Comments
CimmerianX t1_iyb3k3q wrote
Not ok either way... To bad people don't know how to setup network border firewalls in their home.... Outbound traffic should be monitored as much as Inbound traffic.
[deleted] t1_iyb6e41 wrote
[removed]
CBus-Eagle t1_iyba0qo wrote
I have 6 Eufy cameras set up around my home. How do I get in on the impending class action lawsuit. Just kidding about the lawsuit, but I am disheartened to read this. I specifically chose Eufy because I didn’t want my videos stored on a cloud. I wanted complete control over where they are stored.
Nigredo78 t1_iybc3wx wrote
well lets hope you never understand and continue to live blissfully ignorant of any scenario that might require internal camera setups you muppet...
[deleted] t1_iybcdax wrote
[removed]
BaneBlaze t1_iybfyy2 wrote
This would solve the problem but likely break the feature they use cloud for.
Trade offs I suppose
Bipolarbearingit t1_iybgohf wrote
Omg, something not related to Elon Musk. Holy cow!
[deleted] t1_iybj4o6 wrote
[removed]
ZeroVDirect t1_iybjkif wrote
No cloud was also a selling point for me. I wonder if specific ports can be blocked to stop this behaviour? Anyone?
tboggs13 t1_iybjnhj wrote
Definitely no cloud connected cameras on the inside. Just asking for trouble.
hclpfan t1_iybks8c wrote
Full resolution photos and faces identified
AMatofFact t1_iybn1gt wrote
Yeah, I suspected this. In the app where you see the list of your cameras and their thumbnails, every disconnected camera shows the last thing it 'saw'. I think it's the first frame of the last recording. So with the camera off, it's gotta be stored somewhere.
BlackGold09 t1_iybpc6z wrote
Updated Story with Eufy response:
https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/
“Eufy Security is designed as a local home security system. All video footage is stored locally and encrypted on the user's device. With regard to eufy Security’s facial recognition technology, this is all processed and stored locally on the user's device.
Our products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.
To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.
Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.
That lack of communication was an oversight on our part and we sincerely apologize for our error. This is how we plan to improve our communication in this matter:
-
We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
-
We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.
eufy Security is committed to the privacy and protection of our users' data and appreciates the security research community reaching out to us to bring this to our attention.”
smooth-dust2254 t1_iybqsyf wrote
Eufy cameras are NOT cheap.
stillrocking3770k t1_iybs5l7 wrote
Explanation sounds reasonable.
You can disable the preview feature any time, and they'll add labelling if you use the preview feature.
Guess we put the pitchforks down (for now).
ApprehensiveNews5728 t1_iybsxr8 wrote
Almost bought a ring until I leaned there was a subscription fee and non-local storage. What other options are there?
OCedHrt t1_iybsysq wrote
The headline reads like anyone can access the thumbnails.
8Eternity8 t1_iybwhrs wrote
Except the APIs aren't encrypted and you can access the video feeds from cameras using VLC without any authentication.
Actually-Yo-Momma t1_iyby72f wrote
Wtf you talking about. Eufy is the best of home cams and is the only one without a subscription
qqanyjuan t1_iyc2m80 wrote
This is literally an ad?
sim642 t1_iyc3l1a wrote
If you don't want any cloud connection, just block all WAN access for them.
ZeroVDirect t1_iyc44ij wrote
If possible I'd like to keep connection open for software/security updates andclose off access for anything else. Is that possible?
TheFriendliestMan t1_iyc94s9 wrote
This is the original video:
https://youtu.be/qOjiCbxP5Lc
And here is Linus from LTT discussing it:
https://youtu.be/2ssMQtKAMyA
This is a big thing. Not just a small Oops. Let's see if the EU slaps a giant fine on them for this, they really don't like this kind of bullshit.
TheFriendliestMan t1_iyc99he wrote
But according to the youtuber who figured it out this is bs. You can access it without authentication and the pictures are still there after being 'deleted'.
https://mobile.twitter.com/paul_reviews/status/1595421705996042240
TheFriendliestMan t1_iyc9ag9 wrote
You mixed up your youtube links.
Edit: Correct link: https://youtu.be/qOjiCbxP5Lc
TheFriendliestMan t1_iyc9cpc wrote
TheFriendliestMan t1_iyc9i7i wrote
It's not really shady stuff, it's just pure ignorance of cyber security. Afaik they don't use the data, they are just incomprehensibly unsafe with how they implemented the feature.
Puzzleheaded-Cod4909 t1_iyccfgt wrote
If your product connects in any shape way or form to a cloud, your data is not private and belongs to the government. People need to learn that cloud comes with a cost.
RejZoR t1_iycqax2 wrote
Then there is Ring that's not Chinese and are just as terrible if not worse...
medievalmachine t1_iycxunh wrote
It's for push notifications. How else is it going to work?
AngelKitty47 t1_iyd05ra wrote
thats why i installed a wired system... it's a hassle but worth it
AngelKitty47 t1_iyd07vt wrote
wow thats technical
wedontlikespaces t1_iyd5lxp wrote
Depends on how it's implemented, it may use different ports for different things.
If so, you could just close any port that it uses for streaming data. If the data is streamed via UDP it probably does use a different port than it does for updates, but you would have to look into it find out exactly what it uses.
wedontlikespaces t1_iyd5ytr wrote
Reading into it. It sounds like they are super incompetent. Even if there is no malicious intent it's still blatant violation of GDPR and whatever the American equivalent is.
anlumo t1_iydbr5z wrote
If it doesn’t have network access, you also don’t need security updates.
CimmerianX t1_iydcifr wrote
With customer approval and opt in, that's how.
medievalmachine t1_iydiv6y wrote
You do have to opt in, otherwise how would they push it?
​
I'm not saying I know everything about this situation - I don't care to spend time to research a product I don't own.
But if you're getting email/text notifications it's not secret.
8Eternity8 t1_iydmeii wrote
So apparently if you shared a YouTuve video before the ad finishes it just shares the ad. I have just learned this.
[deleted] t1_iydmlkf wrote
[removed]
GetOutOfTheWhey t1_iyeri7i wrote
In the article, the customer opted in for that function thats how he discovered the vulnerability.
The flaw of the function is that it needed the file to first be uploaded to their server and that the upload was unencrypted.
>Moore had enabled the option manually, which is how the security flaw was eventually discovered. By default, the Eufy app’s camera notifications are text-only and don’t have the same issue, since there’s nothing to upload.
cyber1kenobi t1_iyb1oh3 wrote
“Footage” aka video…? Or thumbnails? Not ok without consent either way but there’s a major difference