A security researcher claimed that eufy's security cameras upload photos containing personally identifiable data to its servers, violating not only its own KPO, but also the EU's General Data Protection Regulation (GDPR).
According to a report from Android Central(opens in a new tab), security researcher Paul Moore discovered that the Eufy Doorbell Dual camera uploads facial recognition data to the company's AWS cloud, without encryption.
The company, on the other hand, claims that it is fully compliant with data protection regulations and that the data collected is only used for notifications.
Is it GDPR compliant?
In a series of tweets - opens in a new tab, Moore claimed the data was stored along with usernames and other information that could be used to identify the people whose images were taken. In addition, Eury retains the data even when the user deletes it from the Eufy app, she says.
Moore also said that the video feed could be accessed through a web browser, simply by knowing the correct URL, with no password required. Camera videos encrypted with AES 128 use a simple key that can be cracked relatively easily, he said.
Since the news broke, the company claims to have fixed "some of the issues," but it's no more transparent than that, so it's impossible to check if the issue persists.
"Unfortunately (or fortunately, whichever way you look at it), eufy has already removed the call from the network and heavily encrypted the others to make it almost impossible to detect; so my previous PoCs no longer work. You may be able to manually call the specific endpoint using the displayed payloads, which can still return a result,” Moore added later.
Eufy, on the other hand, told the publication that its products "comply with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications." The problem seems to be when a user decides that he wants thumbnails with his notifications.
Camera notifications are text-only by default, meaning no thumbnails are downloaded unless, as was the case with Moore, users manually enable the feature.
Eufy also said that the thumbnails are uploaded "temporarily" to their servers, before being sent as a notification. In addition, the company said that its push notification practices "comply with Apple's Push Notification Service and Firebase Cloud Messaging Standards" and self-delete. He did not say when.
The thumbnails also use server-side encryption, the company added, saying they shouldn't be visible to unauthorized users.
"While our Eufy Security app allows users to choose between text-based or tile-based push notifications, it was not specified that choosing tile-based notifications would require preview images to be briefly hosted in the cloud. This miscommunication It was an oversight on our part and we sincerely apologize for our mistake," the company concluded.
In the future, Eufy says that it will change the language of the push notification option, as well as the use of the cloud for push notifications.