Intro: I’m an Information Security Consultant & researcher.
I recently purchased a doorbell dual - impressed by the apparent lengths Eufy has gone to wrt: privacy.
“your footage will be kept private”, “stored locally”, “military grade encryption”, “transmitted to you and only you”… just some of the claims they make.
Every false positive image, every face (familiar or otherwise) are all uploaded to the cloud, without consent. I do not utilise cloud storage, so I was disgusted to find my face not only stored on Amazon AWS, but a plethora of metadata allowing Eufy to “detect” me in front of any other doorbell, even if I don’t own it.
So, my questions are as follows:
Why is my supposedly “local storage” device uploading images and AI data to the cloud - without encryption?
Why are you mapping names/locations to faces in the cloud, again without consent?
Why is it possible to stream my camera live - without encryption or authentication?! (I’m can’t publish how, just yet)
Why is the encryption key “ZXSecurity17Cam@” instead of a cryptographically random, unique key?
Needless to say, I no longer trust Eufy at all and will be taking legal action.
If this was simply a bug or oversight, I might be able to look past it. However, it’s clearly intentional given the structure of the API and supporting calls and is completely at odds with their privacy claims. I asked this via live chat - only to be told it was completely untrue and, after being supplied with evidence, cut off 3 times.
If you purchased your Eufy device believing it to be truly private, return it immediately and request they delete all information from their Amazon & surrounding infrastructure.