Eufy and parent company Anker are in a bit of hot water at the moment, as prominent engineers and users have discovered the Eufy Doorbell Dual camera has been sending footage to the cloud without user consent.
The Linus Media Group team shared a video on the subject after being inundated by user requests and noted that the images shared to the company’s cloud server are not only high-definition but also tagged with facial recognition. In other words, the images include the subject’s identity.
It has been suggested that the cameras also send a snapshot of the feed before the photo was taken to the cloud, which is a significant privacy risk. Information security consultant Paul Moore is one of the engineers who experienced this issue first-hand and has been in a back-and-forth with Eufy.
Moore says the company is aware of the issue but downplayed its severity, saying that the photos are sent to the cloud but are also password-protected.
It is worth noting that the fine print affiliated with the camera-in-question (Video Doorbell Dual) notes that the cameras don’t even support cloud storage and are protected by bank-grade (AES-128) encryption, Eufy’s website doubles down on this, saying that photos will not be sent to the cloud.
Moore also notes that the images were available on Eufy’s cloud servers even after being deleted locally. He even deleted his account but was still able to access the stored footage. He is currently in talks with the company’s legal department as they work to resolve these issues.
The story doesn’t end there. Another user reports that you can remotely start a stream and watch the unencrypted live feeds without authentication.
Lifewire has reached out to Anker and Eufy via phone and email and has not received a response.