A security researcher has found several security flaws in a popular line of home security cameras. In a series of tweets, infosec consultant Paul Moore revealed that he had found the Eufy Doorbell Dual camera uploading facial recognition data to the company’s AWS cloud without encryption.
Eufy cameras are manufactured by the Chinese company Anker, which has over the past decade expanded its phone charger business to span all sorts of portable electronics. The Eufy line of home security cameras is popular all over the world, including in the GCC region, particularly for its military-grade security.
The news is particularly alarming considering that the demand for video surveillance is on the rise in the region thanks to the construction of several infrastructural projects including commercial ones such as the Abu Dhabi Metro, as well as a number of residential projects. Factoring in these developments, 6Wresearch expects the UAE video surveillance market to grow at a CAGR of 4.3% during 2022-2028.
Due Diligence
Moore claimed the data was being stored together with usernames and other information that could be used to identify people whose images were taken. Alarmingly, Eufy keeps the data even when the user deletes it from the Eufy app, claimed Moore. The researcher also claimed that the stored video feed can be accessed via a web browser, simply by keying in the right URL, with no passwords required.
Eufy has issued an official statement to Android Central confirming some of the issues while promising to address them. In response, Moore acknowledged that some of the issues have indeed been fixed, but also claimed that he can’t verify that cloud data is being properly deleted.
But this isn’t an isolated incident. Earlier this year, Bitdefender highlighted grave security vulnerabilities in another popular line of home security cameras. Last year, security researchers at Nozomi Networks uncovered a flaw in software that’s used on all kinds of smart devices. If exploited, it could be used to spy on people through baby monitors, home security cameras, and smart doorbells.
Security experts have long contended that not all smart devices are equally secure, since some manufacturers overlook security to save costs. Some even go as far as to suggest that security on most smart devices is actually a sham.
For instance, many smart devices have poor or no cryptography, are manufactured in insecure environments, provide no patch or upgrade process, and usually ship with default passwords.
In our haste to deck out our houses with smart devices, we often forget that all it takes is a single device with weak security for a hacker to sneak into our home network. While the responsibility for providing good security and privacy should start with the manufacturer, not the consumer, owners, both commercial and residential, must do their due diligence before purchasing smart devices.