eufy Uploading Customer Data to Cloud without Consent

I see a lot of people here still suggesting people purchase eufy products lately.
This news broke a couple of days ago; (In the reddit post is links to a twitter user Paul Moore an Information Security Consultant, as well as a couple of videos demonstrating his findings)
https://www.reddit.com/r/EufyCam/comments/z5i7rr/eufy_storin…

Their doorbell that claimed to be local-only storage with no cloud storage are uploading facial-recognition-tagged photos and videos to eufy servers and are publicly accessible to stream if you have the specific URL for the device.
One other key issue with this being that eufy is owned by Anker, a Chinese company, and the CCP is able to claim any data stored by any company in China. Which is a bit gross.

If these lengths are what has been discovered, do you think that their home security cameras are any better?
How about their tracking tags?
Thoughts? Opinions?

Edit:
Also talked about in detail on LTT's WAN Show podcast

Related Stores

eufy
eufy

Comments

    • Yeah, this is what brought it to my attention. On hindsight should have put it on the post.

    • As was also being discussed here on OzBargain a couple of days ago.

  • +4

    yeah, I'll just wait until Eufy post a $3 random voucher to say sorry and I'll continue to use them.

    • Based.

    • +15

      Your worried about your information , you'd better get off the grid entirely.

      That was the whole point of these doorbells, is that they WEREN'T supposed to be sending data outside your local network. If a company says they won't upload data to the cloud, a customer SHOULD be able to reasonably expect that they won't.

      The sensible thing to do for any IoT device is to set it up in it's own VLAN so it can't access the internet even if it tried, but most people won't have the understanding or means to do this

  • -8

    basically same as optus, medibank, and others…

    • +17

      Basically you're wrong.

      Eufy carved out a big chunk of market share with their "NO CLOUD" positioning. ie All of your data is local unless you opt-in for their cloud option.

      They have been busted lying.

      Customers know that Optus, Medibank (et al) collect data.

  • Pretty disappointing, I thought Anker made quality products so sad to know that I likely won't be purchasing anything from them again.

  • I trust only Eve Cam Homekit cameras, Logitech Circle View is probably ok too but I’d still avoid. Homekit works fine offline via hub like AppleTV.

    For those not tech savvy, this is as bad as possible.

    • +1

      I tested Eufy 2K one before Eve Cam. It was marked as “works with Homekit” but no official Homekit logo and no QR code sticker. It connected to some servers immediately (I traced it). Next - eufy app asked to type in my wifi password. Nope. No true Homekit device will ever ask that.

      Returned and washed my hands twice, lol

      • I don't understand, can you explain why?

        • If you claim Homekit, do Homekit. But they asked for my wifi password, were using their servers for account and videos instead of Apple infrastructure.

  • +3

    Ever since they didn't seem to prioritise basic security issues/fixes (the potential for people to reset the camera, wiping or rendering recorded data useless), I have just never bothered looking at their brand. No real point of having a 'security' camera with no 'security'!

    • Which brand do you look at that doen't have the potential for people to reset the camera?

      • +1

        Ubiquiti.

        Someone can reset or even take the whole camera and the valuable footage will still be safe.

        • Aren't they like double the price and PoE? Not really comparing apples with apples in that case.

          • @Domingo: They are definitely more expensive upfront, but it depends on one's priorities and needs.

            For me personally, I wouldn't go with Eufy because the issue itself is potentially big enough to completely defeat the purpose of having it in the first place. But if someone is happy to accept the risks associated with how their products work, then go for it. Eufy have known about this for quite some time, yet, they seem to be in no hurry to fix it.

            • @bobbified: I am yet to find anyone who can confirm that Ring and Nest don't function in the same way, yet no one seems to have the same security concerns about those brands. I am trying to determine if Eufy are actually different from other products in the market, or if they behave similarly to others.

              • @Domingo: I won't pretend to know what Ring and Nest are like, but this shortish video, from about 3:50 onwards, suggests that they work differently (because footage stored in the cloud that requires subscription?) I'm not a fan of subscription services myself. But they also recommend ReoLink for a non-subscription service (free 7 days online storage so footage still available if the whole camera gets taken).

                Eufy's email response at 2:50: "The product is designed to be like this…" reminds me a bit of Apple! haha

              • @Domingo: It might be a matter of degrees.

                The issue with any push notification thumbnail is that it has to be viewed OUTSIDE of an authenticated session and in a public location with good performance. So you can probably assume any thumbnail shown on a push notification is going to be less private and secure that NOT doing that.

                Eufy's approach was to rely on obscure URLs however which while "ok" from a 3rd party aspect (you are not going to be able to guess it) is still not gold standard and offers zero protection from Eufy (or any other privileged party).

                Adding an API key is better… but still not exactly great since API keys are common for an app, so some sort of device registration token would be needed (which would also mean notifications can't be broadcast to multiple devices but have to be sent 1:1)

                Preventing 2nd party (Eufy, etc..) from seeing it means encryption on storage and this is going to be more difficult to implement. To be end-to-end the device would need to register with the base station and exchange an encryption key which is then used on outgoing notifications to prevent it being intercepted on Eufy's CDN or in fact… while passing through Google or Apples network.

                All in all… possible but it is a lot more complex (and thus less performant and reliable) and would mean that the solutions arch / designer had though their way through it and Eufy themselves has made it a priority.

                • @Thenhz: I think you're talking about a separate issue here. I was referring to the reset button one, not the thumbnail sending one.

                  I do wonder if anyone is watching my dog sleep though. There is a eufy camera looking into her crate

                  • @Domingo: You are right, and to be honest… the issue with camera reset wiping stored video on homebase is worse since including thumbnail isn't a default option on (most/all?) their cameras (you have to turn it on).

                    • @Thenhz: But do Ring and Google Nest have the same reset wiping functionality?

                      • @Domingo: https://support.google.com/googlenest/answer/9252162?hl=en-A…

                        As far as Nest Doorbell go, it sorta sounds like it, I don't have one to try it though.

                        Not the same issue, but it appears just adding a subscription will wipe all your footage too (!?!?);
                        https://www.reddit.com/r/Nest/comments/fj3q44/psa_nest_aware…

                        Ring don't seem to have people complaining (or a FAQ stating that is the behaviour) though it's an online only device.

                        • @Thenhz: Which is exactly my point - Nest appears to do the same yet the pitchforks only come out on Eufy deals.

                          Ring potentially does as well (I've looked it up too and it isn't definitive either way), yet no questioning or pitchforks.

                          I'm all for lynching irresponsible big tech, but can we be a bit more equitable in our lynching?

                          • @Domingo: The difference is that Eufy claimed on their product pages for these devices "No clouds".
                            Their actual selling point was that no data was uploaded anywhere.

                            Other companies having crap practices is a case of buyer beware because they're being upfront about said crap.
                            Eufy/Anker marketed a selling point that was factually incorrect.

    • The Eufy cams with homebase support using your own RTSP NAS to save the video and do whatever you want with it such as upload to cloud.

      So for anyone paranoid about the extremely unlikely event of a thief resetting the camera, those people can use the option of RTSP, such as the video surveillance app on a Synology NAS for example. And BTW, the thief has no way to verify their resetting efforts were successful. So like I said, you're worried about something that will never happen…. and if your camera is installed outside up high, the thief will need to bring his own ladder!

  • +1

    My Eufy wifi cameras (solar stand-alones) are sending a zoomed-in thumbnail of detected persons out of my network (with UPnP turned off) to the app in my phone. It must be going through a relay.

  • -1

    I mean.. a 2 second google search tells you Anker is Chinese-owned so surely nobody is shocked pikachu about that!? Any cam provider that gives either 'local' or cloud storage you have to fully assume there's a chance of some shenanigans going on (yes, including non-Chinese firms). I don't enable the facial recognition feature but I doubt that's 100% safe at all.

    Personally I've weighed up the risk and the security around my home outweighs the risk of shenanigans. Basic steps I've taken include having the base station in an isolated network without outbound comms only and the only time a cam will ever come inside the house is for charging. Even then I cover the cam the entire time and charge it in an isolated part of the home to avoid mic snooping.

    • +2

      You missing the fact that with camera url anyone on internet could see your pictures. Even after you deleted your cloud account.

      • +2

        Going to see a lot more of the postie and meter readers than me!

  • +3

    A bit of background on what is occurring: the image shown on the push notification is being uploaded to a cloud server (with some significant meta-data), and this is only protected by using an obscure URL with no added authentication or encryption of the image (or meta-data). Also, the link stays valid for a significant time (24 hours in one post) and it's unclear when the image is removed (could be 24hours… but who knows).

    The fact that push notifications exist (containing your photo) should have been a clear sign that some data was being stored in the cloud, but the real issue is lack of any protection of the images beyond the obscure URL and that they do not show that in any fashion or give you the choice of opting out (or better still… make you opt-in).

    Note on obscure URLs… that isn't the worst means of securing the image, at least from a 3rd party since guessing the URL isn't realistic. But it is not effective in any fashion for protecting from a second party (i.e. Eufy).

  • I remember, back in the day, it used to be possible to google search web connected webcams and have a look. Some even left the controls open without logging in.

    Might get to relive those days again.

    • I remember, back in the day, it used to be possible to google search web connected webcams and have a look

      Not just back in the day - they are still just as easily viewable (and no, before anyone asks, I'm not giving out the site names)

  • +1

    I assume Dahua and HikVision are pulling the same stunt behind the scenes?

    • If they send push notifications with a thumbnail there is a good chance of it.

      • The difference with Dahua and HikVision cameras is that they can use RTSP/ONVIF protocol, so can be forced as local-only provided you're capable enough of setting up your own NVR.

  • you cant trust any of this chinese stuff. that is why australia dumped the wee wee 5 g. every company in china is forced to partner with the ccp. the ccp can do what they want at will. and if the company does not comply, they can shut it down over night. that is why musk never criticizes china or the ccp. they can end tesla in a heartbeat.

  • Can't say I am surprised since the leak a few years ago where you could access other people's camera feeds. I think I will look into setting up eufy & future IoT devices on a separate VLAN.

  • +1

    I suspected that this was a bit of a "look at me" type video, as some of the functionality he described, like uploading images, seems obvious that they are doing. I mean, how else is the eufy app going to show a preview in the notification to your phone if they don't upload an image to their servers? Personally, I don't think uploading stills constitutes cloud storage, and unless I missed it, I don't see where videos are being uploaded. I don't know how long their servers retain those images, but it's not surprising to me they aren't deleted straight away, as it's not uncommon practice to just have a job that runs daily to clean up resources, but I can see why people might be concerned about it.

    Anyhow I thought I'd verify myself what he claimed. I found that:
    1. Once you obtain the image URL, it doesn't require authentication to access it. That's a fail.
    2. I was able to view the livestream of the camera via VLC, again, without authentication. However, when I stopped the livestream in the browser, the stream also stopped in VLC. So people can't just stream your cameras whenever they want, if they happen to obtain the URL.

    Don't see what Eufy being Chinese owned has to do with this, just seems like scare sensationalism. This was always public knowledge, and if CCP really want access, they could without needing any of what this guy posted in his video.

    Really, all this post reinforces is the fact that you should stay off untrusted/public networks, and if you do, most of this is really not a big deal at all.

    • However, when I stopped the livestream in the browser, the stream also stopped in VLC

      Ah, this is interesting. My concern level dropped a bit reading this! It’s still not good, but not as bad - although Eufy/Anker not being up front about this is a massive massive failure of communication. I’m not going to throw my current cameras in the bin, at any rate.

      • Yeah, this makes it not as bad as anyone being able to connect to your camera at anytime.

        Still they need to make changes to their backend and address the uploading to face recognition photos to their servers. I suspect many will never consider them after this or previous issues anyway.

    • +1

      It's all about people reading a little bit of something then jumping on the hate band wagon without bothering and understanding the issue.

      • 100%. I really don't understand the hate about still images being uploaded. Honestly, how did people think images were being delivered to their phone in the notification? Notifications require internet connectivity, so of course it has to get uploaded to the internet. It's literally impossible for your phone to show a preview in the notification if an image isn't uploaded to the internet. This was obvious to me when I set my cameras up.

  • If only China could answer my doorbell and tell the postman to leave my parcel

    • People would pay a subscription for that feature!

    • +1

      My postman got upset cuz we don't answer or talk to him through the door bell. I need a service to say leave the parcel too.

    • +1

      Note that when they say no encryption, they don't mean it's not transport encrypted. However, they are 100% proxying/reflecting the video steam through their servers from the homebase which means the actual video data is not encrypted (as vs the transport).

      Example; https://mediaserver-usa4.eufylife.com:1443/live?port=1935&ap… 64 encoded serial number + other bits which I'm not going to share….>

      (note HTTPS)

      That said, it does appear to use some sort of door knock protocol, i.e. the outgoing steam isn't open by default without a start_steam command being sent. I haven't been able to start the steam without first starting at sometime in the recent past but I don't know how long it stays active. That said… opening a stream (to the site I'm testing) isn't that reliable so maybe I've just been unlucky….

  • +1

    Their verge article (posted above) has been updated.

    Seems eufy still deny it, but have been making some minor adjustments in the background as the Verge team are having trouble accessing the data using the same method

  • The condition of being able to view the stream without a password is next to impossible unless you already have access to said account. In which case, just view the stream normally….

    https://www.zdnet.com/home-and-office/smart-home/eufy-respon…

  • Home base blinking red. App says updating. Maybe they fixed it with latest update?

Login or Join to leave a comment