Tech is often a bit of a “black box.” That is, you don’t know exactly what it’s doing. You buy a box that says it does X, it seems to do X, and you don’t know what else it’s doing. As an app developer, I can promise you your apps are doing far more than you realize they’re doing. Make no mistake, it’s usually all outlined in the user agreement and terms of service, and often it’s just simple things like analytics. Did the app crash here? Did the user experience troubles with this feature? Stuff like that. Still, sometimes software can do unwanted and unexpected things, without the user’s permission.
Proponents of open source software say this is exactly why software should always be open source, that is, with publicly available code, so people can verify that the software itself never has hidden issues. Others point out that this makes selling software all but impossible, decreasing the value of anything software engineers make because it could be re-created for free.
This all comes to a head when Eufy’s security cameras were sending data off device to the cloud. Users expected that their security cameras only communicated with their own devices. However, researchers found the cameras sent data off device to Amazon’s AWS servers. While Eufy says this is just for notifications, users are a bit shaken.
Can trust exist between users of tech and the companies that make them if terms of service can be a mere suggestion?
Eufy’s Situation
Eufy is Anker’s smart home accessories brand. They sell a variety of smart home appliances, including a popular lineup of security cameras. Their selling point is the HomeBase hub. This lets users store their recordings and streams locally. Privacy fans liked Eufy’s implementation of home security because it didn’t share the video their cameras record online.
Now security researchers have thrown all of those claims into question. Security researcher Paul Moore found his Eufy camera was “leaking” data. He found that the camera was storing a thumbnail of the image when the device was activated by motion or a door bell, as well as an image from before the event. This data also included user IDs and other identifying information, and, he claims, it’s public, not behind encryption. Reportedly, all anyone needed to do was guess the URL and they could see this information.
The user likely hasn’t consented to this data storage in the cloud, going off of Eufy’s marketing. It seems like the recorded event can be deleted, but Moore didn’t reveal whether or not the images were still accessible. Security that only relies on guessing a random number on a URL isn’t security at all. Images are apparently stored on Eufy’s AWS servers, where it wouldn’t be difficult to access them.
SEC Consult confirmed thumbnails, as well as the capability to stream from these cameras. They stated that the encryption keys are hard-coded for all devices, and easy to crack. They found that unencrypted traffic includes username, account ID, and commands sent to the device. Along with this, they were able to access streams from a browser. Moore confirmed he could do the same.
The Verge, working with security researcher “wasabi” also confirmed these findings, including the fact that users could watch a stream of a camera with just a video URL. These randomized URLs are easy to guess, basically making these feeds public to whoever wants to look. Poorly secured webcams are popular among a certain type of online voyeur. Many cameras are already hacked, but, if these researchers’ claims are true, you can add Eufy cameras to that list. This is exactly why privacy advocates wanted cameras that wouldn’t send data to the cloud.
Eufy refutes the claims, and states the thumbnails were just for notifications. They say future versions won’t have these issues, and that URLs “expire within 24 hours.” Of course, if those URLs are indeed public and just randomized, expiring wouldn’t change anything.
Moore states he can’t discuss is much because he’s taking legal action against Eufy. He hinted that the issue was worse than he let on in his video above. Eufy seems to be taking action to fix these issues, but that might not be much comfort for those who currently rely on these security cameras.
The Terms of Service
The terms of service (ToS) you agree to becomes a loose contract between customers and a company. It’s the closest thing to a guarantee that the company will do its best to keep your data safe and will not do anything else with your data without telling you. You’ve surely been a user of a service when a company sent out an updated Terms of Service. It means they’ve decided to do something else with your data and, even if they think you may not like that change, they still have to tell you about it.
There are legal ramifications for not following the ToS. Both companies and their users can sue, for example, if either party breaks that contract. Eufy may have found themselves in that situation now, as their alleged storing and streaming of data in the cloud, when they supposedly claim this is not possible, could be a violation of that agreement.
If true, Eufy’s situation seems to be a disconnect from those who imagined the product and those who implemented it. The company has stated that the thumbnail images were just for notifications. Someone had to implement that and thought the only way to get those thumbnail images in was to store them in the cloud.
The engineers may have rushed the job due to a deadline (it’s quite common in tech). It also explains the lack of encryption. It’s why every employee, from the designers, to product, marketing, managers, mobile, front end, back end, everyone, should receive not only security training but training on the company’s ToS. Everyone should know how to protect user data. Everyone should be able to push back on deadlines and features if they could break those terms. Unfortunately, that just doesn’t fit into the hierarchy of most companies, where they insist that authority only trickles down. It’s how a company can both mean well and fail to do so. The problem is always in the details of implementation.
To quote T.S. Elliot’s The Hollow Men, “Between the conception and creation … lies the shadow.” We can’t trust tech with such long, dark shadows between the conception and creation. Tech companies will have to re-think how they organize and train if they don’t want a single disaster defining their brand. Eufy may find this mark on their brand is quite damaging, and it may have been because of nothing more than a rushed project and crunched engineering.
Sources:
- Sean Hollister, The Verge
- Paul Moore, YouTube
- Kevin Purdy, Ars Technica, [2]
- SEC Consult