Security researcher Paul Moore has uncovered a critical data-protection and security vulnerability in products of the eufy brand, which belongs to Anker. At least the smart video doorbell, the Anker Eufy Doorbell Dual, is affected.
Anker Eufy Doorbell Dual transmits facial recognition data to server
For the Anker Eufy Doorbell Dual, the manufacturer promises both security and savings. The product website states: “That means no one but family has access to the data – and with no cloud service fees at all.”
That this is apparently not the case has now been demonstrated by security researcher Paul Moore and recorded in a video on YouTube. According to him, the camera transmits facial recognition data to the company’s servers even when cloud storage is disabled and only local storage is configured.
On Twitter, Moore also revealed that the camera sends this data to the manufacturer unprompted and without the user’s consent, via an unencrypted API call directly to eufy’s servers.
According to Moore, names and locations are transmitted as well, and a stream from the camera can even be started without authentication. There is also no recognizable encryption of the data, Moore added.
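The findings above (a camera configured for local storage that still reaches the vendor’s servers, over a plaintext API call) are the kind of behaviour a home or lab network can check for by auditing the device’s outbound connections. The script below is an added example, not part of this article and not from eufy or Anker: it reads a constructed flow log in a simple “timestamp src dst dport proto bytes” format, looks up the source address in a constructed device inventory, and raises a finding for any traffic leaving the LAN from a device that is supposed to be local-only, and separately for any egress on a plaintext port. The LAN range, device addresses and vendor-server addresses (documentation ranges) are all assumptions for the example.

```python
"""
Egress audit for cameras that are configured as "local-only".

Added example (not from the article, not eufy/Anker code).  Two checks:
  1. a device configured as local-only must not talk to anything
     outside the LAN at all;
  2. any device talking outside the LAN on a plaintext port (HTTP)
     is a finding even if it is allowed to use cloud features.
Log format, inventory and addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed home LAN; anything outside it is treated as the internet.
LAN_NETWORKS = [ip_network("192.168.50.0/24")]

# Constructed inventory: device name -> (IP, cloud features allowed?)
DEVICES = {
    "doorbell-front": ("192.168.50.10", False),  # user chose local storage only
    "cam-garage":     ("192.168.50.11", True),   # cloud features knowingly enabled
}

# Ports on which an upload would travel unencrypted.
PLAINTEXT_PORTS = {80, 8080}

# Constructed flow export: "timestamp src dst dport proto bytes_out".
# 203.0.113.0/24 is a documentation range standing in for vendor servers.
SAMPLE_FLOWS = """\
2022-11-28T10:01:02 192.168.50.10 192.168.50.2 443 tcp 1200
2022-11-28T10:01:05 192.168.50.10 203.0.113.7 80 tcp 48211
2022-11-28T10:01:07 192.168.50.11 203.0.113.9 443 tcp 9800
2022-11-28T10:01:09 192.168.50.11 203.0.113.9 80 tcp 512
2022-11-28T10:01:11 192.168.50.10 192.168.50.2 5353 udp 120
"""


@dataclass(frozen=True)
class Finding:
    device: str
    dst: str
    dport: int
    bytes_out: int
    reason: str


def is_lan(addr: str) -> bool:
    """True if the address belongs to one of the configured LAN ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def parse_flow(line: str):
    """Split one constructed flow line into typed fields."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return ts, src, dst, int(dport), proto, int(nbytes)


def audit_flows(log_text: str, devices=DEVICES) -> list[Finding]:
    """Return one Finding per policy violation seen in the flow log."""
    by_ip = {ip: (name, cloud_ok) for name, (ip, cloud_ok) in devices.items()}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, _proto, nbytes = parse_flow(line)
        if src not in by_ip:
            continue                      # not a camera we are auditing
        name, cloud_ok = by_ip[src]
        if is_lan(dst):
            continue                      # talking to the base station / NVR is expected
        if not cloud_ok:
            findings.append(Finding(name, dst, dport, nbytes,
                                    "egress from local-only device"))
        if dport in PLAINTEXT_PORTS:
            findings.append(Finding(name, dst, dport, nbytes,
                                    "egress on plaintext port"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per device, handy for a quick report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.device] = counts.get(f.device, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.device}: {f.reason} -> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
    print(summarize(audit_flows(SAMPLE_FLOWS)))
```

On the constructed log the local-only doorbell produces two findings for a single 48 KB upload (it left the LAN at all, and it did so over port 80), while the cloud-enabled garage camera is flagged only for its plaintext connection. The byte count is worth keeping in the report: a large plaintext upload right after a motion event is far more interesting than a small keep-alive.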
Back in May 2022, Bitdefender had already uncovered several critical security flaws in an eufy product; affected at the time was the Eufy 2K Indoor Camera, which was vulnerable in several ways.
The manufacturer advertises a particularly high level of security and the fact that all data from its cameras is stored only locally. For the eufy HomeBase 3 and eufyCam 3, introduced only in October, it likewise says that data is stored only locally and within its own cloud.
“HomeBase uses local storage that is kept away from cloud servers to ensure all data stays at home,” the manufacturer says. However, it is unclear whether these products also transmit data to the manufacturer’s cloud without being asked.
Addendum: Statement from Anker
eufy Security is designed as a local home security system. All video footage for this is stored locally and encrypted on users’ devices. The facial recognition technology of eufy Security is also processed and stored locally on the device. Our products, services and processes fully comply with the applicable standards of the General Data Protection Regulation (GDPR), including ISO 27701/27001 and ETSI 303645 certifications.
To provide users with push notifications for their mobile devices, some of our security solutions can display small preview images (called thumbnails) of videos that are briefly and securely hosted on an Amazon Web Services (AWS) based cloud server. These thumbnails use server-side encryption and are set to be automatically deleted. They comply with all standards of Apple push notification services (iOS app) and Firebase cloud messaging (Android app). Only after users have securely logged in to their eufy Security account can they access or share these thumbnails.
Although our eufy Security app offers users the option to choose between text and thumbnail-based push notifications from launch, we did not make it clear enough that when thumbnail notifications are selected, the thumbnails are briefly hosted in the cloud.
This lack of communication was an oversight on our part and we sincerely apologize for this error.
We will improve our communication, including the following:
- We will revise the wording of the push notification options in the eufy Security app to clearly state that push notifications with thumbnails require small thumbnails that are temporarily stored in the cloud.
- We will more clearly highlight the use of the cloud for push notifications in our consumer marketing materials.
eufy Security is fully committed to protecting the privacy and data of its users and thanks the security community for bringing this issue to our attention.
Anker