Eufy

Revision as of 20:16, 18 February 2025 by Emanuele (added logo to the infobox)

Article Status Notice: This Article is a stub


This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues.


Eufy is a sub-brand of Anker Innovations and a manufacturer of smart home technologies.[1] The company is known for its security cameras, and markets its local-storage cameras with the claim that "your data is yours alone and eliminating monthly fees."[2] Eufy additionally provides a cloud backup system, which uses Amazon Web Services (AWS).[3]

Eufy
Basic information
Founded: 2011
Type: Subsidiary
Industry: Home security
Official website: https://www.eufy.com/

Incidents

Leaking data to the cloud without user consent

In 2022, security researcher Paul Moore found that images and videos were uploaded to Eufy's servers for their notification service without informing the user.[4] This was the case when the HomeBase, the local device where the video footage is usually stored, was offline. According to Eufy, the HomeBase 3 does not have to use the AWS cloud server, as the "high-performance database" on the device should be sufficient.[5] The notification feature, however, needs to store video thumbnails and pictures of faces, if those are in the recordings, and it used the cloud for this without giving the user the option to disable the behavior. Moore found that the images, which Eufy claimed were deleted automatically, remained on Eufy's AWS servers. This led to several sponsored entities, such as YouTube channel Linus Tech Tips, dropping Anker as a sponsor.[6]

In response to the incident, Eufy pushed an update to the Eufy Security app to disclose this behavior and placed the feature under an opt-in toggle. Eufy patched the notification service to include only text by default, and to inform users with disclaimers that cloud services are used temporarily for the thumbnail feature.[7]

Shortly after this incident, it was discovered that the security of the URLs used for streaming the video footage was lacking: the video feeds were unencrypted if you were able to brute-force the URLs.[8] The encryption scheme on the URLs also seemed to lack sophistication. Moore discovered that it only had 65,536 possible combinations to brute-force (a four-digit hexadecimal value), "which a computer can run through pretty quick."

In response, Eufy increased the number of combinations needed and increased the security such that guessing the URL was not enough for playback.[9]
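The arithmetic behind the 65,536 figure, and one common way to make a guessed URL insufficient for playback, shown as an added example. This is not Eufy's actual implementation: the key, the URL layout, the IDs and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed demo key (assumption); a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-key"

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random identifier."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every identifier at a given request rate."""
    return 2 ** bits / guesses_per_second

def _mac(camera_id, user_id, expires_at, nonce):
    # Fields are "|"-joined, so IDs must not contain "|" (true for the constructed IDs).
    msg = f"{camera_id}|{user_id}|{expires_at}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def sign_stream_url(camera_id, user_id, expires_at):
    """Issue a playback URL bound to one camera, one user and an expiry time."""
    nonce = secrets.token_urlsafe(16)  # 128 random bits instead of 16
    sig = _mac(camera_id, user_id, expires_at, nonce)
    return f"/stream/{camera_id}?u={user_id}&exp={expires_at}&n={nonce}&sig={sig}"

def verify_stream_url(url, session_user, now=None):
    """Allow playback only for a valid MAC, an unexpired link and the same logged-in user."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    camera_id = parts.path.rsplit("/", 1)[-1]
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        user, exp, nonce, sig = query["u"], int(query["exp"]), query["n"], query["sig"]
    except (KeyError, ValueError):
        return False
    expected = _mac(camera_id, user, exp, nonce)
    return (hmac.compare_digest(expected.encode(), sig.encode())
            and now < exp and session_user == user)

if __name__ == "__main__":
    # Four hex digits: 16 bits, exhausted in under 11 minutes at 100 requests/second.
    print(keyspace_bits(16, 4), seconds_to_exhaust(16, 100))
    url = sign_stream_url("cam42", "alice", int(time.time()) + 300)
    print(verify_stream_url(url, "alice"), verify_stream_url(url, "mallory"))
```

Because the check also requires the logged-in session to match the user the link was issued to, even a leaked or correctly guessed URL does not play for anyone else.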

References