Eufy doorbell cameras uploading facial recognition data to the cloud without consent
If you use Eufy security cameras, they may be sending biometric information to the cloud despite claims to “keep data local,” according to a report on 9to5Google, which details an ongoing back-and-forth between the Anker brand and a security professional on social media.
Last week, on Twitter, a security researcher named Paul Moore posted proof that EufyCam’s Video Doorbell Dual cameras were uploading unencrypted facial recognition data and identity information to Eufy’s cloud servers, without permission, even when the device’s cloud functionality was disabled.
“You have some serious questions to answer, Eufy,” wrote Moore, whose profile lists him as an Information Security Consultant who “defeats behavioral biometrics.” In a series of tweets, he revealed that footage from the company’s cameras could be accessed using simple audio software, without any encryption or authentication measures. “You can remotely start a stream and watch Eufy cameras live using VLC,” Moore tweeted.
The system uploaded face biometrics to the cloud in the form of thumbnail captures, and stored that data on company servers even after it was deleted from the app, Moore said. He also worried that Eufy could link footage collected from different cameras and apps to individuals using facial recognition.
The Video Doorbell Dual, which Moore tested, has two cameras, two-way audio, and smart AI support, and includes PIR motion scans for body heat and radar detection scans for movement. Eufy’s website specifically advertises the product as being an edge computing device, independent of the cloud, and promises that “no one has access to your data but you.”
In Moore’s latest post on the matter, from November 28, he said he had spoken to Eufy’s legal department, and that he believes “it’s appropriate at this stage to give them time to investigate and take appropriate action.” He promised to “provide an update, as & when possible.”
A statement from Eufy published by Android Central seems to indicate that disabling thumbnails for push notifications from the camera prevents them from being uploaded to the cloud.
In addition to doorbell cameras and security systems, Eufy also makes biometric smart locks, robotic vacuums, baby monitors, and other smart home products.