – the company’s marketing rather implies just the opposite.
It’s not clear how many of Eufy’s home security cameras and products are affected by this. Android Central was able to replicate the same security issues on a EufyCam 3 paired to a Eufy HomeBase 3.
Perhaps more frightening was another user’s findings that these streams of Eufy footage are accessible through unencrypted streams. Simply using the popular VLC media player, a user was able to access a camera’s feed, and Paul Moore confirmed (though without showing how it works) that the streams can be accessed with no encryption or authentication required.
Update 12/1: The Verge has further confirmed that the VLC security hole exists. An Anker PR manager said confidently “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” while The Verge was able to do just that.
The publication notes that it needed authentication to access the stream’s details originally, but the information then works without any further authentication. They were able to stream video as long as the camera was awake, i.e. when it is recording a clip after detecting motion or being viewed live by its owner. It’s also noted that the URL that accesses these streams includes a Unix timestamp, a random token that isn’t validated at any point, a random four-digit hex code that could “easily be brute forced,” and information derived from your camera’s serial number.
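As an added illustration, not code from the article or from Eufy, here is how a stream URL can be bound to all of its parameters with a server-side HMAC and a short expiry, so that the token is actually validated and a short guessable code is no longer the only secret. The hostname, key, parameter names and serial number are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment keeps this only on the stream gateway.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 60  # how long an issued URL stays usable


def _mac(serial: str, ts: int, nonce: str) -> str:
    """HMAC over every parameter, so changing any of them invalidates the signature."""
    msg = f"{serial}|{ts}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def build_stream_url(serial: str, now: Optional[int] = None) -> str:
    """Issue a short-lived, signed stream URL for an already authenticated owner."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # 128 random bits, not a four-digit hex code
    query = urlencode({"serial": serial, "ts": ts, "nonce": nonce,
                       "sig": _mac(serial, ts, nonce)})
    return f"https://stream.example.invalid/live?{query}"


def verify_stream_url(url: str, now: Optional[int] = None) -> bool:
    """Accept the request only if the URL is fresh and the signature matches."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        serial, ts, nonce, sig = q["serial"], int(q["ts"]), q["nonce"], q["sig"]
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= MAX_AGE_SECONDS:
        return False  # expired, or timestamp from the future
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    return hmac.compare_digest(_mac(serial, ts, nonce), sig)
```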
Paul Moore, the researcher who first highlighted this issue, also shared with the publication that he has started legal proceedings against Anker.
Eufy has yet to respond to these claims publicly, but the evidence is quite clear at this point, and it’s a massive security failure on top of direct lies to customers. Moore did receive an email from Eufy in which the company tried to explain the behavior shown, though Moore argued that most of the company’s response was downplaying the seriousness of the issue.
Moore offered an update to the situation yesterday, saying that Eufy has removed the “background call” which shows stored images, but not the underlying footage, and that the company has also encrypted other calls to cover its tracks.