Here's Why You Want To Stay Away From Eufy Security Cameras

The past few years have witnessed the emergence of Eufy as a trusted name in the smart home and wireless security systems space. Eufy's wide product range spans several categories, from robotic vacuum cleaners and smart digital scales to pet monitoring devices and home alarm kits. One of the most important product categories for Eufy, however, is its lineup of security camera systems. Eufy has long marketed these products as devices that only stored customer data (including video footage and pictures) on local servers. These claims became a major reason for the massive rise in the popularity of Eufy's security cameras. Reassured that video footage recorded using Eufy cameras never leaves their local servers, consumers were also happy about the lack of a monthly subscription fee usually associated with cloud-based security camera systems.

However, following an investigation conducted by U.K.-based security researcher Paul Moore, Eufy's claims about being a completely "cloud-free" security camera system are being called into question (via MacRumors). Moore has also claimed to have unearthed several security flaws in Eufy's cameras while also alleging that the company sends images and facial recognition data to third-party servers in the Cloud, all without explicit user consent. The most startling revelation from Moore, however, centers around Eufy's live feed feature, which can supposedly be accessed without needing any form of authentication.

Independent analyses by publications like The Verge and Ars Technica have indicated that there are some merits to Moore's claims. However, there have also been counterclaims that somewhat defend Eufy's position — albeit not entirely.

Eufy security flaw: How was it detected?

Things began towards the end of November 2022 after Moore, who had been testing Eufy's Doorbell Dual Camera system for a while, noticed something amiss with a security camera he purchased. Moore said his security cameras that supposedly had nothing to do with the Cloud — and stored all information locally — were actually uploading some data to Eufy's AWS (Amazon Web Services) cloud servers in complete contrast to Eufy's claims.

Moore posted a series of tweets on November 21, 2022, asking Eufy about how its camera system sent facial recognition data to its servers. Shortly thereafter, another Twitter user made a startling revelation. He claimed that accessing the live feed from a Eufy camera was possible without any form of authentication — by simply using VLC player. The Verge was able to independently verify this claim.

In both these cases, it is pertinent to note that they could only access their own camera streams. While it is still theoretically possible for hackers to use brute force techniques to generate a direct link to a stream, there has not been a recorded instance of this happening. Additionally, the user must first log in to Eufy's web interface to generate the live stream link. Still, these points did not wholly explain why Eufy was storing facial recognition data on its servers in the first place, given that Eufy made claims about its cameras having nothing to do with the Cloud.

Who's telling the truth here?

While there is no denying that Eufy misled its customers by harping on the claim that its security cameras were completely disconnected from the Cloud, there is more to the story than that. Following Moore's revelations, a YouTuber named The Hook Up, who makes content around smart home gadgets and security camera systems, made a separate video explaining what may have actually happened. The key takeaway from his video was that many of Eufy's features needed access to the Cloud to function. Eufy's mistake was not explicitly stating these facts in its promotional and marketing materials.

Take the case of Eufy's facial recognition feature, which needs to be configured using Eufy's app on a smartphone. For this feature to work, Eufy needed to match a detected face to that of a person already in its database. These images also let Eufy provide users push notification messages when the camera detects a face. And to do that, the thumbnail needed to be uploaded to cloud servers. As mentioned earlier, Eufy failed to reveal these aspects of its features explicitly to its customers. Moore also claimed that many of these stored thumbnail images were accessible even after they were deleted from the phone. In response, The Hook Up claimed that these images were automatically deleted from the cloud servers within 24 hours.

Eufy's official response to the claims made by Moore and subsequent findings by The Verge has been less than satisfactory. Since Moore's revelations, some have ceased using Eufy security cameras, with a few even destroying the camera hardware. Several notable YouTubers, including Linus Tech Tips, have dropped sponsorship deals from Anker, Eufy's parent company, following this incident.