What you need to know
- Eufy has updated its app with version 4.5.1 to include a statement about user data being uploaded to its AWS cloud server.
- High-resolution images potentially containing sensitive user data were being uploaded to the cloud via push notifications without user knowledge or permission.
- While Android Central can no longer recommend Eufy products, users still keeping its products should change their push notifications to “text-only.”
Eufy is trying to stem the bleeding as it rolls out a patch in an attempt to address crucial security issues.
According to ZDNet, a fix began rolling out to the Eufy app for iOS users on Monday as the company tries to rectify problems with its security protocols. The patch notes for version 4.5.1 of the Eufy app state that it has added a “statement that cloud service will be involved when users choose to push thumbnail messages.”
Most people who own Eufy products would probably argue that this statement should've been present since the beginning — and rightfully so. This statement is part of the patchwork Eufy has been forced into doing ever since a security researcher found and brought to light several security flaws with its products.
The biggest issue here is that Eufy security cameras are not as secure as people have believed for the past few years. In fact, Eufy was found to have been sending pieces of sensitive user data, such as users' images and facial recognition data, to its Amazon-based cloud server without their permission.
Update: An official response from @EufyOfficial Paraphrasing… “You’re right, we do send to the cloud but it’s password protected, so not publicly visible… but we intend to encrypt API messages so nobody else finds out” Completely & utterly missed the point. pic.twitter.com/Mr08D2t60c November 24, 2022
All of this was done through the push notifications users may have enabled, where Eufy would send an alert with a “thumbnail” of what triggered the camera to alert you. The security researcher who is taking legal action against Eufy, Paul Moore, has tweeted snapshots of his emails to the company stating that the images in the push notifications are not simple thumbnails. They are “full size, original resolution images.”
Of course, there is also the risk that someone on the outside could access your Eufy camera feed with the right information, something that Eufy has yet to substantially address.
If you are still considering keeping Eufy security camera products, it would be best to avoid this issue entirely by changing your push notification content to text-only rather than the “full effect” or “include thumbnail” options. It would also be better to remove any indoor Eufy cameras that you may have, as there is the risk (slight but apparent) that someone on the outside could access your information.
However, Eufy has completely broken our trust in the brand, and Android Central will no longer recommend its products.