Eufy, a smart home brand of tech accessory firm Anker, had become popular among some privacy-minded security camera buyers. Its doorbell camera and other devices proudly proclaimed having “No Clouds or Costs,” and that “no one has access to your data but you.”
That’s why security consultant and researcher Paul Moore’s string of tweets and videos, demonstrating that Eufy cameras were uploading name-tagged thumbnail images, likely unencrypted, to cloud servers in order to alert owners’ phones, stung smart home and security enthusiasts so hard this week.
Moore, based in the UK, began asking Eufy rhetorical questions about its practices on Twitter on November 21. “Why is my ‘local storage’ #doorbellDual storing every face, without encryption, to your servers? Why can I stream my camera without #authentication?!” Moore also posted lines from “source code & API responses” that suggested a very weak AES key was being used to encrypt video footage.