Internet

Eufy IP cameras are spying on you without your consent

When we use surveillance cameras, one of the fears is that they could be hacked and someone is recording without our permission. It is something that can happen and we have seen it in some cases, but the truth is that it is not usual if you use safe products and they are updated. But in this article we echo what has happened with the eufy cameras. The problem is that it has been discovered that Store images and videos in the cloud recorded with their cameras, without the users knowing.

Eufy cameras store images in the cloud

These cameras belong to Anker and they’ve been sending that data to the cloud. Also, they have done it even when the cloud seemed to be disabled. All this has been shown by the security researcher Paul Moore on his personal Twitter account. There she posted a video explaining the problem. As he explains, it all started when she bought a Eufy Doorbell Dual, a device with the ability to store video recordings but theoretically on the device itself.

There he discovered that these Eufy devices were uploading content to the cloud. They stored a capture to the cloud, even if it was disabled. These thumbnails allow you to view the videos on the go through the app. But of course, all this is uploaded to the cloud automatically even with the option disabled. It is especially significant when the brand itself assured that its service did not use the cloud.

From Eufy they responded to Paul Moore’s tweets. In that answer they confirmed that they were uploading screenshots and thumbnails, but they assured that this was not a problem since the data could not be leaked publicly when using a restricted URL and that it also had a time limit. But that did not convince Moore, since he believes that anyone can access these images without authentication.

Twitter User Image

Update: An official response from @EufyOfficial

Paraphrasing…
«You’re right, we do send to the cloud but it’s password protected, so not publicly visible… but we intend to encrypt API messages so nobody else finds out»

Completely & utterly missed the point. https://t.co/Mr08D2t60c

November 24, 2022 • 15:55

The networks have been flooded with responses

As a result of these tweets by Paul Moore, many users have flooded the networks with mentions of Eufy and how their videos have been stored in the cloud. In the well-known Internet forum Reddit you can see a thread about it. There are many who leave comments on this topic.

But an added problem is that it seems to be possible access remotely to live video streams using VLC, the popular media player.

The last thing this security researcher mentioned on his personal Twitter is that the company has implemented certain changes to prevent the videos from being easily accessible, even though you have not actually deleted them. He also comments that Eufy have assured him that they will work to fix these issues as soon as possible.

Twitter User Image

Quick update on the #eufy situation…

It appears they’ve removed the background call which reveals the stored images – but not the footage itself.

They also encrypted other calls to make it almost impossible to detect.

This is NOT how it should be handled.

November 28, 2022 • 2:00 p.m.

In short, as you can see, sometimes the use of devices of this type is not as secure or private as it should be. In this case, it is about Eufy cameras, which are quite popular and used. It is essential to always choose IP cameras that store in the cloud with total security, as long as you want this function available.

Related Articles