WolkyTech

The Eufy camera allegedly uploaded the data to the cloud despite the promise of local storage

Security

One of the reasons we rated the Eufy Video Doorbell Dual as one of the best video doorbells was its ability to store video locally. This is great in theory for users who do not want to store their personal data on a cloud server. Unfortunately, in practice, users may be sending sensitive data to the cloud without knowing it. [As reported by Android Central (opens in new tab), security researcher Paul Moore (opens in new tab), despite Eufy's promise of a complete local storage system, the Eufy Video Doorbell Dual camera he found that it could access thumbnails of images used for facial recognition and personally identifiable metadata stored in the cloud. If the system were truly completely local, these thumbnails would never have entered Eufy's servers. However, even after deleting the locally stored data, Moore was able to access the thumbnails and screenshots from Eufy's AWS servers.

This was not a one-time problem, and Moore was able to replicate the issue using a different camera, HomeBase (for local storage), and user name, and found that despite using a completely different system, Eufy still tagged his facial recognition ID and linked it to his photos Eufy is still able to tag his facial recognition ID and link it to his photo, even though he is using a completely different system. This should only be possible if Eufy actually stores facial recognition data in the cloud.

The worst part about this is that this sensitive data appears to be transmitted in an unencrypted manner. When combined with personally identifiable sensitive information, this represents a potentially massive privacy and security breach. In addition, another user, Andrew Oz (open in new tab), was allegedly able to access the streamed camera video from his web browser by using the appropriate URL. Moore (opens in new tab) states that he was able to reproduce this problem, but refuses to provide any evidence, possibly for security reasons.

Meanwhile, Eufy has refuted Moore et al.'s allegations; in a statement provided to Android Central, which a spokesperson for Anker (Anker owns Eufy) said we could also use, Eufy said that these problems are primarily due to certain settings being enabled According to Eufy, camera notifications are set to text only by default and do not generate or upload thumbnails. However, in Moore's case, he had enabled the option to display thumbnails along with the notification. Because this setting was enabled, Eufy temporarily uploaded the thumbnail data to AWS, bundled it with the user's device, and sent it as a notification. According to its statement, "Eufy states that its push notification practices "comply with the Apple Push Notification service and Firebase Cloud Messaging standards" and performs automatic deletion, but does not specify the timeframe in which this occurs."

Regarding concerns about encryption, Eufy states that it uses some degree of encryption. According to its statement, Eufy states that "thumbnails use server-side encryption" and can only be viewed if the user is logged in. Despite the incognito mode of his web browser, Moore was logged into Eufy's web client and therefore used the same cache that he had already authenticated. This is how he was able to access sensitive data.

This is not to say that Eufy is denying responsibility for the problem. The company has stated that it will "revise the wording of the push notification option in the eufy [sic] Security app to clearly explain that push notifications with thumbnails require a preview image that is temporarily stored in the cloud." It also states that it will "make the use of the cloud for push notifications more explicit in consumer marketing materials."

Eufy's statement definitely makes us think that, at least at this point, some of these issues are due to a lack of communication. It is disconcerting that a company touting freedom from the cloud has a feature that requires storing data in the cloud, but there may simply not be a better way to provide notifications in thumbnail form. Additionally, the workaround of using only text notifications is not inherently problematic.

However, Eufy has yet to address concerns about the ability to watch streamed camera video via a web browser. Given that certification does not appear to be required (again, no proof of concept has been provided by Moore), this is a serious concern; Eufy said in a statement that "its products, services, and processes are certified to General GDPR standards, including ISO 27701/27001 and ETSI 303645 certification," Moore said. In light of these new developments, Moore said that he had taken legal action to contest Eufy's GDPR compliance, but in a tweet that has now been pinned down, he said he is in discussions with the company's legal department and has acknowledged that he will investigate the matter further. We will update this post when we know more.

In the meantime, if you've been looking for a great video doorbell to upgrade your smart home, our video doorbell buying guide has a large number of options from Eufy and its competitors. This summer we covered how Ring and Nest allow you to show your video doorbell to the police without your consent. In this article, we recommended Eufy Video Doorbell Dual, but if you don't need Eufy's doorbell given recent allegations, we recommend Wyze Video Doorbell Pro.