Since customers discovered numerous security holes in its system, Eufy Security has come under fire from the general public. Monday saw the release of an update to the Eufy Security app that added a disclaimer mentioning that thumbnail images would be uploaded to the company’s cloud servers.
The bug fix for the app comes after reports that Eufy security cameras were sending captured images of the camera feed and detected faces to even if the cloud storage option in the app’s settings was disabled, AWS cloud servers.
Users of the Eufy Security app can choose whether push notifications should display only text or text and a thumbnail of an image taken with the camera. Only when a user opts to have the thumbnail appear in push notifications on their phones are these photos actually uploaded to the cloud.
In reality, security cameras that send photo thumbnail push notifications to Android and iPhones routinely store images in the cloud; the issue here is that Eufy never informed its customers of this. In fact, it has previously emphasized the idea that customer data is kept local and private, making it appealing to those who favor local storage for privacy.
As evidenced by an email from Eufy reported by information security consultant Paul Moore, the company knew of this contradiction, while supposedly working on fixing the issue with the new HomeBase 3. The company also said it would “encrypt the API between the browser and the server to avoid plaintext URL display,” which just means the uploaded data will be hidden better.
In my opinion, the best way to avoid these problems is to not include any thumbnails in my push notifications.
We’ve asked for comment, but we haven’t heard back on whether the business will address the problem of people being able to view the camera feeds using VLC player and a URL, with no authentication necessary. You’re not alone if the sound of that makes you want to turn off your Eufy cameras and throw them into the depths of the ocean.
However, keep in mind that in order for someone to actually access your video feed in this manner, they would need to log into your account using your credentials and password in order to obtain a specific URL for the camera feed, which differs for each stream. They would also have to correctly predict when the camera is streaming, which could be either when something happens that causes it to start recording or when someone is watching the live feed.
Read More:
Source: ZDNET
