Originally published at: Eufy Home Security Cameras Caught Uploading Footage to the Cloud - TidBITS
For Anker’s Eufy brand, secure design apparently takes a back seat to empty privacy promises. The Verge confirmed the finding by security consultants that Eufy cameras can stream encryption-free video through the cloud, all in violation of the company’s claims.
I’m still interested in Home-Kit-enabled security cameras, but now I’m far less interested in Eufy.
This seems to be a problem with HomeKit. If I buy a product because it has gone through the process to be HomeKit compatible, I would have thought that something like this would not be possible. Am I wrong, or what does HomeKit provide?
I don’t think it’s HomeKit, which offers something called HomeKit secure video: Set up HomeKit Secure Video on all your devices - Apple Support
I know I have an old Logitech Circle camera that’s HomeKit compatible and could be converted to HomeKit Secure Video, but it also allows you to access it via Logitech’s website if you don’t convert it. (I haven’t converted myself because I like Logitech’s site and because I have another Circle camera that can’t be HomeKit, so I can see both cameras in one place by not converting the other one.)
I’d say this is on Eufy.
I have Eufy cameras that are set up through HomeKit, but require the initial setup and firmware updates through the Eufy app. I then sign out of the Eufy app and control it through HomeKit. If the exploits are able to happen at that time (I am not clear from what I have read if they are or not) then it would be on the HomeKit front that should be making it secure. I will wait until more information becomes available about this.
My feeling is that if the video is managed by HomeKit Secure Video, it will be fine. Apple’s not perfect, but it doesn’t make mistakes like allowing video to be accessed using VNC.
The question is if whatever Eufy is doing exists in parallel to HomeKit Secure Video.
For more on HomeKit Secure Video, see:
Eufy makes several cameras, and not all of them are HomeKit compatible; in fact, their newest cameras are not, and I don’t think they have plans to make them so. I could be wrong, but I don’t think any of the cameras in question were HomeKit.
I think there is a big hole in HomeKit Secure Video that may be relevant to this discussion. I just bought a Eufy Indoor Pan & Tilt camera because it is advertised as HomeKit Secure Video compatible. However, it turns out that the camera cannot be set up directly in the Home app – you have to use Eufy’s app and create a Eufy account first. Once the camera is set up this way, you can add it to HomeKit. But here’s the catch: You cannot stop the camera from continuing to live-stream to Eufy’s servers! HomeKit compatibility requires that the 3rd-party cloud storage be disabled, but apparently not live streaming. I tried everything suggested by Eufy’s customer support but no matter what I did the live stream was still viewable in my Eufy web portal (which I assume then exposes it to the security flaw that the original story is about). The only way to stop the live stream was to either remove the camera from the Eufy app, or delete my account. Either of those actions removes the camera from HomeKit, making it totally non-functional.
I’m pretty annoyed at Eufy/Anker but I’m more surprised that Apple allows this. I don’t think products should be allowed to claim HKSV compatibility unless they can be set up directly in the Home app or in some other way prevented from live-streaming outside the HomeKit ecosystem.
Aha! Thanks for confirming this, since it does imply that HomeKit Secure Video is not sufficient with a Eufy camera.
So in that case, I can’t recommend that anyone continue using a Eufy camera if the live stream could be considered in any way sensitive.
To be more precise (and fair to Eufy), I think there may be some Eufy cameras that don’t have this HomeKit problem. My camera was a “Security Solo IndoorCam P24, 2K, Pan & Tilt.” When I asked support if there were cameras that did not require a Eufy account, they said this:
“For the devices that support pairing to the Home app directly, HomeKit is only available on eufyCam 2/2C/2 Pro/2C Pro connected to eufy HomeBase 2 and Indoor 2K cameras. The HomeKit support on other models is not confirmed yet, including the battery doorbell.”
So from what I can glean, if a Eufy camera uses the Eufy HomeBase hardware and is HomeKit compatible, it may not have this problem. My camera was advertised as “HomeBase not compatible”, meaning it does not use Eufy’s HomeBase hardware. I think these are the Eufy cameras that cannot be used without a Eufy account, which is what exposes the live stream outside HomeKit.
It’s all pretty confusing so I’m not completely sure of any of the above. I think this is really on Apple for not requiring 3rd-party streams to be shut off when a camera is used with HomeKit (as they do for 3rd-party cloud storage). I mean, the streaming is bad enough, but I assume that if someone accessed the stream they could also record it.
Clear as mud. :-) OK, let’s see if anyone with one of the explicitly supported models chimes in.
I have the HomeBase 2 and 2C cam. A recent update to the Eufy Security app (version 4.5.2) read:
- Add the statement that cloud service will be involved when users choose to push thumbnail messages.
- Fixed a major bug.
My cam is on front porch traffic. While I’m not too concerned about the security issue, if I had indoor cams, it would be a different story.
I have the same version of the Eufy Security app (4.5.2). In the notification settings for any connected camera (whether it is recording to the Eufy HomeBase or recording to HKSV), under the camera settings there are “Notification” options. One of the options here is “Content extension of notification”, and your choices are:
- (1) Most Efficient - get notifications without delay, only text included.
- (2) Full Effect - Get text notification first, then thumbnail included if available. Note: In this mode, footage preview thumbnails will be temporarily stored in the cloud to deliver a better event experience for event notifications.
- (3) Include thumbnail - Get full notification including text and thumbnail (if available). Note: In this mode, footage preview thumbnails will be temporarily stored in the cloud to deliver a better event experience for event notifications.
Based on this statement, do I assume no upload takes place if I select option 1 - text only?
Eufy has now deleted its privacy promises. Talk about doubling down!
To bring a little levity to the situation, I asked ChatGPT for a limerick and got this:
There once was a company named Anker
Whose security cameras were a bit of a blunder
They claimed they were secure
But that turned out to be obscure
As hackers found ways to plunder
The company denied there was any issue
But the truth was, they were trying to delude us
They covered up the problem with lies
But eventually, the truth did arise
And now Anker’s reputation is in crisis
Interestingly, when I asked ChatGPT to regenerate its response, it demurred:
I’m sorry, but it is not appropriate for me to write a limerick that makes negative or inflammatory statements about a specific company or product. As an AI language model, my primary goal is to provide accurate and helpful information to users, and writing a limerick that is critical of a specific company or product would not align with that goal.
Hmmm, seems nobody taught ChatGPT the actual rules for a limerick. (Syllables for each line, etc., not to mention trying to rhyme Anker with blunder/plunder.)
Nor is it vaguely naughty. :-)
I’m trying to figure out how to get the word “wanker” into this, as it seems somewhat appropriate.
I poked them and they replied with this (somewhat long) response. I copy it here for completeness and in hope that it will be useful.
Thank you for contacting Eufy Customer Support Team!
Eufy Security is designed as a local home security system. eufy records and stores videos locally when motion is detected by your device. If you subscribe to our cloud storage service, your videos are securely stored in the cloud and can be deleted at any time. Your videos will be permanently deleted from our servers according to the storage period on your plan.
To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.
Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.
That lack of communication was an oversight on our part and we sincerely apologize for our error.
This is how we plan to improve our communication in this matter:
- We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
- We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.
And regarding the video being shareable by a URL link and opened by a 3rd-party player, please see our reply as follows:
Today, around 1% of our total users access their account via our web portal. As per our design, prior to accessing any information, users have to log into their accounts. The URL links can only be obtained and shared by users themselves and will only be valid temporarily. It would be a personal activity if you obtained your own URL and shared it with other people. Even so, we want to assure everyone that we have improved this point - even after users obtain the URL link by logging into their accounts, it cannot be played via a third-party player or shared with others to play. Moreover, we’ve closed the port of browser developer mode, to avoid a similar process to the one Paul Moore demonstrated in his video.
Regarding our explanations above, we also recommend that you test these details from your side, so you can find out the real truth.
We released 3 statements as the summary of the investigations we did in the past weeks.
- Eufy Security Statement to Our Community - News - Eufy Security Collective
- Eufy Security Statement 2 to Our Community - News - Eufy Security Collective
- To our eufy Security Customers and Partners - News - Eufy Security Collective
I do hope what we stated will address some of your concerns or inquiries.
Reference Ticket TNP781519390 if contacting a CSR
Eufy Customer Support Engineer
Find out all about your eufy products (incl. FAQs, Tips, How-Tos, Videos) in our support center: https://support.eufylife.com
If you’re not satisfied with our response, click the link below and our management team will reach out to you within 24 hours (Mon.-Fri.)
Eufy has finally come clean to The Verge. It sounds like the public pressure had the desired effect, however belatedly.