Anker Eufy security cameras and connected doorbells have a big security issue. Data that should be stored locally is actually sent to the company’s servers along with sensitive information. Recordings can be viewed by third parties using a player such as VLC. Approached by The Verge, Brand tried to lie.
Just imagine. Someone you don’t know – on the other side of the world or a stone’s throw from your house – can look into their computer and watch everything that happens when they land on your house or your garden without restriction. There is an embarrassing thing. However, this may happen to some people Surveillance cameras And Attached doorbells.
Indeed, Eufy, the connected home brand powered by Anker, has come under acerbic criticism since a massive security breach was discovered and lies brought to light. It all starts at the end of November. Consultant in Security IT, Paul Moore, challenges Yuffie on Twitter, saying he “ Irrefutable evidence (In the video) The data recorded by his connected doorbell, which is supposed to be stored locally, is actually sent to the cloud, even if the cloud storage option is deactivated.
There are some serious questions you need to answer @EufyOfficial
— Paul Moore (@Paul_Reviews) November 23, 2022
The expert specifically sent facial recognition data (along with personally identifiable information) to the servers of his Anker Eufy connected doorbell brand. Pau Moore explains that the elements thus downloaded are not deleted from Ufi’s servers and the associated sequences are deleted by the user in his dedicated app.
You can record videos via VLC
Not only that. A computer security expert realized that Ufi could use the same facial recognition data on two different cameras and two different accounts. A person can therefore be identified in two different locations, whereas the data enabling this must be stored locally. Paul Moore doesn’t explain how to use the flaw, but Android Central I was able to reproduce this manipulation with the EufyCam 3 camera connected to the Eufy HomeBase 3.
The matter did not end there, on the contrary. It was also found that recordings from Ufi’s surveillance cameras and doorbells were not properly encrypted. Thus, a somewhat intelligent person can use it to watch videos VLC, the popular video player. A gold mine for the misguided.
Well, the cats are now out of the bag… and you can tell.
You can start and watch the stream remotely @EufyOfficial The cameras are live using VLC. No authentication, no encryption.
Please don’t ask for PoC – I can’t publish this.
— Paul Moore (@Paul_Reviews) November 25, 2022
However, Anchor’s spokesperson asserted optimism on the edge He “It is not possible to start the stream and watch the live images using a third-party player like VLC“. However, this is exactly what the American media managed to do in the process. So he accused the brand of lying.
Journalistson the edgeAlso mention that they require authentication information at the start to consult the details of the recording videos. However, they have not faced any verification proceedings since then. They were able to watch videos until the camera was activated – either after motion was detected, or because the owner saw the film being taken).
Anker Eufy has yet to publicly respond to these new allegations. Paul Moore says he received an email from the group, but believes the latter downplays the seriousness of the situation.
We invite you to follow us Download our Android and iOS app. You can read our articles, files and watch our latest YouTube videos.