Anker’s Eufy security cameras apparently upload content to the cloud and allow streaming

Accusations about Eufy security cameras have come to light in recent days. The first is related to data from cameras being sent to the cloud, even when local-only storage settings are turned on, and cloud storage is disabled. The second relates to how it’s possible to stream camera footage using VLC media player. This is all despite the fact the company seems to pride itself on its privacy commitments, claiming to use local storage only and have end-to-end encryption implemented for all its products.

However, recent revelations suggest this is not the case. 

The cloud storage issue first came to light when security expert Paul Moore uploaded a video to YouTube demonstrating how Eufy uploads thumbnails of faces and user information to the cloud when cloud functionality is turned off. Using the Eufy Doorbell Dual he purchased, he showed how the cloud uploading occurred by switching off Eufy HomeBase while allowing the camera to record an image of him. He discovered that the website can still access this information through the cloud, despite the fact he hadn’t signed up for it. In the video, Moore also suggests that Eufy could potentially link facial recognition data collected from cameras to its users, unbeknownst to them.

According to MacRumors, Eufy responded to Moore’s video, confirming that it does upload event lists and thumbnails to AWS, but maintaining that this isn’t a security issue because the URL to the content is restricted, time-limited, and requires account login, so the information can’t be leaked to the public.

However, controversy mounted further when Moore revealed a few days later that it’s possible to remotely start a stream and watch Eufy cameras live using VLC, with no authentication and no encryption needed. Following this revelation, The Verge reached out to Eufy and asked whether this was possible. Although the company denied that it is, The Verge carried out its own tests on two Eufy cameras and found that it was possible to watch live footage on both cameras from across the United States using VLC. It also found a potential issue with the cameras’ serial numbers being linked to the addresses of camera feeds, which bad actors could easily access using a simple online calculator.

The “good news” is that there’s no evidence that bad actors have yet exploited these vulnerabilities. Still, it is concerning that this is possible, particularly when the company behind the products claims to prioritize privacy. Poor security is, unfortunately, a continual problem when it comes to IoT products and smart home devices, so it pays to be wary if you’re thinking of investing in one, and to always implement your own security measures after setup.
