
Oh boy, weaknesses are more fun
Last year, a “software bug” at Anker-owned Eufy caused a hubbub when owners of the company’s connected security cameras were able to access live feeds and saved videos from other users’ Eufy cameras. Now, Eufy is in hot water again. Security researcher Paul Moore recently discovered several serious security flaws in Eufy’s software, including one that could allow people to access live video feeds from Eufy cameras without authentication.
Last week, Moore noticed that his Eufy Doorbell Dual — which he said he bought because of Eufy’s sales pitch about privacy — was uploading small video clips to the cloud, although he had not chosen Eufy’s cloud services. Moore points out that the images captured by his Eufy camera can be accessed without authentication by navigating to an associated URL, but Eufy says the images are encrypted, and it seems that Moore was able to access them because he had previously logged in to his Eufy account in the same Incognito Chrome window.
Moore also found that a different Eufy camera connected to another account was able to recognize his face with the same unique ID — indicating that Eufy is not only storing facial recognition data in the cloud, but also sharing that information between accounts.
Unfortunately, Moore said he was able to view live images from his camera in a web browser without authentication by navigating to the appropriate public-facing address. Understandably, Moore did not provide proof of this exploit himself, but said that he was in touch with Eufy about it.
According to Moore, Eufy says that the images are stored on Amazon Web Services (AWS) servers only so that event notifications can be sent to the user through the Eufy security software, after which the images are deleted. In a separate YouTube video, Moore showed that the images remain stored for some time after the notifications are sent, although he could not confirm how long.
Eufy explains that thumbnails will be transferred to AWS if a user’s event notifications are configured to include thumbnails (by default, notifications are text only). The company told Android Central that it’s taking steps to make it clearer to users who attach thumbnails to event notifications that those thumbnails will be stored on AWS for a while, even if the user did not choose cloud services. Eufy added that its operations comply with GDPR standards, as well as “Apple Push Notification service and Firebase Cloud Messaging standards.”
Moore told Android Central that Eufy is moving quickly on the issues he raised and that the methods he used to access his data in unorthodox ways no longer work. All in all, it’s the second major security snafu for Eufy in two years — not a great look for a company that publicly prides itself on protecting user privacy.