© Getty Images/iStockphoto/PhotoGraphicss/iStockphoto.com
branded security cameras Eufy Sending some data to your Amazon based cloud server (AWS) even when cloud storage is disabled and only local storage settings are enabled. that security researcher Paul Moore Recently revealed and shown in several tweets.
to show the problem, he has a Eufy Doorbell Dual Camera Used. Among other things, Eufy is said to upload thumbnail images of faces to its cloud service. This data is stored there along with usernames and other identifiable information.
easy to crack key
The manufacturer’s website can access the content through cloud integration even if you haven’t signed up for the cloud service. According to Moore, even after the recordings are deleted from the Eufy app, this data will remain stored on the servers. Additionally, by entering the correct URL, the video can be streamed through a web browser. It does not require authentication data.
videos that start with a so-called AES-128 encryption are encrypted, according to that, only encrypted with a simple key and not with a sufficiently random character sequence. For example, Moore’s recording was saved with the key “ZXSecurity17Cam@”. But it can be cracked very easily.
face recognition for upload
It looks like Eufy doesn’t automatically upload full streaming videos, but instead uploads thumbnail footage of videos. These thumbnails are used in the Eufy app to enable streaming video from the Eufy base station, allowing users to watch them on the go. Eufy also uses facial recognition for uploads.
Eufy has confirmed the researcher’s findings, but said the data cannot be made public because the URL is restricted and time-limited. An account registration is also required. According to Moore, some of the issues have already been resolved. Among other things, Eufy removed network calls.
Freelance twitter maven. Infuriatingly humble coffee aficionado. Amateur gamer. Typical beer fan. Avid music scholar. Alcohol nerd.