A security researcher has claimed that Eufy’s security cameras are uploading images containing personal data to its servers, breaching not only its main selling proposition, but also the EU’s General Data Protection Regulation (GDPR).
According to a report before AndroidCentral (Opens in a new tab)Security researcher Paul Moore discovered that the Eufy Doorbell Dual camera uploads facial recognition data to the company’s AWS cloud, without encryption.
On the other hand, the company says that it is fully compliant with the data protection regulation and that the data collected is only used for notifications.
GDPR compliant?
in The series of tweets (Opens in a new tab)Moore claimed that the data was stored along with usernames and other information that could be used to identify the people whose photos were taken. Furthermore, Eury keeps the data even when the user deletes it from the Eufy app, it claims.
Moore also said that the video feed can be accessed via a web browser, simply by knowing the correct URL, without the need for passwords. He said that AES 128-encrypted camera videos use a soft key that can be cracked relatively easily.
Since breaking the news, the company claims to have corrected “some issues,” but they haven’t been more transparent than that, so verifying that the issue persists is impossible.
Unfortunately (or fortunately, however you look at it), Eufy has already removed the network call and heavily encrypted others to make it almost impossible to detect; so [proof of concept exploits] no longer work. You may be able to call the specified endpoint manually using the payloads shown, which may still return a result,” Moore later added.
On the other hand, Eufy told the publication that its products “fully comply with GDPR standards, including ISO 27701/27001 and ETSI 303645 certifications.” The problem seems to be when the user decides they want thumbnails with their notifications.
Notifications from the camera are text-only by default, meaning no thumbnails are loaded unless, as was the case with Moore, users manually enable the feature.
Eufy also said that thumbnails are “temporarily” uploaded to its servers, before being sent as a notification. Further, the company said its push notification practices are “compliant with Apple Push Notification Service and Firebase Cloud Messaging standards” and automatic deletion. He did not say when.
The company added that thumbnails also use server-side encryption, saying they should not be visible to unauthorized users.
“While our Eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that selecting thumbnail-based notifications would require the images to be briefly previewed in the cloud. This lack of communication was an oversight from our side and we sincerely apologize for our mistake.”
Going forward, Eufy claims that it will change the push notification option language, as well as use the cloud for push notifications.
