Person holding a phone for a door lock
News

Eufy “no cloud” security cameras streaming data to the cloud

Posted: December 5, 2022 by Christopher Boyd

Eufy home security cameras are currently in a spot of trouble as a result of door camera footage. This is because it turns out that data which should not have been going to the cloud was doing so anyway in certain conditions.

Securing your home: a complicated proposition

Insecure cameras, unprotected cloud footage, streams going where they shouldn’t be: these are all areas for concern when looking into buying a home security system. Maybe you want full CCTV across the property. Perhaps you want alarms tied to cameras, or just a doorbell cam to see who’s popping in during the day.

In all of these cases, potential buyers need to find the answers to just some of the following questions:

  • Is the device internet connected?

  • Can you access feeds from outside your home, and if so, how?

  • Is the footage password protected? Is the device password protected?

  • If we’re talking storage, is data written to a local drive, or are cloud services available? Is the cloud offering bespoke, or can you hook up the device to a cloud provider of your choosing?

  • Is the footage encrypted? Is audio recorded? How long is any of this stored for, and under what conditions?

  • If there’s an app, how secure is it?

  • When there’s a service outage, are the devices rendered inoperable?

It’s not just a case of buying some random cameras and bolting them to the side of your house. There’s a lot to consider, and even then, something can happen to catch you completely unaware…as we’re about to find out.

When “local” means “also some cloud”

Many folks would err on the side of caution where cameras are concerned, choosing not to go down the road of internet connectivity or footage being placed in the cloud. Now, security researcher Paul Moore has discovered that a system he chose for those reasons was in fact placing data in the cloud anyway.

Facial recognition data in the form of thumbnails and other information was being stored against usernames. Paul Moore claims that data is kept on servers even after being deleted from the app. As Gizmodo notes, another user discovered that this data wasn’t encrypted. Moore even found out that you can remotely start a stream and watch live with VLC.

What was happening with the thumbnails, and more importantly, why was it happening? Well, the system in question defaults to text alerts only. You have the option to tweak this, allowing for options with thumbnail included if available. What was not made as clear as it could be is that these thumbnails are temporarily sent to Eufy’s AWS servers before arriving in the notification.

Sure, it’s not there long. However, people buying a device on a “No cloud, please” policy are going to expect their data to never be in the Cloud. If it turns out to not be the case at any point in the device’s operation, those people are going to be understandably annoyed without clear explanation and notification.

Fixing a cloudy outlook

Some of the many issues raised here have already been patched by Eufy, and the organisation told Android Central that it is in full compliance with GDPR standards. Despite this, Eufy admitted that it was not made clear enough that selecting thumbnail-based notifications would mean preview images being briefly hosted in the cloud.

The following changes are being made, according to the rest of the statement given to Android Central:

“We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.”

What we have now is definitely an improvement over people finding out that their non-cloud storage doorbell system is in fact doing some form of cloud storage, no matter how briefly. This just goes to show how much effort needs to also go into disclosure and clear, transparent explanations of functionality. Despite being a security researcher who did due diligence before purchasing a system, he still made a surprising discovery and only then after having put the device to work.

If, after having read your own user manual, there’s anything which seems slightly off or not clear enough, the very best thing you can do is approach support directly. Most of the time something like this is a genuine oversight, and organisations would very much like to get it right the first time. If we have to occasionally help them along to get it right on the second attempt, let’s aim for that too if all else fails.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

RELATED ARTICLES

UnitedHealth Group logo
News | Personal

“Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach

April 23, 2024 - UnitedHealth has made an announcement about the stolen data in the ransomware attack on subsidiary Change Healthcare.

CONTINUE READING 0 Comments
The Lock and Code logo, which includes the Malwarebytes Labs insignia ensconced in a pair of headphones
Podcast

Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09

April 22, 2024 - This week on the Lock and Code podcast, we speak with Justin Brookman about past consumer wins in the tech world, and how to avoid despair.

CONTINUE READING 0 Comments
Discord logo
News | Privacy

Billions of scraped Discord messages up for sale

April 22, 2024 - An internet scraping platform is offering access to a database filled with over four billion Discord messages and combined user profiles.

CONTINUE READING 0 Comments
week in security
News

A week in security (April 15 – April 21)

April 22, 2024 - A list of topics we covered in the week of April 15 to April 21 of 2024

CONTINUE READING 0 Comments
Fishing in a lake
Cybercrime

Law enforcement reels in phishing-as-a-service whopper

April 18, 2024 - A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Christopher Boyd

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams