It turned out that Anker Eufy brand security device was uploading content to the cloud without user consent
It turned out that there was a case where the product of the smart home device brand Eufy was uploading information such as photos and videos taken, faces and names to the cloud without obtaining the user's consent.
@EufyOfficial - Couple of Q's—Paul Moore (@Paul_Reviews) November 21, 2022
Why is my 'local storage' #doorbellDual storing every face, without encryption, to your servers?
Why can I stream my camera without #authentication ?!
But crucially, is this really the AES key for my video footage? Please tell me it's not.pic.twitter.com/uV70koBjLk
Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent [Updated] - MacRumors
Security consultant Paul Moore, who had just started using Eufy's video doorbell dual camera intercom, noticed the problem. I noticed that even though I was using it and not using the cloud function, the thumbnails of the footage I shot and user information were being uploaded to the cloud.
Eufy said on its official website that it emphasizes privacy, and it was written that ``data is stored locally,'' so Moore tweeted, ``The notation on the site is completely false.''
This is a complete lie @EufyOfficial—Paul Moore (@Paul_Reviews) November 21, 2022
My recorded footage is being uploaded to your CDN. Every face, every false trigger, literally everything is being uploaded despite cloud storage being off!
It may be 'stored locally' - but you negate to say it's uploaded too. https://t.co/bRFgUxCeIF pic.twitter.com/JGzZRiwK1G
Mr. Moore asked Eufy, 'Why are thumbnails being uploaded to the cloud without permission? Mr. Moore commented, ``What a farce,'' with a content that was quite displaced.
Quality support too @EufyOfficial—Paul Moore (@Paul_Reviews) November 22, 2022
I didn't say it doesn't support cloud storage! I said it uploaded to the cloud without my permission - and YOU said it didn't support cloud, which it does.
Dear me, what a farce. https://t.co/bRFgUxCMyd pic.twitter.com/FelLmxRa6B
This thumbnail image is used when users using the cloud function stream recorded video from Eufy's smartphone application via Eufy HomeBase, a data storage device, and a thumbnail image is created and uploaded. This is not strange in itself, but the problem is that even if you do not use the cloud function, it is uploaded without notifying the user.
Below is a verification video showing that even though Mr. Moore used the doorbell with the cloud function turned off, the recorded video could be viewed in streaming.
Eufy leaking your 'private' images/faces & names... to the cloud.-YouTube
After receiving a report from Mr. Moore, other users confirmed that Eufy's camera video could be viewed live streaming with media player VLC.
So trying to gain visibility, as an owner of a Eufy product this is incredibly disappointing but apparently you can play camera streams via VLC pic.twitter.com/cCYF7KgKvi— Wasabi Burns [email protected] (@spiceywasabi) November 25, 2022
Regarding this matter, Mr. Moore said that he had a discussion with Eufy's legal department, saying, ``It is appropriate for Eufy to conduct an internal investigation and give time to take appropriate measures, rather I will comment further. This is not appropriate.We will keep you updated as much as possible.Thank you.'
Just had a lengthy discussion with @EufyOfficial's legal department.—Paul Moore (@Paul_Reviews) November 28, 2022
It's appropriate at this stage to give them time to investigate and take appropriate action; conversely, it's not right for me to comment further.
I will provide an update, as & when possible.