No cloud needed, local data storage on devices in your own network, everything secure and private – these are roughly the advertising promises for Eufy’s smart home devices. Among other things, the company sells smart doorbells with cameras, but also standalone surveillance cameras that are connected to the company’s own network via Wi-Fi.
A special feature is that storage on Eufy cloud servers is only optional. At least that is how it appears. As security researcher Paul Moore found out, in collaboration with a person known as “Wasabi”, none of this is true: even without his consent, the data was stored on Eufy servers, linked together, and worse.
Doorbell Dual calls home
Moore noticed unwanted behavior on his doorbell, the Doorbell Dual, which has a camera. He set it up with a new account; he already had another Eufy camera. He then looked at the new camera’s data traffic and quickly discovered that it was diligently communicating with the Eufy servers he was already familiar with, which he documented in a YouTube video. The API calls are fairly simple, as the US outlet The Verge later verified for itself: they consist, among other things, of the serial number of the camera.
Through web requests, Moore was able to obtain thumbnails from his cameras. They are evidently stored unencrypted on Eufy servers. However, when setting up the doorbell, he had explicitly chosen not to store any camera data in the cloud. He also found that data tagged with the “Face ID” attribute from both of his accounts was linked in this way. According to Moore, photographs of every recognizable face were saved.
Live stream via VLC
Using URL sequences, Paul Moore was able to access the live stream from the cameras on a PC using the popular VLC program, which The Verge was able to replicate. According to Moore, it doesn’t require a login; just knowing the URL is enough. This was followed by an email exchange with Eufy support. In it, the company initially said its products worked as advertised, but then said it had “solved” the problem by encrypting API calls. Moore was subsequently able to observe this. The Verge, in turn, later managed to start live streams from other cameras known to the outlet. At least it should not be possible to do so just by guessing the URL.
A detailed statement from Eufy’s parent company Anker is still pending. By his own account, Paul Moore is no longer getting any answers either, and he has initiated legal action. For the group, which has built up a good reputation in recent years as an accessory supplier, mainly through chargers and power banks, the behavior of its cameras is already having consequences: the large YouTube channel Linus Tech Tips has ended its cooperation with Anker and its subsidiaries.