Eufy Camera Security

Eufy Camera Security Breach Admission Leaves Many Questions Unanswered

Anker, the company that owns the Eufy brand, has at last commented on evidence of a significant Eufy camera security breach, but its official response still leaves a lot of questions open.

The company has now admitted that it lied to users about all footage and images being stored locally, and never sent to the cloud, after a security researcher proved that this was not true …

Background

The addition of facial recognition technology to consumer-grade home security cameras has been one of the biggest advances in the category. Beyond simply detecting movement, the camera can distinguish people from other objects, such as pets. Face recognition also stops it from sending pointless alerts whenever a known member of the household is seen.

Most facial recognition systems run on cloud servers. Anker claimed that its Eufy cameras instead perform facial recognition on the devices themselves, eliminating the need to send images to the cloud, and the company’s website continues to state plainly that it does not send data to the cloud.

Eufy Camera Security Breach

Anker’s privacy claim is untrue, as Paul Moore recently demonstrated.

Moore found that the doorbell’s camera was uploading personally identifiable facial recognition data to Eufy’s cloud servers, and that this data was not actually deleted from those servers when the associated footage was deleted from the Eufy app. In the video below, Moore also notes that Eufy linked two separate accounts to each other using facial recognition data captured by two separate cameras, one on each account. He further emphasizes that Eufy never informs the user that any of this is happening; in fact, the company’s marketing suggests the exact opposite.

Even worse, another user found that unauthenticated viewing of live video without encryption was possible.

A user was able to access a camera’s feed using the widely available VLC media player, and Paul Moore confirmed (without demonstrating how) that the streams can be accessed without any encryption or authentication.

Company Partly Admits the Issues

Anker this week published a blog post that partially admitted the problems while claiming that no user data had been exposed:

“eufy Security Uses the Cloud to Send Users Mobile Push Notifications”

It is accurate to say that Eufy Security is dedicated to minimizing the use of the cloud in our security procedures whenever practical. However, some processes today still require us to use our secure AWS server.

For instance, when a user opts to include a thumbnail with a security push notification, a small preview image of the security event is sent to our secure AWS server and then pushed to the user’s phone. End-to-end encryption is used to protect this image, which is also removed shortly after the push notification is sent. Additionally, this procedure complies with all professional standards.

Anker also acknowledged that its web portal had flaws, but denied that any user data had been compromised.

The company continues to deny that facial recognition data is uploaded to the cloud.

Many Questions Remain Unanswered

The site sent Anker a lengthy list of additional questions:

Why do your purportedly end-to-end encrypted cameras even produce streams that aren’t encrypted?

When does video become encrypted?

Do any other components of Eufy’s service, like the desktop web portal, rely on streams that aren’t encrypted?

How long can you access a stream that isn’t encrypted?

Are there any Eufy camera models that do not transmit unencrypted streams?

Will Eufy completely stop allowing streams to be transmitted unencrypted? When, how, and if not, why not?

If not, will Eufy inform its users that their streams may not always be end-to-end encrypted? When and where?

Has Eufy changed the stream URLs to something that is harder to guess? If not, will Eufy do so? When?

When cameras use HomeKit Secure Video, are unencrypted streams still available to view?

Is it true that “ZXSecurity17Cam@” is an actual encryption key? If not, why did that appear in your code marked as an encryption key and appear in a GitHub repository from 2019?

Do Eufy’s cameras permit cloud access to any other private information or identifying characteristics besides the thumbnails and the unencrypted streams?

Are there any other actions that Eufy’s servers can remotely instruct a camera to take, aside from potentially intercepting an unencrypted stream?

What prevents employees of Eufy and Anker from utilizing these streams?

What other specific steps will Eufy take to address its security and reassure customers?

In light of these disclosures, has Anker hired any impartial security companies to audit its procedures? Which?

Will Anker offer refunds to customers who purchased cameras in reliance on Eufy’s privacy guarantee?

Why did Anker inform The Verge that an application like VLC was required in order to view the unencrypted stream?

Do eufy’s video recordings get shared with law enforcement?

Similar problems surfaced in May of last year, when third parties were able to view ostensibly end-to-end encrypted video streams from Eufy cameras.

Source: 9to5mac