Even though cloud storage is disabled and local storage settings are turned on, the popular Eufy- branded security cameras seem to be sending data to the cloud. A video detailing the issue was published by security consultant Paul Moore.
Moore bought a Eufy Doorbell dual that was supposed to be a device that would record video on the device. When cloud function is not enabled, Eufy is uploading thumbnail images of faces and user information.
Moore uses his camera to take a picture and turn off the Eufy HomeBase. Even after the footage is removed from the Eufy app, the website is still accessible through cloud integration, despite the fact that he had not signed up for cloud service. Eufy doesn't appear to be automatically uploading full streaming video to the cloud, but rather taking captures of the video as thumbnail
Eufy users can watch their videos when away from home and send rich notifications with the use of the thumbnail in the Eufy app. Eufy seems to be using facial recognition on the uploads, even though the cloud function is not active. Eufy advertises a local-only service and has been popular with those who want a more private camera solution. The website says "No Clouds or Costs".
Moore suggests that Eufy can link facial recognition data from two separate cameras and two separate apps to users, all without camera owners being aware.
The same thing happened when other Eufy users responded to Moore's message. Moore tested the Eufy doorbell camera and it appears that other Eufy cameras work the same way. Moore shows how easy it is to access the images with simple URLs, which is a potential security risk for those concerned. The background call that reveals the images was removed by Eufy.
Moore received a reply from Eufy that said the data is not able to be released to the public because the URL is restricted and requires account login.
Moore suggests Eufy camera streams can be watched live using an app, but little information on the exploit is available at this time. Eufy users are alarmed by the fact that camera content can be accessed without verification.
The article will be updated if we hear back from Anker. Moore will give Eufy's legal department time to investigate and take appropriate action before he makes a comment.
I would like to thank Derek!