When security researchers found that Eufy’s supposedly cloud-free cameras were uploading thumbnails with facial data to cloud servers, Eufy’s response was that it was a misunderstanding, a failure to disclose an aspect of its mobile notification system to customers.
It seems there’s more understanding now, and it’s not good.
Eufy didn’t respond to other claims from security researcher Paul Moore and others, including that one could stream the feed from a Eufy camera in VLC Media Player, if you had the right URL. Last night, The Verge, working with the security researcher “Wasabi” who first tweeted the problem, confirmed it could access Eufy camera streams, encryption-free, through a Eufy server URL.
This makes Eufy’s privacy promises of footage that “never leaves the safety of your home,” is end-to-end encrypted, and is only sent “straight to your phone” highly misleading, if not outright dubious. It also contradicts an Anker/Eufy senior PR manager who told The Verge that “it is not possible” to watch footage using a third-party tool like VLC.
The Verge notes some caveats, similar to those that applied to the cloud-hosted thumbnail. Chiefly, you would typically need a username and password to reveal and access the encryption-free URL of a stream. “Typically,” that is, because the camera-feed URL appears to be a relatively simple scheme involving the camera serial number in Base64, a Unix timestamp, a token that The Verge says is not validated by Eufy’s servers, and a four-digit hex value. Eufy’s serial numbers are typically 16 digits long, but they are also printed on some boxes and could be obtained in other places.
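For contrast with a URL whose token is never checked, here is an added sketch (not code from Eufy, The Verge, or the researchers) of how a stream server could bind each request to an authenticated account, one camera, and a short expiry window. The key, field layout, function names, and sample serial are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a secret held only by the stream server, never sent to clients.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_LIFETIME = 300  # seconds a stream token stays valid (assumed policy)


def _tag(serial: str, account_id: str, expires: int) -> bytes:
    # NUL-separated fields so "ab"+"c" and "a"+"bc" cannot produce the same message.
    msg = "\x00".join((serial, account_id, str(expires))).encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=")


def issue_stream_token(serial: str, account_id: str, now: int) -> str:
    """Issue a token only after the account has logged in and owns `serial`."""
    expires = now + MAX_LIFETIME
    return f"{expires}.{_tag(serial, account_id, expires).decode()}"


def validate_stream_request(serial: str, account_id: str, token: str, now: int):
    """Return (allowed, reason). Knowing the serial alone is never enough."""
    try:
        expires_s, tag_s = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False, "malformed token"
    expected = _tag(serial, account_id, expires)
    # Constant-time comparison; the tag covers serial, account and expiry,
    # so changing any of the three invalidates the token.
    if not hmac.compare_digest(expected, tag_s.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                 # constructed timestamp
    cam = "SERIAL-CONSTRUCTED-01"      # constructed serial, not a real device
    tok = issue_stream_token(cam, "acct-1", t0)
    print(validate_stream_request(cam, "acct-1", tok, t0 + 10))
    print(validate_stream_request(cam, "acct-2", tok, t0 + 10))
    print(validate_stream_request(cam, "acct-1", tok, t0 + 301))
```

With a check like this, a serial number read off a box is not sufficient to open a stream, because the server rejects any request whose tag it did not issue for that account and time window.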
We’ve reached out to Eufy and Wasabi and will update this post with any further information. Researcher Paul Moore, who initially raised concerns with Eufy’s cloud access, tweeted on November 28 that he had “a lengthy discussion with [Eufy’s] legal department” and would not comment further until he could provide an update.
Vulnerability discovery is far more of a norm than an exception in the smart home and home security fields. Ring, Nest, Samsung, the corporate meeting cam Owl—if it has a lens, and it connects to Wi-Fi, you can expect a flaw to show up at some point, and headlines to go with it. Most of these flaws are limited in scope, complicated for a malicious entity to act upon, and, with responsible disclosure and a swift response, will ultimately make the devices and systems stronger.
Eufy, in this instance, is not looking like the typical cloud security company with a typical vulnerability. An entire page of privacy promises, including some valid and notably good moves, has been made largely irrelevant within a week’s time.
You could argue that anyone who wants to be notified of camera incidents on their phone should expect some cloud servers to be involved. You might give Eufy the benefit of the doubt, that the cloud servers you can access with the right URL are simply a waypoint for streams that have to leave the home network eventually under an account password lock.
But it has to be particularly painful for customers who bought Eufy’s products under the auspices of having their footage stored locally, safely, and differently from those other cloud-based firms only to see Eufy struggle to explain its own cloud reliance to one of the largest tech news outlets.