Update: Anker provided a statement to MacRumors, explaining why the images are collected and how the issue will be addressed going forward.

eufy Security is designed as a local home security system. All video footage is stored locally and encrypted on the user's device. With regard to eufy Security’s facial recognition technology, this is all processed and stored locally on the user's device.

Our products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.

To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.

Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.

That lack of communication was an oversight on our part and we sincerely apologize for our error. This is how we plan to improve our communication in this matter:

1) We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.

2) We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.

eufy Security is committed to the privacy and protection of our users' data and appreciates the security research community reaching out to us to bring this to our attention.

On the update to this article:

Whether or not you accept this answer from Anker, it is much, much more than the kind of response we get when Apple gets caught, and Apple has been getting caught a lot recently. Usually Apple just gives us the silent middle finger, or have Craig give us a middle finger with a pretty ribbon tied around it in the form of some virtuous sounding non-answer.
 
Just checked eufy's response and they've admitted that they do briefly host the preview image on the amazon server but not the video footage, which is fine by me as I know all security cameras do that. As long as my videos are kept locally, I do not worry about it.
 
On the update to this article:

Whether or not you accept this answer from Anker, it is much, much more than the kind of response we get when Apple gets caught, and Apple has been getting caught a lot recently. Usually Apple just gives us the silent middle finger, or have Craig give us a middle finger with a pretty ribbon tied around it in the form of some virtuous sounding non-answer.
I absolutely agree with you.
 
There is also another issue that Moore has highlighted, suggesting Eufy camera streams can be watched live using an app like VLC, but little information on the exploit is available at this time. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.

I would say this is the more alarming part of the article. All Eufy cameras wide open to the internet to be exploited by anyone.
 
Block the IPs on your local firewall after you have brought them into HKSV. You'll still be able to view the feed in the Home app but the cameras won't be able to access the internet to send data.

Sounds good, in theory, but in this case, the device is using Amazon AWS servers for cloud connectivity. If you block all of the AWS servers worldwide, you stand a good chance of breaking many other things, including web sites you may find yourself accessing.
What? No. You only block the local IP of the cameras themselves. They don't need access to the internet ever.
 
There is absolutely no reason a smart camera needs to have a remote server except to either steal user data or to make an excuse for a monthly subscription fee. All of these functions could be done locally including facial recognition, notifications etc. They could set it up where you have remote access to your own device but they don't if they wanted to. This tech has been around for years and the fact you have to use their server is a scam.
 
Perhaps it's me, but I'm always a little puzzled why so many people get their underwear in a twist and get upset so much about privacy when it comes to a doorbell cam.

Unless you have a VERY odd house design, any doorbell will be fitted onto the front wall of your property looking out towards the front garden/street.

Now, if it was an indoor camera then sure, please get upset, but when a doorbell camera is facing AWAY from your home, and for 99.9999% of the time, you are behind the camera, why are you getting so upset about it?

You might be seen cutting your front lawn or washing your car in the driveway once a week? OMG shock horror.
 
There is absolutely no reason a smart camera needs to have a remote server except to either steal user data or to make an excuse for a monthly subscription fee. All of these functions could be done locally including facial recognition, notifications etc. They could set it up where you have remote access to your own device but they don't if they wanted to. This tech has been around for years and the fact you have to use their server is a scam.

So exactly how else is it meant to send you a notification with a thumbnail then?
 
On the update to this article:

Whether or not you accept this answer from Anker, it is much, much more than the kind of response we get when Apple gets caught, and Apple has been getting caught a lot recently. Usually Apple just gives us the silent middle finger, or have Craig give us a middle finger with a pretty ribbon tied around it in the form of some virtuous sounding non-answer.

That’s a proper response from a company, but it’s not cool to bash Apple despite their pure arrogance when it comes to apologising for anything. But then again Apple knows billions will still buy their products regardless.
 
I check my network regularly for rogue devices. Even though I have over 30 internet-aware devices now, I've never seen any of my Eufy cameras appear on my network; only the homebase and the outdoor floodlight cams. The others don't even have the wifi router's password, so how could they be storing thumbnails?

I will wait to see what Eufy/Anker say. I have almost a dozen outdoor cameras...in case I have to defend myself in court after defending my life and home, of course. The app has not yet been updated with their verbiage, so I just won't buy any of their indoor cams until I know more about this.
 
This is the latest fairly concerning development to involve Eufy.

First there was the huge outage that left users unable to view their cameras (kind of exposing the fallacy of their ‘local’ advertising for the average user).
This never happened to me.
Then there was the massive issue last year where unauthorised users were able to access others' cameras - I had someone from the other side of the country talking to me through my doorbell 😳.
That is messed up. But still hasn't happened to me.
I’m glad this broke just before the black Friday sales as I was going to pull the trigger on 4x Eufy cameras - went with another brand.
I did just buy 4 more Eufy cameras. Their equipment is STILL 100% better than Arlo, and no subscription fees, either.

Oh well, I'll just have to be careful while I wait to see what they do. I'm more confident that they'll fix this than I was after waiting 3 years for Arlo/Netgear to fix the issues with their cameras, so for now I'll wait.
 
So basically this Moore chap was after click bait hyperbole revenue, and it looks like it worked.
Love my Eufy system, does a good job. Tempted by their new AI system too.
I've got probably a couple thousand dollars invested in my Eufy cameras and floodlights. While I love my system too, I'm still going to monitor this situation. It's the only prudent thing to do.
 
Just checked eufy's response and they've admitted that they do briefly host the preview image on the amazon server but not the video footage, which is fine by me as I know all security cameras do that. As long as my videos are kept locally, I do not worry about it.
If this is the case, I won't worry about it either. Besides that, 75% of my security cam footage is of the neighborhood cats coming to call at all hours of the night. Each cat has his own time and day to cavort...it's almost as if they have made appointments and they don't overlap each other!

The other 25% is split between me pulling weeds, drinking a cup of coffee, or spiders and lizards doing sexy belly dances in front of my cams. I swear, I have to walk around the house Saturday and Sunday mornings with a swiffer to knock down the webs and chase all of the dancing critters away! The bar's closed, people; you don't have to put your clothes on and you don't have to go home, but you can't stay here! ;)
 
I've got probably a couple thousand dollars invested in my Eufy cameras and floodlights. While I love my system too, I'm still going to monitor this situation. It's the only prudent thing to do.

I really wouldn’t be so concerned about it, all the video is stored locally as they say, they aren’t going to store anything without you paying them! As they said all they do, as they will need to, is store a thumbnail in the cloud so they can send you it as an alert.
My system records the opposite neighbour leaving or arriving home from work sometimes, the paper boy and deliveries and the Post Man, cats and spiders crawling across them lol. But I wouldn’t be without the system. I’m very tempted to give its new system a try to see if it really does reduce the false recordings it gives.
 
I own several video doorbells from another manufacturer. The manufacturer does not even offer a cloud storage based recurring extortion fee, only local SD card storage. What they do offer is free remote notifications, ability to remotely answer the doorbell, and remote access to live feeds and locally stored recordings.

This is all possible because the doorbell and mobile app make a P2P connection to their servers, thus eliminating the need to punch a hole (port forward) in your firewall. It just works automagically. In support of remote access they also send thumbnails of any motion events, recording, and doorbell presses. It’s just how it works!

My video doorbells and cameras also support authenticated RTSP video streaming, which can be accessed using VLC and third party IP camera applications, and NVRs. It’s not a vulnerability, it’s how all consumer and enterprise video cameras work.

I suspect every manufacturer of consumer video doorbells or video cameras that offers remote notifications and access works the same way. Seems like this “researcher” is just looking for some publicity or $, and needs to find a new hobby.
 

Yep. Un-authenticated RTSP access. That would be a security vulnerability. Don’t port forward your Eufy cameras and make sure you disable UPnP in your firewall. The fact that authenticated RTSP access was not implemented in their cameras from the start speaks volumes.

 
Is there any video-enabled home security system that you can actually trust these days?

Unless you can build your own setup entirely from scratch using Raspberry Pis or old PCs with cheap webcams, there just doesn't seem to be any product that doesn't feel it necessary to monetize your home security footage in some fashion. And even building your own still depends on a fair amount of technical knowledge, and if you want things like pan/tilt and AI recognition and alerts, you need even more technical skill.

Amazon bought Ring and basically destroyed their trust. Now Eufy/Anker is caught monetizing and screwing around with customer data (oh, sorry, we forgot to communicate that... we promise we'll add a blurb to the 40 page long ToS for CYA purposes...). "Open" devices from Chinese brands like Foscam have had many security weaknesses. Is there literally no option that doesn't suck other than going through all the effort to build it yourself?
 
I literally just installed Eufycam 3s at my house. I was previously a Google nest cam house, but I don't want to invest in their ecosystem due to their love of killing off products (they killed their security system). Eufy ticked all the boxes for me, mainly with no monthly fee and built in solar.

I'm definitely annoyed/concerned about this, especially the unsecured feeds. That said, my cams are only installed outside my home in a space where I really don't have an expectation of privacy. So I'm not returning them... but I will be following the story closely. I sure as **** won't be buying any of their cams for indoors.

Got these cameras due to a recent rash of break-ins in my neighborhood. My current setup is a mishmash of ecosystems:
  • 3 Eufycam 3s Monitoring parts of my house that get sunlight (due to the solar/battery nature of them)
  • 2 Nest cameras for backyard and front of house
  • 1 Nest doorbell cam
  • 1 Wyze cam 3 for the way back of the yard (originally got this to watch a 3D printer, but have since gotten an octoprint setup)
  • 2 OG Wyze cams in laundry room that are only plugged in when we have to leave the house and leave the dog there.
 


Anker's popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local-only storage settings are turned on. The information comes from security consultant Paul Moore, who last week published a video outlining the issue.


According to Moore, he purchased a Eufy Doorbell Dual, which was meant to store video recordings on the device itself. He found that Eufy is uploading thumbnail images of faces and user information to its cloud service even when cloud functionality is not enabled.


Moore demonstrates the unauthorized cloud uploading by allowing his camera to capture his image and turning off the Eufy HomeBase. The website is still able to access the content through cloud integration, though he had not signed up for cloud service, and it remains accessible even when the footage is removed from the Eufy app. It's important to note that Eufy does not appear to be automatically uploading full streaming video to the cloud, but rather taking captures of the video as thumbnails.

The thumbnails are used in the Eufy app to activate streaming video from the Eufy base station, allowing Eufy users to watch their videos when away from home, as well as for sending rich notifications. The problem is the thumbnails are uploaded to the cloud automatically even when the cloud functionality is not active, and Eufy also seems to be using facial recognition on the uploads. Some users have taken issue with the unauthorized cloud uploads because Eufy advertises local-only service and has been popular among those who want a more private camera solution. "No Clouds or Costs," reads the Eufy website.

Moore suggests that Eufy is also able to link facial recognition data collected from two separate cameras and two separate apps to users, all without camera owners being aware.

Other Eufy users responded to Moore's tweet and saw the same thing happening, and there is also a dedicated Reddit thread on the subject. Moore tested the Eufy doorbell camera, but this also appears to be how other Eufy cameras function. As Moore demonstrates, the images can be accessed with simple URLs after logging in, which is a potential security risk for those concerned. Eufy did remove the background call that reveals the stored images after Moore's tweet, but did not remove the footage.

Moore received a response from Eufy in which Eufy confirmed that it is uploading event lists and thumbnails to AWS, but said the data is not able to "leak to the public" because the URL is restricted, time limited, and requires account login.

There is also another issue that Moore has highlighted, suggesting Eufy camera streams can be watched live using an app like VLC, but little information on the exploit is available at this time. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.


We've contacted Anker for additional comment on the Eufy issue and will update this article if we hear back. Moore said that he has been in touch with Eufy's legal department and will give them time to "investigate and take appropriate action" before he comments further.

Update: Anker provided a statement to MacRumors, explaining why the images are collected and how the issue will be addressed going forward.

Article Link: Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent [Updated]
I would never buy one of these.
 
I literally just installed Eufycam 3s at my house. I was previously a Google nest cam house, but I don't want to invest in their ecosystem due to their love of killing off products (they killed their security system). Eufy ticked all the boxes for me, mainly with no monthly fee and built in solar.
Eufy ticks all the boxes for me too and no monthly fee was a requirement for me; not just a nice-to-have. I'm thinking of buying the solar panels for several of the harder-to-reach cams around my place. One spot, under an overhang, might not do anything to actually CHARGE the battery, but I'm thinking that a partial charge each day might extend the battery life from 2 months to 3 or 4. I would consider that one a big win.
I'm definitely annoyed/concerned about this, especially the unsecured feeds. That said, my cams are only installed outside my home in a space where I really don't have an expectation of privacy. So I'm not returning them... but I will be following the story closely. I sure as **** won't be buying any of their cams for indoors.
We do need to consider "expectation of privacy"; for sure. And even though I could carry a low-volume conversation around the outside of my home, two things already remove the expectation of privacy for me outside: The closeness of the neighbors' homes and the presence of the Eufy cams themselves. Not the cams so much, but the microphones that each one has. This is always on my mind, and so I already DON'T have an expectation of privacy in the vicinity of any of my cameras.

If anything, I might need to have signage warning visitors and trespassers that audio recording is being done in addition to the video recording already noted by the current signs. Yeah, audio recording was another point in favor of Eufy when I was thinking about dumping Arlo during Covid in 2020.

I would never buy one of these.
If you don't need cameras, fine. But if you do, it's actually one of the best systems you can buy. And the others above are correct. Thumbnail storage on AWS is not really a big deal, although I will continue to monitor this while I hold off on buying any indoor cameras from Eufy.
 
I have given up on HomeKit cameras, and almost on HomeKit completely. They've had a while to work this stuff out and are dragging their feet. I'm looking at the UniFi stuff now.
The issue here is not with HomeKit. In fact, if this was a HomeKit-only camera, this wouldn't be an issue.

Eufy cameras have to be first connected to the Eufy app and registered with a Eufy account. That's where the problem is - Eufy is sending thumbnail images to a server to be used for previews in push notifications. If this were a camera that could be added directly to HomeKit (and support HomeKit Secure Video) then this wouldn't be a problem. So if anything, it's a reason that you should double down on HomeKit exclusive cameras.
 