Eufy Home Security Cameras Caught Uploading Footage to the Cloud
Writing in the context of home security cameras from Anker’s Eufy brand, Sean Hollister of The Verge notes:
Eufy’s commitment to privacy is remarkable: it promises your data will be stored locally, that it “never leaves the safety of your home,” that its footage only gets transmitted with “end-to-end” military-grade encryption, and that it will only send that footage “straight to your phone.”
So you can imagine our surprise to learn you can stream video from a Eufy camera, from the other side of the country, with no encryption at all.
Anker’s denial that its security cameras make their footage available via the Internet in unencrypted form is just the start of this twisted tale of security ineptitude. In “Wyze Labs Discontinues First-Generation Security Camera” (1 February 2022), Josh Centers briefly recommended the Eufy Security Solo camera because it’s HomeKit-compatible—we can hope that HomeKit prevents such unauthorized access. I’d be hesitant to use any Eufy device that records personal information until Anker fixes the problems and independent security researchers confirm that data isn’t being exposed.
I’m still interested in HomeKit-enabled security cameras, but now I’m far less interested in Eufy.
This seems to be a problem with HomeKit. If I buy a product because it has gone through the process to be HomeKit compatible, I would have thought that something like this would not be possible. Am I wrong, or what does HomeKit provide?
I don’t think it’s HomeKit, which offers something called HomeKit secure video: Set up HomeKit Secure Video on all your devices - Apple Support
I know I have an old Logitech circle camera that’s HomeKit compatible and could be converted to HomeKit secure video, but also allows you to access via Logitech’s website if you don’t convert it. (I haven’t converted myself because I like Logitech’s site and because I have another circle camera that can’t be HomeKit, so I can see both cameras in one place by not converting the other one.)
I’d say this is on Eufy.
I have Eufy cameras that are set up through HomeKit, but require the initial setup and firmware updates through the Eufy app. I then sign out of the Eufy app and control it through HomeKit. If the exploits are able to happen at that time (I am not clear from what I have read if they are or not) then it would be on the HomeKit front that should be making it secure. I will wait until more information becomes available about this.
My feeling is that if the video is managed by HomeKit Secure Video, it will be fine. Apple’s not perfect, but it doesn’t make mistakes like allowing video to be accessed using VNC.
The question is if whatever Eufy is doing exists in parallel to HomeKit Secure Video.
For more on HomeKit Secure Video, see:
Eufy makes several cameras and not all of them are HomeKit compatible, in fact their newest cameras are not and I don’t think they have plans to make them so. I could be wrong, but I don’t think any of the cameras in question were HomeKit.
I think there is a big hole in HomeKit Secure Video that may be relevant to this discussion. I just bought a Eufy Indoor Pan & Tilt camera because it is advertised as HomeKit Secure Video compatible. However, it turns out that the camera cannot be set up directly in the Home app – you have to use Eufy’s app and create a Eufy account first. Once the camera is set up this way, you can add it to HomeKit. But here’s the catch: You cannot stop the camera from continuing to live-stream to Eufy’s servers! HomeKit compatibility requires that the 3rd-party cloud storage be disabled, but apparently not live streaming. I tried everything suggested by Eufy’s customer support but no matter what I did the live stream was still viewable in my Eufy web portal (which I assume then exposes it to the security flaw that the original story is about). The only way to stop the live stream was to either remove the camera from the Eufy app, or delete my account. Either of those actions removes the camera from HomeKit, making it totally non-functional.
I’m pretty annoyed at Eufy/Anker but I’m more surprised that Apple allows this. I don’t think products should be allowed to claim HKSV compatibility unless they can be set up directly in the Home app or in some other way prevented from live-streaming outside the HomeKit ecosystem.
Aha! Thanks for confirming this, since it does imply that HomeKit Secure Video is not sufficient with a Eufy camera.
So in that case, I can’t recommend that anyone continue using a Eufy camera if the live stream could be considered in any way sensitive.
To be more precise (and fair to Eufy), I think there may be some Eufy cameras that don’t have this HomeKit problem. My camera was a “Security Solo IndoorCam P24, 2K, Pan & Tilt.” When I asked support if there were cameras that did not require a Eufy account, they said this:
So from what I can glean, if a Eufy camera uses the Eufy HomeBase hardware and is HomeKit compatible, it may not have this problem. My camera was advertised as “HomeBase not compatible”, meaning it does not use Eufy’s HomeBase hardware. I think these are the Eufy cameras that cannot be used without a Eufy account, which is what exposes the live stream outside HomeKit.
It’s all pretty confusing so I’m not completely sure of any of the above. I think this is really on Apple for not requiring 3rd-party streams to be shut off when a camera is used with HomeKit (as they do for 3rd-party cloud storage). I mean, the streaming is bad enough, but I assume that if someone accessed the stream they could also record it.
Clear as mud. :-) OK, let’s see if anyone with one of the explicitly supported models chimes in.
I have the HomeBase 2 and 2C cam. A recent update to the Eufy Security app (version 4.5.2) read:
What’s New
My cam is on front porch traffic. While I’m not too concerned about the security issue, if I had indoor cams, it would be a different story.
I have the same version of the Eufy Security app (4.5.2). In the notification settings for any camera connected (whether or not it is recording to the Eufy Homebase or recording to HKSV), under the camera settings there are “Notification” options. One of the options here is “Content extension of notification” and your choices include - (1) Most Efficient - get notifications without delay, only text included. OR (2) Full Effect - Get text notification first, then thumbnail included if available. Note: In this mode, footage preview thumbnails will be temporarily stored in the cloud to deliver a better event experience for event notifications. OR (3) Include thumbnail - Get full notification included text and thumbnail (if available). Note: In this mode, footage preview thumbnails will be temporarily stored in the cloud to deliver a better event experience for event notifications.
Based on this statement, do I assume no upload takes place if I select option 1 - text only?
Eufy has now deleted its privacy promises. Talk about doubling down!
To bring a little levity to the situation, I asked ChatGPT for a limerick and got this:
Interestingly, when I asked ChatGPT to regenerate its response, it demurred:
Hmmm, seems nobody taught ChatGPT the actual rules for a limerick. (Syllables for each line, etc., not to mention trying to rhyme Anker with blunder/plunder.)
Nor is it vaguely naughty. :-)
I’m trying to figure out how to get the word “wanker” into this, as it seems somewhat appropriate.
I poked them and they replied with this (somewhat long) response. I copy it here for completeness and in hope that it will be useful.
Eufy has finally come clean to The Verge. It sounds like the public pressure had the desired effect, however belatedly.
Thanks to everyone here for the lively and helpful discussion. Two weeks ago I decided it was time to install a couple of cameras outside the house (if only as a deterrent by their mere existence). I didn’t love the idea of paying for yet another subscription to store and access recording data… and wisely visited TidBITS Talk to see what you all have to say about HomeKit-supported security cameras.
I stumbled upon this thread and read it with great interest. After devouring it, and more information on the internet, and seeing the excellent results of everyone’s hard work on the data issue, I ended up with a Eufy 2C system – the base station and two cameras. I am an Apple One customer and was delighted to see that my subscription supports storage for multiple cameras. It seems that Apple has increased the number of cameras for which recordings can be saved since some of you posted above:
The number of HomeKit Secure Video cameras you can add to Home depends on your iCloud+ plan.
Setup of the base station and cameras was easy… very easy. The system works well – the Eufy app plays nicely with the Home app, and I had only two problems, one of Apple’s making, and one entirely of my own making.
Sharing the Home – After it was all set up I wanted to share access to the cameras with my wife, to her iCloud account. It did not work. Eventually I had a call with Apple Support (several in succession, actually, but that’s another story). It turns out – according to the Apple Support person who actually knew what to do – that there have been problems with the Home app and with sharing one’s “home” in the app. Apparently the problems are so bad that Apple isn’t allowing the app to be updated (this makes no sense to me, but that’s what she said). We went through a variety of steps, including logging out and in (and out and in) of iCloud on both of our phones, which takes a while. But in the end it worked well – it works well. It kind of feels a bit magical, even. So while not a great experience… a great result.
Mounting the cameras – I wanted to mount the cameras without drilling holes. Naturally this means use of some sorts of miracle 3M double-faced wondertape. One camera stuck nicely – to a smooth metal surface. The second camera – not great on a relatively smooth, but not entirely smooth, concrete (stucco?) surface. It took three tries with three types of 3M double-faced wondertape. It seems that Try #3 has (if you’ll pardon the pun) stuck. Fingers crossed.
Thank you again for the great discussion. Once again TidBITS Talk saves the day.
Jeff