ioffe
Eufy, Anker’s smart home brand of technology accessories, has become popular among some privacy-conscious security camera buyers. Doorbell Camera and Other Devices Proudly Announced It “No clouds or costsand that “no one has access to your data but you.”
That’s the reason behind a series of tweets and videos posted by security consultant and researcher Paul Moore, which shows that Eufy cameras have been uploading thumbnails with name tags to cloud servers to alert owners’ phones, which are likely to be unencrypted, and smart home and security enthusiasts fiercely this. the week.
Mooreheadquartered in the United Kingdom Ask Eufy rhetorical questions about its practices on Twitter starting November 21. Why can I broadcast my camera without #authentication?! Moore also posted lines from “Source code and API responsesIndicates that a very weak AES key was used to encrypt the video footage.
On November 23, Moore uploaded a video explaining his findings. with his Eufy home base Moore walked in front of the camera. From an incognito web browser, Moore can pull up a thumbnail of himself, a photo of his feed shortly before he appears, and perhaps more concerned with the identification numbers indicating his recognizable face and status as the owner of the camera.
Security researcher Paul Moore’s video detailing Eufy’s quiet uploads of thumbnails and names (from facial recognition) to a cloud server.
A day later, the security firm SEC Consult Summing up two years of analysis of EufyCam 2, indicating a similar transfer of thumbnails through the Amazon Web Services cloud. The company also saw the weak keys, indicating “encrypted encryption/decryption keys that are identical for all Homebase devices sold,” though it wasn’t clear what keys were used.
SEC Consult noted that Eufy appears to have beefed up its security since May 2021, when users were suddenly Grant almost complete access to other people’s accounts. “Unfortunately, however, it appears that thumbnails of all registered images are still being moved to AWS, so the device does not fit our privacy requirements.” The SEC said it upgraded its publication of its findings based on Moore’s tweets, and “with [Black Friday] Shopping mania is just around the corner.
Moore later published A response from Eufy to his findings, where an Eufy support representative explains that thumbnails are restricted to account login, and that the URL will “expire within 24 hours” unless shared by the user. The Eufy representative also notes that Eufy has “noticed this before” and plans to create thumbnails for storing Homebase 3 locally as well.
Moore too claimed in a subsequent tweet, tagged in another user’s screenshot, so you can remotely start and monitor Eufy Cam streams through VLC without authentication or encryption. Moore has stated that he cannot release a proof of concept for the vulnerability. he is too chirp That Eufy denied his earlier legal claim against the company, “refused compensation,” but also, Moore alleged, offered him a job.
Just had a lengthy discussion with @employeeLegal Section.
It is appropriate at this point to give them time to investigate and take appropriate action; On the contrary, it is not appropriate for me to comment further.
I will provide an update, whenever possible. Thanks!
– Paul Moore (@Paul_Reviews) November 28, 2022
Finally, on Monday, Moore tweeted that he had a “lengthy discussion with [Eufy’s] The legal department” and then “give them time to investigate and take appropriate action” and declined to comment further. We have emailed Moore for comment, but have not yet received a response (as suggested in his tweet).
Meanwhile, Yoffe responded to Ars and other outlets with a statement. Eufy asserts that video footage and “facial recognition technology” are “processed and stored locally on users’ device”. However, for mobile push notifications, thumbnails are “stored briefly and securely on an AWS-based cloud server.” They are encrypted server-side, behind usernames and passwords, deleted automatically and comply with Apple and Google messaging standards, as well as General Data Protection Regulation (GDPR) standards.
Eufy acknowledges that when users choose between text-based notifications or thumbnails from their system during setup, “it is not made clear that selecting thumbnail-based notifications will require previewing images to be hosted briefly in the cloud.”
Eufy has pledged to update its setup language and “be more explicit about the use of the cloud for push notifications in consumer-facing marketing materials.” Other allegations made by Moore and SEC Consult have not been addressed.
“Typical beer trailblazer. Hipster-friendly web buff. Certified alcohol fanatic. Internetaholic. Infuriatingly humble zombie lover.”