Eufy cameras: an update made video feeds available to other users
Fanny Dufour May 20, 2021 @ 2:263pm
Due to a bug, some users of Eufy surveillance cameras had access to other people's video feeds.
On logging into the application that controls their surveillance cameras, some users realized that they were not in their own account but in another person's, with access to all of that person's information. The bug was fixed quickly, but it caused real panic.
Update May 20, 2021: response from eufy
During an update to our server in the United States, a bug affected 712 users in countries outside of Europe. The problem was corrected one hour after being identified. All of our users' video data is stored locally on the devices. Eufy provides remote account management, device management, and P2P access for users through AWS servers. All stored data and personal information is encrypted. To prevent further incidents, we are taking the following measures:
- Upgraded the network architecture and strengthened the two-way authentication mechanism between servers, devices and the eufy Security app.
- Upgrading servers to improve their processing capacity and eliminate potential risks.
- TUV and BSI Privacy Information Management System (PIMS) security certifications.
We are sorry for this incident and understand that we need to rebuild trust with our customers. Thank you for trusting us with your safety.
A major security breach
The alert was raised on Reddit, with several users from New Zealand and Australia reporting that they had access to the surveillance cameras of others in other countries, including the United States.
In addition to being able to see the video feeds of strangers, people affected by the bug could control camera movements, view video recordings, record them themselves, and also access users' personal details, such as their name, address or their network details.
This major security breach legitimately panicked users on Reddit, many of whom worried about their privacy and that of their loved ones. The other risk raised was that customers could be threatened, or even extorted, using videos filmed without their knowledge and their personal information.
A bug during a server update
Eufy eventually issued a statement about the bug, saying that it happened during a scheduled update to its server. The company also said it was made aware of the bug's existence after 40 minutes and corrected it an hour later. To regain access to their own feeds, users had to unplug and reconnect their cameras as well as log out and back in on the app.
The company told 9to5Mac that the bug affected 0.001% of its customers in the United States, New Zealand, Australia, Argentina, Cuba, Brazil and Mexico. According to Eufy, it would therefore seem that European users were not affected. Even so, it is more prudent for them to carry out the steps recommended by the company to ensure that their cameras are up to date.
Source: The Record