Are Eufy surveillance cameras less respectful of privacy than their manufacturer claims? The range of Anker products, marketed by the specialist in mobile accessories, is currently at the center of a controversy after a cybersecurity specialist accused the company of sending data to the cloud without users’ consent.
The Cloud of Discord
In a video shared on Twitter, Paul Moore explains that he discovered that his Eufy camera, precisely purchased for its ability to store images locally and not in the cloud, was sending photos to the company’s servers (leased from Amazon) even when sharing with the cloud was disabled. Worse, these images would be accompanied by personal information making it possible to identify the owner of the camera. Everything would be transmitted and stored via dubious encryption, with security practices that leave something to be desired.
But the case seems more complex than it seems. Asked after the video was posted, Eufy explained why some images were sent to the cloud. The brand’s surveillance cameras indeed offer to alert you on your smartphone when a movement is detected in front of your door. These alerts can take many forms, from a simple text notification to a text notification along with a screenshot of when the camera detected said motion. By choosing this second option (which Paul Moore did), the camera sends a screenshot to the cloud before sending it back down to the owner’s mobile. A functioning after all logical, since it is necessary that the photo transits on the Web to then land on the telephone.
Encryption not up to par
“Our products, services and processes are fully compliant with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications“, defends Eufy, who adds that the photos are deleted shortly after the notification is sent. The company nevertheless recognizes that the way in which these photos are used is not clearly indicated in the application. “This lack of communication was an oversight on our part and we sincerely apologize for our mistake.“, indicates the firm, which promises to quickly remedy this shortcoming.
Be that as it may, some of the issues raised by Paul Moore’s discovery are troublesome. Data sent to the cloud is actually encrypted using “[email protected]” as the encryption key, rather than a set of random characters, and the company hasn’t explained why personal information is uploaded at the same time. time as screenshots from the camera. According to the cybersecurity specialist, the company would be studying these questions and would have no more explanations to provide for the moment.