Anker’s Eufy cameras are not as secure as advertised. Several experts have found that they save captured videos in the cloud without encryption or authentication, making them accessible to third parties…
Many surveillance cameras and connected video doorbells are equipped with a system of storage on the cloud – on the Internet, therefore. In the event of intrusion detection, the manufacturers record in real time the videos transmitted by the device on a remote server, located somewhere in the world.. A very handy feature to prevent everything from being lost if the device is destroyed or stolen by intruders. But that raises a question: because we can, quite legitimately, worry about the protection of the precious images captured as well as the use that the company that collects them can make of them.
Admittedly, most manufacturers equip their cameras with a memory card slot, so that everything is stored locally. A marketing argument that is obviously put forward to attract people concerned about the security of their data. But don’t trust it! If local storage may suggest that nothing goes to a cloud space, the reality is quite different. This is what owners of connected home cameras Eufy, Anker’s brand, have bitterly discovered. Against the advice of their users and without warning them, they send the captured images to the company’s servers. Worse still: the recordings can be viewed by third parties, because they are neither encrypted nor protected…
Eufy cameras: unencrypted videos accessible online
It was Paul Moore, a cybersecurity consultant, who discovered that the data recorded by his connected doorbell Eufy Doorbell Dual was sent to the Anker cloud. A very bad surprise insofar as they were supposed to be stored locally, on an external disk. Especially since he had deactivated the cloud storage option! In fact, he found that his camera sent video thumbnails – used in smartphone notifications – but also photos of detected faces with information to identify them, and – icing on the cake – his IDs. user ! To prove his point by point, Paul Moore has also made video demonstrations, posted on his YouTube channel.
Anker responded to Paul Moore by explaining that the images recorded by its cameras are only used for notifications and are immediately deleted from the server when the user clears the events from the mobile application. The consultant therefore verified the statements of the company. And found that the downloaded items are not deleted from Eufy’s servers at all. Worse still: other users looked into the matter and discovered that anyone could access a Eufy camera. This is because the data is not properly encrypted, and the videos can be viewed in a web browser by entering the correct URLs. No authentication information is requested, and just use the famous VLC video player to view the images. A veritable gold mine for malicious people! Very serious journalists The Verge tried in turn to see stolen images. And they succeeded“proving that Anker has a way to bypass encryption and access these supposedly secure cameras via the cloud”. Certainly, the camera must be activated by a detection to see the images that it saves in the cloud. But that’s its primary function! And it shouldn’t be so easily accessible.
Since being informed of the problem, Anker has obviously corrected since some technical points. But the case still leaves an unpleasant impression. In addition to the security issues that this discovery raises, it is above all the manufacturer’s lack of transparency that is shocking. Not only does it “temporarily” store data, but it does so without the consent of the camera owner and without notifying them in advance. Eufy devices would thus be sold with false promises of privacy. The brand would even go so far as to lie, since an Anker spokesperson allegedly told The Verge that it was not “not possible to start a stream and watch live images using a third-party player such as VLC”... which however succeeded the American media. She also replied to Paul Moore that yes, data was being sent to the cloud, but not to worry as the URL was protected by a password, and therefore only the user could share it with a third party. Anker, however, intends to encrypt the interface so that the URL is no longer displayed, and thus avoid other “misunderstandings”.
Update: An official response from @EufyOfficial
“You’re right, we do send to the cloud but it’s password protected, so not publicly visible… but we intend to encrypt API messages so nobody else finds out”
Completely & utterly missed the point. pic.twitter.com/Mr08D2t60c
— Paul Moore (@Paul_Reviews) November 24, 2022