Anker Apologizes For Eufy Cameras Uploading Unencrypted Content Without User Consent
The proliferation of “smart” devices within the home has raised privacy concerns as it has become more apparent that the companies selling these devices often have access to data and media collected by the devices. Eufy, a sub-brand of the popular Chinese electronics manufacturer Anker Innovations, tries to capitalize on these concerns by presenting itself as a privacy-preserving alternative to other smart device brands. According to Eufy, its line of security cameras and video doorbells protect users’ privacy by storing data locally, rather than in the cloud. However, a recent analysis of Eufy’s online portal has revealed that Eufy devices do upload some user content to the cloud, contrary to the company’s marketing claims.
Eufy video devices make good on the company’s local storage claim by transmitting footage to a “HomeBase,” which resides within the user’s home. The HomeBase contains a hard drive where all this footage is stored locally. Users can then access this footage in the Eufy app or web portal, which connects directly to each user’s HomeBase. According to the company, this recorded footage is end-to-end encrypted (E2EE), meaning the data is encrypted not only during transit, but also at rest, and must be decrypted with a private key restricted to each user’s account.
Eufy video devices make good on the company’s local storage claim by transmitting footage to a “HomeBase,” which resides within the user’s home. The HomeBase contains a hard drive where all this footage is stored locally. Users can then access this footage in the Eufy app or web portal, which connects directly to each user’s HomeBase. According to the company, this recorded footage is end-to-end encrypted (E2EE), meaning the data is encrypted not only during transit, but also at rest, and must be decrypted with a private key restricted to each user’s account.
The HomeBase 3, Eufy’s most recent version of this device, can use machine learning to recognize vehicles, pets, and people captured in video recordings. The company claims that this machine learning video analysis takes place locally on the HomeBase 3. While this claim may be true, it seems that the results of this facial recognition analysis make their way to an Amazon Web Services (AWS) server owned by Eufy.
Recently, after purchasing a Eufy video doorbell, security consultant Paul Moore found that, when logged into the Eufy web portal, the site’s source code contains plaintext URLs that specify the location of unencrypted images stored on a Eufy cloud storage server. These images are drawn from footage captured by Eufy video devices, then stored on the cloud for at least twenty-four hours. These images remain accessible at the URLs found in the web portal even after the user disconnects the HomeBase from the internet, deletes the original footage from local storage, or deletes the user account entirely.
Recently, after purchasing a Eufy video doorbell, security consultant Paul Moore found that, when logged into the Eufy web portal, the site’s source code contains plaintext URLs that specify the location of unencrypted images stored on a Eufy cloud storage server. These images are drawn from footage captured by Eufy video devices, then stored on the cloud for at least twenty-four hours. These images remain accessible at the URLs found in the web portal even after the user disconnects the HomeBase from the internet, deletes the original footage from local storage, or deletes the user account entirely.
For every video recording stored on the Eufy HomeBase, the Eufy cloud storage server receives a thumbnail image, as well as an image of every face identified in the video by the facial recognition software. Each face recognized by this software is also paired with a unique face identifier code. This discovery appears to flatly contradict Eufy’s assertion that “your private data never leaves the safety of your home.” Moore and other researchers also found plaintext URLs that allowed them to view footage from Eufy cameras in live time without any authentication. This additional discovery punches a hole in Eufy’s claims regarding secure E2EE.
Eufy has responded to these revelations by apologizing for a “lack of communication,” as “it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.” According to the company, these images are set to be automatically deleted after an unspecific amount of time, though Eufy stated that the plaintext URLs found in the web portal source code expire within twenty-four hours. Eufy also told Moore that it plans to encrypt the API that connects the web portal to Eufy’s cloud sever in order to avoid displaying plaintext URLs. The company has said that it will update the language in its marketing and push notification settings to make clear that thumbnail-based push notifications require that preview images be uploaded to the cloud.
Top image courtesy of Eufy
Eufy has responded to these revelations by apologizing for a “lack of communication,” as “it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.” According to the company, these images are set to be automatically deleted after an unspecific amount of time, though Eufy stated that the plaintext URLs found in the web portal source code expire within twenty-four hours. Eufy also told Moore that it plans to encrypt the API that connects the web portal to Eufy’s cloud sever in order to avoid displaying plaintext URLs. The company has said that it will update the language in its marketing and push notification settings to make clear that thumbnail-based push notifications require that preview images be uploaded to the cloud.
Top image courtesy of Eufy
