It’s pretty weak to compare what you linked to to this. In the situation you refer to, it wasn’t even apple‘s code that had the problem.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major Privacy Breach as Eufy Security Camera Owners Report Seeing Other Users' Video Feeds
- Thread starter MacRumors
- Start date
- Sort by reaction score
It’s pretty weak to compare what you linked to to this. In the situation you refer to, it wasn’t even apple‘s code that had the problem.
Can someone advise if there is a HomeKit-only mode? Even though you set up for HSV, couldn't the Eufy app still access the feed?
I almost bought one of these! I was at Best Buy and was ready to buy a camera when I learned it needed a "base station" too and I didn't want to buy into a whole "system" just for one camera.
Guess I'm glad I didn't!
Guess I'm glad I didn't!
This is irrelevant with Eufy cameras though right ?
You can't setup these cameras without a Eufy account...
I use HomeKit but it still needs a Eufy account to access the camera.
Sure you can just delete the eufy app from your phone but that will do nothing if live feeds have crossed between users.
Even with my HomeKit cameras, the same cameras can be access with eufy app.
You can't "block" the eufy app from accessing the cameras.
It's a stupid thing - i wish they could be setup purely from Appe Home app, no need or use with eufy app
I'm surprised they were able to receive the Homekit certification from Apple if they require additional apps.
For example, when I got my Hue lights, I was able to set them up in HomeKit without installing any other apps.
Wow, more reasons I'm glad I didn't buy into this crap. Why does no one just make excellent products that work?
HomeKit cert is just required for the HomeKit integration. So those Apple Home streams are safe, like the article says.
But the Eufy app runs in parallel. Nobody is able to setup HomeKit on these devices without first setting up with Eufy app.
Deleting the eufy app from your own phone wouldn't have prevented someone overseas still randomly seeing your feed.
As someone else said, this isn't an account hacking - this is some cross feeding at Eufy end.
Crazy.
Their sales would be just as great if they just allowed people to setup with HomeKit alone - for some reason, they want to force people to use their app.
Hoping this event changes things... i hope a firmware update is released that completely disconnects the need for a Eufy app setup when using HomeKit.
Just to make it clearer in case people don't know.
Right now on my Macbook i have Apple Home viewing a live Eufy camera stream. Setup with HomeKit with iCLoud storage etc.
And at the same time, right now, i have the Eufy app open on the same camera at the same time watching the same thing....
I would imagine it was possible with todays breach for someone else to view the same camera of mine, whether i had the eufy app on my phone or had deleted it.
Right now on my Macbook i have Apple Home viewing a live Eufy camera stream. Setup with HomeKit with iCLoud storage etc.
And at the same time, right now, i have the Eufy app open on the same camera at the same time watching the same thing....
I would imagine it was possible with todays breach for someone else to view the same camera of mine, whether i had the eufy app on my phone or had deleted it.
Sorry but that's an Apple-biased response. Bottom line, Apple f-ed up when the claim they review every app and code in great detail (their cut from the App Store remember- protect the users from fraud/scams).
"According to Ars Technica, the apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information." 2500 apps! Not 2, but 2500 downloaded a total of 203 million times by 128 million users in 2015.
Everyone makes mistakes was the point. Not that they were equivocal breaches.
Further the fact that Apple didnt disclose this to users is frankly shady. They basically said "meh f-it" by the story language from emails uncovered.
Last edited:
It was bad for apple to not tell users. But, again, it’s an entirely situation and it takes a very biased eye to say that one company completely ****ing up its code and its fundamental security architecture is equivalent to an app store distributing apps that had been hacked because third parties used hacked development tools.
If it was 1-2 apps sure. But 2500 apps, no.
Human error is still human error is the point here. Both are human error/oversight; no one is disputing totally different types of breaches.
But someone was supposed to review those apps. That is the WHOLE basis of the 30% cut Epic battle argument.
Everyone makes mistakes.
The grand point was I wish people held Apple to the same standards as these smaller companies. But it seems to be infallible trust for some reason; even after stories like those drop. Forgotten tomorrow. As if HKV/iCloud could not be tomorrow due to some human error too.
Yes definitely enable HomeKit secure video. However I’d also recommend getting a router that’s able to become a HomeKit secure router. This lets you lock down accessories (like cameras) so that the original company (Eufy) cannot see them. Otherwise it will show up in the app still, and in HomeKit.
Also, you can store it for up to 10 days. But the closest setting to “always record” for now is “record with any motion at all”. Other settings include if it sees specific things like a human, animal, car, etc.
You can set it up to use HomeKit Secure Video only or to stream through Eufy's servers and app as well.
Setting it up to use HomeKit only is obviously the most secure, and should avoid this problem. The HomeKit video definitely won't be available, however as long as the Eufy system still connects through Eufy's (Anker's) own cloud servers, there's still a possibility that it could be hacked.
The best way to avoid this is to block ALL outbound access from your Eufy HomeBase, so that it cannot connect to the internet at all. This can be done using a HomeKit Secure Router (Wi-Fi 5 versions of the Eero Pro or Linksys Velop), or really any router with basic parental controls just by "Blocking" or "Pausing" the internet for the Eufy HomeBase.
You'll see a red light on the front of the HomeBase when it's blocked, but it will otherwise work fine with HomeKit Secure Video, as this channels its streams through a Home Hub (Apple TV, HomePod, or iPad), so the HomeBase doesn't need direct access to the internet.
It’s impossible to review apps and find bad things when the apps that don’t do bad things until later.
What kind of improvements? I am thinking of buying a camera and I am between a HKSV and a Nest one
Yes. You need to specifically disable local streaming when HomeKit is enabled, in which case it will stream only through HomeKit Secure Video, using a Home Hub like an Apple TV, HomePod, or iPad.
Ideally, however, you should also block ALL outbound internet access from the Eufy HomeBase. Since HomeKit Secure Video runs through an Apple Home Hub, the Eufy HomeBase doesn't need direct internet access to stream to HomeKit. Blocking outbound access will prevent it from communicating with Eufy's servers at all — you'll see a red light on the front instead of the usual blue one, but everything should otherwise work just fine with HomeKit.
If you're using a HomeKit Secure Router (Eero Pro or Linksys Velop — only the Wi-Fi 5 versions for now) you can do this in the Home app by enabling "Restrict to Home" but you don't specifically need a HomeKit router to do this — you can use any router that lets you block or "pause" devices on your network.
You'll probably occasionally want to unblock it in order to check for firmware updates, but you can do that on an as-needed basis, and leave it blocked the rest of the time.
I’ve used basically all wifi cams on the market…2 weeks ago decided to stop paying Arlo and just finally go all in on NVR glad I did…no HSV…but get 24/7 recordings all local …all wifi cams on the market suck right now and HSV cams always crash, causing huge issues with homekit….go NVR trust me
Correct. The Eufy app is irrelevant in this case, as it's just a portal into Eufy/Anker's cloud servers.
However, when using HomeKit, you can turn off streaming/recording on the Eufy side in the Eufy app's HomeKit settings, in which case you'll see a message when opening the Eufy app and starting a stream that "Live stream has been disabled when HomeKit is enabled."
The best defence by far, however, is to enable HomeKit Secure Video and block outbound access from the HomeBase entirely. At this point, it's basically impossible for your Eufy system to communicate with the outside world directly. HomeKit Secure Video will still work as it goes securely through another device on your network — an Apple TV, HomePod, or iPad that you're using as a Home Hub.
This is not correct.
You need the Eufy app to setup them up, before you setup HomeKit Secure Video.
See this post of mine above: 40 minutes ago
It depends on which Eufy camera you bought, the eufycam2 and eufycam2 Pro (both outside battery operated cameras) donc require the eufy app to be set-up … I only used apple’s HomeKit App and I never downloaded or created an account in the eufy app.
Hmmm I don't see this option in the Eufy app.
Can you or anyone share screenshots of where this is in the Eufy app?