This uploading of data to the cloud, without consent, is intentional. It is how you are able to consume the app and data in the camera. Ring and Blink operate in the exact same way as do Amcrest and Arlo. I use Ring because I pay for the security service on the exterior of my home. Inside, I use Foscam or Reolink because they do not require the cloud to access local data. Buyer beware. Anything that provides "advanced recognition" is probably doing it on a server somewhere unless you know for a fact that the server is in your home because you built it.
 
This is the latest fairly concerning development to involve Eufy.

First there was the huge outage that left users unable to view their cameras (kind of exposing the fallacy of their ‘local’ advertising for the average user). Then there was the massive issue last year where unauthorised users were able to access others' cameras - I had someone from the other side of the country talking to me through my doorbell 😳.

I’m glad this broke just before the Black Friday sales as I was going to pull the trigger on 4x Eufy cameras - went with another brand.
 
I was already calling it a shady test because he left himself logged in for each event. When he logged out in the video, he had already triggered another event. So from a "test your theory" perspective it was pretty lazy. However, in the response from the MFG, it makes total sense. If you have push notifications with preview turned on, then it pushes that data temporarily to the cloud for the notification. He never demonstrated access to video, he never demonstrated access to images on events when fully logged out of the online portal. Does that mean people shouldn't keep poking and prodding? Keep doing it! But this is sort of a "nothing to see here" type of situation.

Now from a follow-on perspective of being able to live stream the camera, maybe some traction there if someone gains local access to your home network. But then, I would assume that there is a lot of damage they are going to do aside from just streaming your camera.
 
I have given up on HomeKit cameras, and almost on HomeKit completely. They've had a while to work this stuff out and are dragging their feet. I'm looking at the UniFi stuff now.
 
No! They... misuse and abuse their own system to illicitly film? Can't be. Sounds like some kind of Alex Jones nonsense.
 
That’s not true. Notifications are excellent through HomeKit by movement, discerning pets from persons perfectly.

It is true that features are disabled. It tells you so when you enable the feature. You might not care about what it disables, but it does turn on features and not all of them exist in HomeKit.

On top of that, the HomeKit has to rely on video analysis for movement and detection and it is sub-par compared to what I get out of the camera on-board processing. I finally took my outdoor cameras out of HomeKit because it wasn't reliable enough.
 
I'm getting freaking tired of local hardware depending on "the cloud" for parts of its functionality; hell it wasn't until recently that Siri could recognize your voice without needing to talk to Apple's servers.

We live in an age where CPU power and memory is cheaper than ever. Just do stuff locally damnit. Storing security video in the cloud makes sense but do it securely and don't do sneaky things like facial recognition offsite without telling the user.

Not sure if you saw the update, but they do it locally and what is sent to the cloud is for Push notifications. Also, not sure if you saw the video, but the "testing" was super sketchy and when he did the "test" he messed up in the video itself and proved really nothing. Not saying there might not be something to uncover, but his method was flawed.
 
Is there a way to get Eufy stuff in HomeKit though? I tried with Scrypted and found nada.
Only certain devices can. But to be honest HomeKit's camera implementation is woefully lacking and quickly drains any wireless solution. Eufy's app is way better than using HomeKit.
 


Anker's popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local-only storage settings are turned on. The information comes from security consultant Paul Moore, who last week published a video outlining the issue.


According to Moore, he purchased a Eufy Doorbell Dual, which was meant to be a device that stored video recordings on-device. He found that Eufy is uploading thumbnail images of faces and user information to its cloud service when cloud functionality is not enabled.


Moore demonstrates the unauthorized cloud uploading by allowing his camera to capture his image and turning off the Eufy HomeBase. The website is still able to access the content through cloud integration, though he had not signed up for cloud service, and it remains accessible even when the footage is removed from the Eufy app. It's important to note that Eufy does not appear to be automatically uploading full streaming video to the cloud, but rather taking captures of the video as thumbnails.

The thumbnails are used in the Eufy app to activate streaming video from the Eufy base station, allowing Eufy users to watch their videos when away from home, as well as for sending rich notifications. The problem is the thumbnails are uploaded to the cloud automatically even when the cloud functionality is not active, and Eufy also seems to be using facial recognition on the uploads. Some users have taken issue with the unauthorized cloud uploads because Eufy advertises local-only service and has been popular among those who want a more private camera solution. "No Clouds or Costs," reads the Eufy website.

Moore suggests that Eufy is also able to link facial recognition data collected from two separate cameras and two separate apps to users, all without camera owners being aware.

Other Eufy users responded to Moore's tweet and saw the same thing happening, and there is also a dedicated Reddit thread on the subject. Moore tested the Eufy doorbell camera, but this also appears to be how other Eufy cameras function. As Moore demonstrates, the images can be accessed with simple URLs after logging in, which is a potential security risk for those concerned. Eufy did remove the background call that reveals the stored images after Moore's tweet, but did not remove the footage.

Moore received a response from Eufy in which Eufy confirmed that it is uploading event lists and thumbnails to AWS, but said the data is not able to "leak to the public" because the URL is restricted, time limited, and requires account login.

There is also another issue that Moore has highlighted, suggesting Eufy camera streams can be watched live using an app like VLC, but little information on the exploit is available at this time. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.


We've contacted Anker for additional comment on the Eufy issue and will update this article if we hear back. Moore said that he has been in touch with Eufy's legal department and will give them time to "investigate and take appropriate action" before he comments further.

Update: Anker provided a statement to MacRumors, explaining why the images are collected and how the issue will be addressed going forward.

Article Link: Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent [Updated]
SECURITY RESEARCHER WARNS… IF YOU SET IT UP TO USE A THUMBNAIL IT WILL USE A THUMBNAIL! Just as you asked. And, if you didn’t know that “thumbnail” meant “picture”, then they’re updating the text to make it clear.

I’m sure a few people turned it on and were wondering why they were getting face pictures and not… you know, pictures of the nails on people’s thumbs.
 
If the security researcher is on social media, please be aware that their EVERY post is geared towards driving attention to themselves. Such that, even benign security issues are blown WAY out of proportion.

Because, if they told the truth without sensationalizing, everyone would just go, “oh” and wouldn’t re-communicate it to others. The first, most valid response to all of the ones on social media is, “Oh, I bet it’s really no big deal.”
 
That's super sketchy and their response is even worse. It's basically a non-statement where they don't really answer anything about what's going on in this video.

What do you mean by this? The "test" shown in the article was horrible and wasn't done correctly. He doesn't even bother to log out until AFTER he triggers another event. Just complete rubbish of a test procedure. The response by the MFG shows directly what the "issue" is and how to stop it.
 
That's super sketchy and their response is even worse. It's basically a non-statement where they don't really answer anything about what's going on in this video.

How is this hard to understand? How does this response not explain what's going on?


eufy Security is designed as a local home security system. All video footage is stored locally and encrypted on the user's device. With regard to eufy Security’s facial recognition technology, this is all processed and stored locally on the user's device.

Our products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.

To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.

Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.

That lack of communication was an oversight on our part and we sincerely apologize for our error. This is how we plan to improve our communication in this matter:

1) We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

2) We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.

eufy Security is committed to the privacy and protection of our users' data and appreciates the security research community reaching out to us to bring this to our attention.
 