Apple’s HomeKit Secure Video Leverages iCloud Storage and Preserves Privacy

Originally published at: Apple’s HomeKit Secure Video Leverages iCloud Storage and Preserves Privacy - TidBITS

You can use a home security camera without sending its video stream off to cloud storage that’s accessible by the camera’s maker—or anyone who can log into the account. Apple’s HomeKit Secure Video works with existing iCloud subscriptions and numerous third-party cameras. Glenn Fleishman, author of “Take Control of Home Security Cameras,” looks at HomeKit Secure Video’s strengths and weaknesses.

1 Like

I have been hoping other camera makers would get into business of end-to-end encryption, since it’s the gold standard for all other forms of private communication, and video is awfully private. That makes the news that Amazon is offering end-to-end encryption for Ring video doorbells very welcome.

I am curious of what goes over the WAN. Obviously clips that are stored do. As is externally viewed video streams. What about video streams that are viewed on the same network? Do they go out and come back or stay local? Those of us with data caps would love to know! Does HomeKit Secure Video stay on the local network for local traffic?

This is a good question! I had to think about it a couple of different ways. My understanding is that local access to HomeKit devices is always local, including cameras. It doesn’t round-trip data to servers, because it wouldn’t be responsive over the LAN. However, 100% of everything stored, including clips, with both Apple and Amazon’s systems are retrieved in encrypted form from cloud-based storage. I don’t know how much metadata is exposed; ostensibly, there has to be some clip knowledge that’s local to retrieve the correct remote information, unless it’s tagged in a way that would be revelatory to third parties who could gain access.

Thanks Glenn, one of my desired uses of HomeKit Secure Video cameras is to have a security display. I currently have 4 IP cameras (very insecure video) being displayed on an iPad in my kitchen. I would like to replace them. The feed I get off the of 4 IP cameras is a local feed. I have a different feed, still insecure video, for viewing outside of the home. I can not find anything that says if I open the Home.app and display the camera “snaps” or even use a app like HomeCam for HomeKit, that I don’t bust my cable data cap.

This was a great, not good question, so I did the research to get a definitive answer. Apple offers an answer with a lot of crypto detail on a platform security page.

What I didn’t realize until now is that Apple considers HomeKit IP cameras as a category, and cameras that support HomeKit Secure Video as a sub-category:

  • HomeKit IP allows the live streaming over a local network of video from supported cameras
  • HomeKit Secure Video refers to the analysis of motion at the HomeKit hub against rules you set, and then the secure upload of data encrypted by the HomeKit hub to your iCloud storage, as well as downloading and replaying clips.

Here’s one salient bit: “IP cameras in HomeKit send video and audio streams directly to the iOS, iPadOS, and macOS device on the local network accessing the stream.”

Is it one or the other (cloud storage or local storage) but not both? I have a Eufycam 2 which offers local storage on it “homebase”. I can view video clips stored on this local storage but although I have set up HomeKit Secure Video, all I can view with HomeKit is live stream, no stored clips. Do I have to disable Eufy local storage before the HomeKit video becomes available?

I have that same set up. I have found that you need to sign out of the Eufy App so that complete control in through HomeKit only. The. Make sure your settings are such that it is recording when you think it is (whether you are home or not, or time of day). You may have to recreate some automations or settings as I have have some that did not respond after a HomeKit update.

I have since found that setting each camera to “stream and record” in both home and away disables any recording on Eufy homebase and on the indoor camera’s microSD card. Live stream still operates in the Eufy app but you can disable cloud uploads to Eufy of “footage preview thumbnails” by selecting text only notifications under the content extension options for Notifications.