Moore later posted a response from Eufy to his findings, in which a Eufy support representative states that thumbnails are restricted by account logins, and the URL “will expire within 24 hours” unless the user shares it. The Eufy rep also notes that Eufy “noticed it before” and plans to make its Homebase 3 store thumbnails locally, too.
Moore also claimed in a later tweet, tagged to another user’s screenshot, that you could remotely start and monitor Eufy camera streams through VLC without authentication or encryption. Moore stated that he could not release a proof of concept for the vulnerability. He also tweeted that Eufy denied his pre-action legal claim against the company, “refusing compensation,” but also, Moore claimed, offered him a job.
Just had a lengthy discussion with @EufyOfficial's legal department.
It's appropriate at this stage to give them time to investigate and take appropriate action; conversely, it's not right for me to comment further.
I will provide an update, as & when possible. Thanks!
— Paul Moore – Security Consultant (@Paul_Reviews) November 28, 2022
Finally, on Monday, Moore tweeted he had “a lengthy discussion with [Eufy’s] legal department” and would subsequently “give them time to investigate and take appropriate action,” and declined to comment further. We’ve emailed Moore for comment but, as his tweet suggests, had not heard back as of this post.
Eufy, meanwhile, responded to Ars and other outlets with a statement. Eufy affirms that its video footage and “facial recognition technology” are “all processed and stored locally on the users’ device.” For mobile push notifications, however, thumbnail images are “briefly and securely stored on an AWS-based cloud server.” According to Eufy, these thumbnails are server-side encrypted, protected by usernames and passwords, automatically deleted, and handled in compliance with Apple’s and Google’s messaging standards as well as General Data Protection Regulation (GDPR) requirements.
Eufy admits that when users choose between text-based or thumbnail-based notifications from their system during setup, “it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.”
Eufy pledged to update its setup language and “be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.” Other claims made by Moore and SEC Consult were not addressed.