When we rated the Eufy Video Doorbell Dual as one of the best video doorbells, one of the reasons that we touted its ability to store video locally. This is great — in theory — for users that don’t want their personal data stored on a cloud server that could be compromised. Unfortunately, in practice, users may be sending sensitive data to the cloud without knowing.
As reported by Android Central (opens in new tab), security researcher Paul Moore (opens in new tab) found that despite Eufy’s promises of a fully local storage system, when using the Eufy Video Doorbell Dual camera he was able to access thumbnails of images used for facial recognition and metadata that could be used to identify him stored in the cloud. If the system is truly fully local, these thumbnails should not have made it onto Eufy’s servers. Yet even after deleting the data stored locally, Moore was still able to access thumbnails and screenshots from Eufy’s AWS servers.
This wasn’t a one-off issue either, Moore used another camera, HomeBase (for local storage) and username to replicate the issue and found that despite using an entirely different system, Eufy was still able to tag and link his facial recognition ID with his picture. This should only be possible if, in fact, Eufy is storing facial recognition data in the cloud.
Confirming that EufyCam 2C and the Homebase are also problematic. Using web inspector I can find a URL that I can paste into another browser and see an online thumbnail of the last recorded event.November 28, 2022
The worst thing about all this is that this sensitive data seems to be transmitted in an unencrypted manner. When combined with sensitive identifiable information, this represents a potentially massive privacy and security breach. Additionally, another user, Andrew Oz (opens in new tab), was allegedly able to access videos from cameras streamed from a web browser by using the right URL. This reportedly requires no authentication to access and Moore says (opens in new tab) that he was able to replicate this issue — though he declined to provide evidence, likely for security reasons.
Eufy’s response to privacy and security concerns
Just had a lengthy discussion with @EufyOfficial's legal department.It's appropriate at this stage to give them time to investigate and take appropriate action; conversely, it's not right for me to comment further.I will provide an update, as & when possible. Thanks!November 28, 2022
For its part, Eufy has responded to the allegations from Moore and others. In a statement provided to Android Central that an Anker (Anker owns Eufy) spokesperson said we could use as well, Eufy states these issues may largely be caused by having certain settings enabled. Eufy says that camera notifications are set to text-only by default and do not generate or upload a thumbnail. But in Moore's case, he enabled the option to display thumbnails along with the notification. Since this setting was enabled, Eufy does temporarily upload the thumbnail data to its AWS serves to bundle and send as a notification to the user’s device. According to its statement, “Eufy says that its push notification practices are "in compliance with Apple Push Notification service and Firebase Cloud Messaging standards" and auto-delete but did not specify a timeframe in which this should occur.”
Regarding encryption concerns, Eufy states that they do use some level of encryption. Per its statement, Eufy says that "thumbnails utilize server-side encryption" and can only be viewed if a user is logged in. Despite being in incognito mode on his web browser, Moore had logged into Eufy’s web client and therefore used the same cache he had already authenticated with. This is why he was able to access the sensitive data.
This is not to say that Eufy is declining to accept any responsibility for the issue. The company states that “We are revising the push notifications option language in the eufy [SIC] Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.” They also state that they will, “Be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.”
Conclusion: We still have some concerns about Eufy’s data handling
Eufy’s statement definitely leads us to believe — at least for now — that some of these issues came down to poor communication. While it’s disconcerting that a company that touts its ability to be free from the cloud has a feature that requires data to be stored on the cloud, there may simply not be a better way to provide notifications a thumbnail. Plus, the workaround of using only text notifications isn’t inherently a deal breaker.
However, Eufy has yet to address concerns regarding the ability to view videos from cameras streamed via a web browser. Given no authentication appears to be required — though again, no proof of concept was provided by Moore — that is a serious concern. Eufy said in its statement that its "products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications." Moore had been taking legal action against Eufy to contest its GDPR compliance given these new developments, but his current pinned tweet states that he is in talks with their legal department and allowing them to investigate further. If we learn more details, we will update this article.
In the meantime, if you were looking for a great video doorbell to upgrade your smart home, our video doorbell buying guide has a ton of options from Eufy and its competitors — though be warned, even our best doorbells are not without faults. This summer we covered how Ring and Nest can let police view your video doorbell without your consent. We actually recommended the Eufy Video Doorbell Dual in that article, but if you don’t want a Eufy doorbell given these recent allegations, the Wyze Video Doorbell Pro is a great option that prevents user footage from being used without a warrant or court orders but lacks end-to-end encryption or local storage.