Cloud Privacy Security

Anker's Eufy Cameras Caught Uploading Content To the Cloud Without User Consent (macrumors.com) 33

Anker's popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local only storage settings are turned on. MacRumors reports: The information comes from security consultant Paul Moore, who last week published a video outlining the issue. According to Moore, he purchased a Eufy Doorbell Dual, which was meant to be a device that stored video recording on device. He found that Eufy is uploading thumbnail images of faces and user information to its cloud service when cloud functionality is not enabled. Moore demonstrates the unauthorized cloud uploading by allowing his camera to capture his image and turning off the Eufy HomeBase. The website is still able to access the content through cloud integration, though he had not signed up for cloud service, and it remains accessible even when the footage is removed from the Eufy app. It's important to note that Eufy does not appear to be automatically uploading full streaming video to the cloud, but rather taking captures of the video as thumbnails.

The thumbnails are used in the Eufy app to activate streaming video from the Eufy base station, allowing Eufy users to watch their videos when away from home, as well as for sending rich notifications. The problem is the thumbnails are uploaded to the cloud automatically even when the cloud functionality is not active, and Eufy also seems to be using facial recognition on the uploads. Some users have taken issue with the unauthorized cloud uploads because Eufy advertises local-only service and has been popular among those who want a more private camera solution. "No Clouds or Costs," reads the Eufy website. Moore suggests that Eufy is also able to link facial recognition data collected from two separate cameras and two separate apps to users, all without camera owners being aware.

Moore received a response from Eufy in which Eufy confirmed that it is uploading event lists and thumbnails to AWS, but said the data is not able to "leak to the public" because the URL is restricted, time limited, and requires account login. There is also another issue that Moore has highlighted, suggesting Eufy camera streams can be watched live using an app like VLC, but little information on the exploit is available at this time. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.
There's a dedicated Reddit thread where other Eufy users are reporting the same thing happening.

  • unpossible (Score:4, Funny)

    by MooseTick ( 895855 ) on Tuesday November 29, 2022 @05:49PM (#63089458) Homepage

    I find it impossible that a tech company would lie about how it handles a user's data.

    • Also a bit disappointing from Anker, which is a brand I have come to appreciate over the years (although I've yet to purchase anything from the Eufy line).

  • These cameras are being sold well below the manufacturing, support and shipping cost.

    I've purchased a camera without permanent cloud features and it cost me $150, similar cameras (same body) with perma-cloud connectivity to Alibaba Cloud are going for $20-40. The catch is that the perma-cloud enabled one has CCP access to any stream and for premium features like recordings and notifications you're going to pay $2-15/month (and yes, they keep your recording even if you don't pay).

    • by tlhIngan ( 30335 )

      The point of Eufy products is you don't need cloud.

      They are completely local only systems, if you want to make them accessible to the Internet it's "do it yourself". They are completely standalone, and you will never be billed a dollar to use any cloud service because they work without it. (Kind of important, as things like Ring charge if you want enhanced storage and stuff).

      You do not sign up for any cloud account, your cameras/doorbell/etc do not become useless in 2 years because the manufacturer takes do

      • The point of Eufy products is you don't need cloud. They are completely local only systems, if you want to make them accessible to the Internet it's "do it yourself"....

        As it happens, that apparently is not the case. According to the article, they connect to the cloud and upload data whether you want it or not.

        • It has to by nature of the fact it sends you notifications which include thumbnails and snippets. Your own camera ain't running that SMS server.
          • by guruevi ( 827432 )

            Any camera is powerful enough to send e-mails. Mine runs FTP server, HTTP server and can forward to SMTP. They're tiny Linux devices, they can do anything the manufacturer wants them to do.

  • Say you're a legal adult that 'looks young'.
    Ensure that it ISN'T supposed to be using cloud...
    Then change clothes a few times.
    Then get a lawyer involved and accuse them of automatically uploading thumbnails of potentially underage naked people...

    Poof...no more stupid system design.

  • by R.Mo_Robert ( 737913 ) on Tuesday November 29, 2022 @06:09PM (#63089482)

    Anker's explanation in the linked article is that this only happens if you enable push notifications and have images enabled for them (text-only is an option), and all that's (temporarily) stored is the thumbnail for the notification. This is understandable given that Apple's push notification service requires a server to send the notification in the first place -- though they do admit to not explaining this adequately to users who thought they were otherwise entirely cloud-free based on their settings.

    I realize we're only getting this explanation from Anker's side, but it's hard for me to see anything nefarious going on here unless anyone has discovered data that isn't consistent with this technical reality. And again, it's still unfortunate if anyone thought they were entirely local, but it seems like that is still possible by changing this option (which they've also said they're going to make clearer).

    • by AmiMoJo ( 196126 )

      The issue is that they sold it as local only, specifically "no cloud", but to use the advertised features it does in fact need to send private data to a cloud server. Images of faces, with timestamps, are sensitive personal information.

      If they had said "no cloud, but if you don't want the cloud service you won't get notifications" that would have been fine. Some other brands do notifications over WiFi using locally held data only. Essentially they run the notification server on the device. I know that works

  • Statement From Eufy (Score:5, Informative)

    by WankerWeasel ( 875277 ) on Tuesday November 29, 2022 @06:10PM (#63089488)

    eufy Security is designed as a local home security system. All video footage is stored locally and encrypted on the user's device. With regard to eufy Security’s facial recognition technology, this is all processed and stored locally on the user's device.

    Our products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.

    To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.

    Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.

    That lack of communication was an oversight on our part and we sincerely apologize for our error. This is how we plan to improve our communication in this matter:

    1) We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

    2) We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.

    eufy Security is committed to the privacy and protection of our users' data and appreciates the security research community reaching out to us to bring this to our attention.

    • by rossz ( 67331 )

      Does anyone believe their bullshit?

      • by thegarbz ( 1787294 ) on Wednesday November 30, 2022 @04:05AM (#63090182)

        Yeah I do. In a world of shitty Chinese companies that do nothing but lie about their products, Anker stands out in their market (cameras, USB charging accessories, flashlights, etc) as one of the few Chinese companies whose products actually perform exactly on spec.

        Additionally not only does their explanation make sense, but given how the app works it stands to reason that thumbnails would need to go somewhere, and with a European head-office and registered business in Germany they stand to get a proper arse-rehemming from the German government for actual GDPR violations.

  • by eclectro ( 227083 ) on Tuesday November 29, 2022 @06:17PM (#63089500)

    Anker is headquartered in China where it also manufactures its equipment. So there will certainly be CCP influence in what it does.

    The CCP is collecting information on the American people. Likely to advance its spying operations when needed. They are likely collecting this information for possible use in the future.

    It would not even necessarily be their target even, *but the people around* their desired target which *they may try to reach in order to influence their primary target*.

    Recently it was found that the Chinese had the complete information stored in their database of election poll workers (see Konnech inc) in the US. It *also had* all the information about their family members. Including social security numbers, driver license numbers, and all the passwords they used.

    The president of the FCC recently came out and suggested that TikTok be banned. You can be sure that the CCP is collecting all that data and constructing rainbow hash tables with it.

    Who doesn't re-use a password??? I rest my case.

    • Anker is headquartered in China

      Anker unlike most of the Chinese shitbrands is a multinational. In this case it is headquartered in Munich Germany and is a registered company in Germany with number HRB 259693.
      Unlike most Chinese shitbrands their products actually perform as specified, and have a proper warranty on them.

      So yeah nice "China" rant. We all know no American company would *ever* be caught with a privacy violation. /s

      • by richi ( 74551 )

        So the company isn't headquartered in Changsha, situated in China's Hunan province? Do tell where you think its HQ actually is.

        Anker Innovations Deutschland GmbH is a regional subsidiary, so it's not that.

  • by suss ( 158993 ) on Tuesday November 29, 2022 @06:34PM (#63089538)

    I caught a Maginon/Supra IPC-250HDC trying to do the same thing; with all "cloud" settings disabled, it still tries to send data to supra-space.com. I just firewalled it off.

    Another brand of camera I can't recall the name of tried to register with 2 different Chinese dynip servers and send out a bunch of unidentifiable data to another Chinese server.

    Just don't put these IoT things on the internet before you've analyzed their traffic. They're not to be trusted by default.

    • If you use these sorts of cameras at home for home security you have a tough choice to make:

      - Firewall them off from the Internet to protect your own privacy, and then roll your own notification system if you need that

      - Allow them to talk to the Internet and risk your privacy, even if you know what the camera might be sending out

      I think too many people read a product description. Think the fancy words sound good. Install them or have it installed. Don't think about it until their personal privacy is violate

    • Just don't put these IoT things on the internet before you've analyzed their traffic. They're not to be trusted by default.

      While I appreciate the caution this is very similar to telling people they need to do independent research on vaccines. Nearly all people have no ability to identify what traffic does, what it is used for or why it happens. You yourself are raising alarm about some unknown traffic going to an IP registered somewhere without any additional information or context.

      How much data is being sent? At what frequency? Are they requests? Is there a command and control style response? How does it relate to the service

  • She's innocent. Somebody must have used their Geass... /jk

  • by King_TJ ( 85913 ) on Tuesday November 29, 2022 @07:45PM (#63089676) Journal

    I've owned and used a number of Eufy cameras and their video doorbell for a while now. Built a DIY home security system with their gear, including the Bluetooth keypad to arm/disarm it and multiple door and motion sensors.

    I have no interest in it calling the police for me, but wanted push notifications to my phone if anything was happening.

    The weird thing that happened to some of us using their cameras is that several months back, they were suddenly going offline. The app couldn't communicate with the cameras anymore. The only resolution anyone got from Eufy support was to do the hard factory reset process on the camera, and then to set it back up in the app as a new device. Well - I did that but on one camera, that only worked for less than 24 hours and it fell back off my network again. One of my other cameras kept working without issues the whole time, and a third worked properly after I simply unplugged power to it for 15 seconds or so and reconnected it.

    It made no sense because the whole time the cameras were "down", they were still showing as online and assigned IP addresses via DHCP by my router.

    Some discussion on Reddit about it concluded that Eufy was, indeed, requiring some sort of cloud back-end communication with each of these cameras. It's possible they pushed a firmware update that temporarily broke that and caused them to quit functioning. Is Eufy saying the thumbnail previews they use in the app (by default) were enough to make the cameras completely stop functioning?

  • Clearly no malicious intent on their part. Nothing to do with the Chinese National Intelligence Law, no nothing at all. /s

    From the Wikipedia article:

    Article 7: All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.

    Article 10: As necessary for their work, national intelligence work institutions are to use the necessary means, tactics, and channels to carry out intell

  • Eufy is a China owned business. That's all you need to know to be guaranteed that your privacy will be violated.

    • As opposed to US based businesses like Facebook, and Google.....or the federal government itself. The patriot act. PRISM, the assassination of Seth Rich, the ongoing persecution of journalists like Julian Assange, the death of Aaron Swartz. etc. Yeah the USA is a real fucking paragon of freedom
  • Pinned certs should be illegal. It should not be possible for device creators to have the devices hide traffic from the owner for any reason. An owner should be allowed to install their own certs in any device that allows them to proxy traffic and see the contents any time they want.

  • This story lets people forget how many idiots send crisp 4k content straight to China by consent. China can monitor my perimeter all they want if this is nefarious and count how many times they see people walking. You're a fool to put any of these cameras inside your house ... unless Onlyfans
  • the data is not able to "leak to the public" because the URL is restricted, time limited, and requires account login

    The real problem is not leaking to the public because the general public usually doesn't know what to do with the data. The problem is leaking to Anker, Google, Meta, etc. The problem is Anker or another company sharing the data with a foreign government, the local government, an employer, with potential advertisers, etc.

    Somehow these companies are tone-deaf because they believe somehow that privacy and security are intact when they know secret data and share that data intentionally for what they consider

  • by Bu11etmagnet ( 1071376 ) on Wednesday November 30, 2022 @02:25AM (#63090092)
