This top security camera brand might be uploading photos to the cloud without you knowing
Security-conscious users might be unwittingly giving Amazon their data
A security researcher has claimed Eufy security cameras are uploading photos containing personally identifiable data to its servers, breaching not only its own key selling proposition but also the EU’s General Data Protection Regulation (GDPR).
According to a report by Android Central, security researcher Paul Moore discovered that the Eufy Doorbell Dual camera uploads facial recognition data to the company’s AWS cloud, without encryption.
The company, on the other hand, says it’s fully compliant with the data protection regulation and that the data collected is only used for notifications.
Compliant with GDPR?
In a series of tweets, Moore claimed the data was being stored together with usernames and other information that could be used to identify people whose images were taken. What’s more, Eufy keeps the data even when the user deletes it from the Eufy app, he claims.
Moore has also said the video feed can be accessed via a web browser, simply by knowing the right URL, with no passwords required. Camera videos encrypted with AES 128 are using a simple key which can be broken relatively easily, he said.
Since the news broke, the company claims to have patched “some of the issues”, but it is being no more transparent than that, so verifying whether the issue is ongoing is impossible.
“Unfortunately (or fortunately, however you look at it), Eufy has already removed the network call and heavily encrypted others to make it almost impossible to detect; so my previous PoCs [proof of concept exploits] no longer work. You may be able to call the specific endpoint manually using the payloads shown, which may still return a result,” Moore later added.
Eufy, on the other hand, told the publication that its products are “in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.” The problem seems to arise when a user decides they want thumbnails with their notifications.
Notifications from the camera are text-only by default, meaning no thumbnails get uploaded unless, as was the case with Moore, users enable the feature manually.
Eufy also said the thumbnails are “temporarily” uploaded to its servers, before being sent as a notification. Furthermore, the company said its push notification practices are “in compliance with Apple Push Notification service and Firebase Cloud Messaging standards” and auto-delete. It didn’t say when.
Thumbnails also utilize server-side encryption, the company added, saying they shouldn’t be visible to unauthorized users.
“Although our Eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud. That lack of communication was an oversight on our part and we sincerely apologize for our error,” the company concluded.
Going forward, Eufy claims that it will change its push notification option language, as well as the use of cloud for push notifications.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.