Home security cameras are purchased so that owners can watch over their homes remotely. It becomes an issue when outsiders are able to access that footage as well. Eufy has finally released a statement admitting that its products have a security flaw.
Not as Private as You Think
Anker, the electronics company responsible for Eufy, has released a blog post regarding the matter. It emphasized in bold letters that the Live View feature on Eufy Security's web portal has a security flaw, as reported by The Verge.
The company said that no user data had been exposed and maintained that the security flaws that were pointed out were speculative. Following that statement, it agreed that there were key areas that it needed to improve.
Although Eufy denied sending facial recognition data to the cloud, a researcher has proven that to be false. Paul Moore, the researcher who found the flaw, claimed that the service provider was storing video thumbnails and facial recognition data.
This happened despite the customer not opting for the company's cloud services. Moore also stated that a different camera from Eufy, which was linked to a different account, was capable of identifying his face with the same unique ID.
Although Moore did not provide proof of his claims, he said that he managed to view live footage from his camera via a web browser without the need for authentication. All anyone needs to do is go to the right public-facing address, as mentioned in Crast.
Eufy claimed that it stored images in the cloud but deleted them immediately after a user dismissed the notification that needed them. However, Moore showed in a YouTube video that the images were not immediately deleted after the notification had been dismissed.
Eufy's Defense
The surveillance service provider said that it had a security model that has never been attempted, which is why there were unforeseen flaws. It also claimed that all facial recognition and biometric processes are completed locally on the user's device.
Eufy's Video Doorbell Dual had a security flaw that the company claims it has fixed. Instead of using the AWS server it initially utilized, which shared the initial image with other cameras on the user's local security system, the doorbell has been upgraded to a LAN/P2P process.
Since most of the security issues come from the company's use of the cloud, it aims to reduce that use. The company said that it will be clearer about which processes are done locally and which require its AWS server.
It would be hard to trust the company's claims even if it means to fix the issues, especially since independent researchers have proven that it lied about such instances. When concerns were raised, it made false claims to deny the complaints.
It was discovered that videos could be streamed from a Eufy camera. This can be done from a distance with no encryption for private data in sight. When confronted about it, the surveillance provider denied that it was possible.
However, after Eufy's denial, The Verge managed to do the exact thing Eufy claimed was not possible. They watched live video from Eufy cameras that were across the US using the VLC media player.