This top security camera brand may be uploading photos to the cloud without you knowing
A security researcher has claimed Eufy security cameras are uploading photos containing personally identifiable data to the company's servers, violating not only its own key selling proposition, but also the EU’s General Data Protection Regulation (GDPR).
According to a report by Android Center, security researcher Paul Moore discovered that the Eufy Doorbell Dual camera uploads facial recognition data to the company’s AWS cloud without encryption.
On the other hand, the company says it fully complies with data protection regulations and that the data collected is only used for notifications.
GDPR compliance?
In a series of tweets, Moore claims the data is being stored along with usernames and other information that can be used to identify the people whose pictures were taken. Furthermore, Eufy keeps the data even if the user deletes it from the Eufy app, he claims.
Moore also said the video feed can be accessed through a web browser by anyone who knows the correct URL, with no password required. He says that camera videos encrypted with AES-128 use a simple key that can be cracked relatively easily.
Since the news, the company claims to have patched “several issues,” but has not been more transparent than that, so it’s impossible to verify if the issue is ongoing.
“Unfortunately (or fortunately, however you look at it), Eufy eliminated the network call and encrypted a lot of the others to make it nearly undetectable; hence my previous PoCs [proof of concept exploits] no longer work. You can call the specific endpoint manually using the payload shown, and the results can still be returned,” Moore later added.
On the other hand, Eufy told the publication that its products are “fully compliant with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certificates.” The problem seems to be when the user decides they want a thumbnail with their notification.
By default, notifications from the camera are text-only, meaning no thumbnails are uploaded unless, as was the case with Moore, the user manually enables the feature.
Eufy also says the thumbnails are “temporarily” uploaded to its servers before being sent as notifications. Furthermore, the company says its push notification activities are “compliant with Apple’s Push Notification service and Firebase Cloud Messaging standards” and auto-delete. It doesn’t say when.
Thumbnails also use server-side encryption, the company added, saying they shouldn’t be visible to unauthorized users.
“While our Eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it is not clear that selecting thumbnail-based notifications will require preview images to be stored for short periods in the cloud. That lack of communication was an oversight on our part and we sincerely apologize for our error,” the company concluded.
Eufy announced that, going forward, it will change the wording of the push notification preferences, as well as its use of the cloud for push notifications.