A security researcher claims that Eufy’s security cameras are uploading photos containing personal information to their servers, violating not only its own key selling proposition, but also the EU’s General Data Protection Regulation (GDPR).
According to the report of Android Center (opens in a new tab)security researcher Paul Moore discovered that Eufy Doorbell’s dual camera transmits facial recognition data to the company’s AWS cloud unencrypted.
On the other hand, the company claims to be fully compliant with the Data Protection Regulation and that the collected data is only used for notifications.
GDPR compliant?
In a series of tweets (opens in a new tab)Moore claimed the data was stored along with usernames and other information that could be used to identify people whose photos were taken. Moreover, it claims that Eury retains the data even when the user deletes it from the Eufy app.
Moore also said that the video feed can be accessed through a web browser simply by knowing the correct URL, no password required. He said the camera videos encrypted with AES 128 use a simple key that can be cracked relatively easily.
Since the news was leaked, the company says it has patched “some issues” but has not been more transparent, so it’s impossible to know if the issue persists.
“Unfortunately (or fortunately, whichever way you look at it), Eufy has already removed the network connection and heavily encrypted another to make it nearly untraceable; so my previous PoC [proof of concept exploits] no longer work. You may be able to trigger a specific endpoint manually using the payloads shown, which can still return a result,” Moore later added.
On the other hand, Eufy told the publication that its products are “fully compliant with the standards of the General Data Protection Regulation (GDPR), including ISO 27701/27001 and ETSI 303645 certifications.” thumbnails with their notifications.
Camera notifications are text-only by default, meaning no thumbnails will be sent unless, as with Moore, users enable the feature manually.
Eufy also said that thumbnails are “temporarily” uploaded to its servers before being sent as a notification. In addition, the company said its push notification practices are “compliant with the Apple Push Notification service and Firebase Cloud Messaging standards” and are automatically removed. It didn’t say when.
The thumbnails also use server-side encryption, the company added, saying they shouldn’t be visible to unauthorized users.
“While our Eufy Security app allows users to choose between text or thumbnail push notifications, it wasn’t clear that opting for thumbnail based notifications would require a short storage of preview images in the cloud. This lack of communication was an oversight on our part and we sincerely apologize for our error.”
Going forward, Eufy says it will change the language of the push notification options as well as the use of the cloud for push notifications.