Security is one of the huge failings of IoT devices. From Alexa to Google Nest, major privacy breaches have been reported over the years.
 
The best defence by far, however, is to enable HomeKit Secure Video and block outbound access from the HomeBase entirely.

By HomeBase you mean the Eufy product?

What would you recommend for those that don't use HomeBase, i.e. only using cameras and Apple TV as hub.

Blocking outbound traffic from router? I use an Asus router.
 
This is not correct.

You need the Eufy app to set them up, before you set up HomeKit Secure Video.

See this post of mine above: 40 minutes ago
I think you're misunderstanding what I said. Yes, you need to set them up using the Eufy app but once they're configured you can effectively abandon the Eufy app and use HomeKit Secure Video exclusively. This is true of many HomeKit accessories, which have traditionally relied on their own apps for things like firmware updates and some features that aren't natively supported in HomeKit (iOS 14 now allows for direct firmware updates, but I don't think very many vendors have yet bought into that, as they still have to make the firmware updates available in such a way that Apple's Home app can access them).

The point, however, is that once you have set everything up in the Eufy app, you can effectively block the Eufy app from viewing your streams in one of two ways:

The first is simply to turn OFF the options to "Stream on eufy app" and "Record and notify on eufy." This is in the Eufy app under the HomeKit Setup->HomeKit Security Video section of your HomeBase Settings. With these options off, you will not be able to view your Eufy cameras in the Eufy app. This means that your camera video is no longer streaming directly to Eufy's servers (I've specifically confirmed this myself by checking the network traffic from the Eufy HomeBase).

While this first option will prevent your video from being sent to Eufy's servers, it's not 100% secure, since the entire system is managed in the cloud. Hence, it's theoretically possible for this option to be switched back ON remotely. That's not what today's exploit is about, but it's still possible.

Hence, the second and much better option is to block ALL outbound Internet access from the Eufy HomeBase at your router. The Eufy HomeBase does not need to communicate to the internet to be able to stream video through HomeKit Secure Video, as those streams are sent across your LAN to an Apple TV, HomePod, or iPad that's acting as a Home Hub, which takes care of encrypting the video and then sending it up to iCloud.

If the HomeBase can't talk to the internet at all, then it can't really talk to the Eufy app, since that's entirely dependent on Eufy/Anker's cloud servers. You'll still see your Eufy devices in the app, as they're associated with your Eufy account, but they'll all show as offline — even when you're on the same Wi-Fi network — and you can't even configure anything in this mode. You'll need to temporarily unblock the HomeBase if you want to change any settings or check for firmware updates, but everything will still work fine with HomeKit Secure Video. I've been running my Eufy system in this mode ever since I got it last summer.
 
By HomeBase you mean the Eufy product?

What would you recommend for those that don't use HomeBase, i.e. only using cameras and Apple TV as hub.

Blocking outbound traffic from router? I use an Asus router.
In that case, you'd need to block outbound traffic from each of the cameras. Most modern Asus routers have a really handy "Block" option that you can find in the devices section of the Asus mobile app. It's in the web interface as well, but you'll have to dig a bit more for it there, so it's most easily accessed from the app.
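
One way to check that the router block described in the post above is holding, as an added example that is not part of the original thread: it filters flow records for the blocked device and reports any destination outside the LAN. The record format, addresses and ports are constructed for illustration, and treating multicast (such as mDNS) and link-local traffic as LAN-only is an assumption.

```python
import ipaddress

# Constructed flow records: "src dst proto dst_port". Not captured traffic.
SAMPLE_FLOWS = """\
192.168.1.50 192.168.1.20 tcp 51826
192.168.1.50 224.0.0.251 udp 5353
192.168.1.50 203.0.113.10 tcp 443
192.168.1.50 198.51.100.7 udp 32100
192.168.1.77 203.0.113.10 tcp 443
192.168.1.50 192.168.1.255 udp 6667
fe80::1c2d:3eff:fe4f:5a6b ff02::fb udp 5353
this line is malformed
"""

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_flows(text):
    """Yield (src, dst, proto, port) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                   parts[2].lower(), int(parts[3]))
        except ValueError:
            continue


def stays_on_lan(dst, lan_nets):
    """True if dst never crosses the router: LAN subnet, multicast, link-local, broadcast."""
    if dst.is_multicast or dst.is_link_local or dst == LIMITED_BROADCAST:
        return True
    return any(dst.version == net.version and dst in net for net in lan_nets)


def outbound_leaks(text, device_ips, lan_cidrs):
    """Return flows from the blocked devices whose destination is outside the LAN."""
    devices = {ipaddress.ip_address(ip) for ip in device_ips}
    lan_nets = [ipaddress.ip_network(c) for c in lan_cidrs]
    return [(str(src), str(dst), proto, port)
            for src, dst, proto, port in parse_flows(text)
            if src in devices and not stays_on_lan(dst, lan_nets)]


if __name__ == "__main__":
    # Assumed addressing: HomeBase at 192.168.1.50 on a 192.168.1.0/24 LAN.
    for flow in outbound_leaks(SAMPLE_FLOWS, ["192.168.1.50"], ["192.168.1.0/24"]):
        print("leaves LAN:", *flow)
```

An empty result for the blocked device, while LAN and multicast flows still appear in the input, is what a working block looks like.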
 
People not set up for Apple HomeKit deserve getting their privacy breached because they haven’t done their homework.

You either keep your data local with HomeKit or you accept your privacy being breached by having the feeds on the cloud.
There are plenty of examples why and of this actually occurring. I can recall seeing 2 movies this year alone that highlighted this!
I have both of the cameras shown and am now glad I did set up HomeKit Secure Video. HKSV needs some improvements but it’s nice knowing we should all be protected from stuff like this for the most part.
HKSV seems to be VERY appealing. I don't own a home security camera - but it's something I know I'll have implemented in HKSV.
No one deserves that.
While I agree nobody deserves this - it shouldn't be a non-thought to consider. It's like the law "ignorance of the law is not an excuse to not abide by the law" - just 'cause one doesn't know about it doesn't mean questions shouldn't be asked or talking to others to get a consensus.
I hope Eufy gets this figured out. But it's a good lesson on how fast cloud based product security can go south.
Indeed.

I'm curious if their code is open-source, if so I'm wondering if such code was used to have prying eyes play with settings or make the video feeds accessible?
 
Hmmm I don't see this option in the Eufy app.

Can you or anyone share screenshots of where this is in the Eufy app?
I use a HomeBase, so I'm not sure if the option exists on a per-camera basis for those who aren't using the HomeBase.

For the HomeBase, it's under the HomeBase Settings->HomeKit Setup->HomeKit Security Video.

However, you don't need to worry about this setting anyway if you're able to block outbound traffic entirely at the router.
 

I use a HomeBase, so I'm not sure if the option exists on a per-camera basis for those who aren't using the HomeBase.

For the HomeBase, it's under the HomeBase Settings->HomeKit Setup->HomeKit Security Video.

However, you don't need to worry about this setting anyway if you're able to block outbound traffic entirely at the router.
Hi,

It depends on which Eufy camera you bought, the eufycam2 and eufycam2 Pro (both outside battery operated cameras) don't require the eufy app to be set-up … I only used apple’s HomeKit App and I never downloaded or created an account in the eufy app.

These two cameras use the Homebase2 (newer Hub) but like I said earlier … I didn’t have to use Eufy’s App … I set-up everything just using the Apple HomeKit App.

The other Eufy camera models do require to be set up with the Eufy App because they are not « natively » HomeKit compatible.
 
Eufy has finally commented on their forum:

Dear user,
The issue was due to a bug in one of our servers. This was quickly resolved by our engineering team and our customer service team will continue to assist those affected. We recommend all users to:
1. Please unplug and then reconnect the home base.
2. Log out of the eufy security app and log in again.
Contact support@eufylife.com for enquiries.

 
It depends on which Eufy camera you bought, the eufycam2 and eufycam2 Pro (both outside battery operated cameras) don't require the eufy app to be set-up … I only used apple’s HomeKit App and I never downloaded or created an account in the eufy app.
Ah, right. Thanks. I'd forgotten about those other ones. I have the 2C's, which require the HomeBase, so the HomeKit settings are only found on the HomeBase, in the Eufy app.
 
Ah, right. Thanks. I'd forgotten about those other ones. I have the 2C's, which require the HomeBase, so the HomeKit settings are only found on the HomeBase, in the Eufy app.
Hello again Sir,

If you have the Homebase2 (the newer Hub) you should have been able to set up your 2C cameras only using Apple’s HomeKit App while never downloading or creating an account with the Eufy App.

I set-up the EufyCam2 Cameras by doing « add accessory » using the Apple HomeKit App and then adding the Homebase2 Hub to HomeKit.

After that, I linked the cameras to the hub using the pairing buttons and soon after the cameras became available in Apple’s HomeKit App.

The Homebase2 has a HomeKit QR scanning code under the base.
 
Just for info if you enable HomeKit for the Doorbell then you lose the ability among some other things to speak to people via the doorbell if you are not in. That's quite a key part of the functionality you lose in my opinion.
 
Just for info if you enable HomeKit for the Doorbell then you lose the ability among some other things to speak to people via the doorbell if you are not in. That's quite a key part of the functionality you lose in my opinion.
That a Eufy API limitation or a homekit limitation?
 
Not an excuse, it's not acceptable, but it does happen. Edison had this happen with their mail app about a year ago where users saw other users' emails.

That is FAR more concerning (personally) than seeing some outdoor views. But people seem to have forgotten/got over it and still downloading the app. Not considering it was the 2nd MAJOR privacy breach when they were caught reading user emails by workers there.

It's also still a top 100 app in Productivity in the App Store with 64k ratings, so 🤷‍♂️

You have to pick your poison sometimes. Cloud-based will likely always have its issues. And be mindful of things like this- not putting cameras inside your dang house.
Most downloading don’t follow sites like this so they have no idea. They trust Apple and assume Apple is working to protect them. Imagine an App Store with no controls at all and consumers having no way of knowing the level of security provided.
 
If you have the Homebase2 (the newer Hub) you should have been able to set up your 2C cameras only using Apple’s HomeKit App while never downloading or creating an account with the Eufy App.
Interesting. That option wasn't there when I first got the system last summer, as I definitely tried. I was able to pair the HomeBase2 without the app, but I still needed to open the Eufy app to actually add the cameras to the HomeBase and enable them for HomeKit.

Perhaps it's changed since then, but I've already got it all up and running, so it doesn't really matter now 😏

I keep the Eufy app on my iPhone just to check for firmware updates, and in case I need to tweak any settings, but I never open it, as it's useless unless I unblock the HomeBase2 anyway.
 
Most downloading don’t follow sites like this so they have no idea. They trust Apple and assume Apple is working to protect them. Imagine an App Store with no controls at all and consumers having no way of knowing the level of security provided.

But Apple isn't the premise at all here. It was simply an example being taken way too literally. Even a $1 trillion company makes big mistakes.

Rule #1 is no cameras anywhere private or indoors in a residential setting (commercial is a different discussion). Closed system, sure, but not connected to the internet.

If someone else happens to see your outdoors you have not lost a lot there. There is no legal expectation of privacy outdoors; at least here in the US that is.

I have never ever understood this indoor camera craze. A baby monitor or watching someone sit your kids, for a limited time/purpose, ok maybe for the specific time/event. But I just don't get this wanting cameras that hook to the Internet inside the house.

It just is one of those bad ideas to begin with waiting for incidents like this to happen. This is not the first or last one. I'm fairly sure recently someone was accessing Amazon made cameras and talking to people in their houses verbally harassing them. And this won't be the last camera incident by far.

Local storage is great, then comprises that you have to get it to your mobile or some device to view somehow when out of the house unless you stay home 24/7 to locally view it (which then still involves the internet somehow), and if they steal the local recording device you're sunk with nothing to catch them defeating the whole purpose.

Neither is "best" really.
 
Rule #1 is no cameras anywhere private or indoors in a residential setting (commercial is a different discussion). Closed system, sure, but not connected to the internet.

I debated unplugging my lone eufy cam (running on HKSV) but I decided if someone wants to see which of our two cars is present and if our garage door is open, well, so be it.
 
So is the "complete control" going to involve cloud or local storage?

Whichever you prefer. Or both. Or it can send you an iOS notification. Or an email.

Even just with the "tick box" options (i.e. no custom scripts/processes), most people will be spoilt for choice.
 
"Due to a software bug during our last server upgrade today at 4:50 AM EST, a limited number (0.001%) of our users were able to access video feeds from other users’ cameras. Our development team recognized this problem around 5:30 AM EST and was able to fix it quickly by 6:30 AM EST."

It appears it was also 0.001% whatever worth that is. Sounds like a very slim few people.

Even if 5 million people have these (users not individual cams) that is only 50 people potentially affected maximum; not who actually saw it happen. And if they checked in that 1 hour time of time.

Not saying it's not bad, but it seems very very limited real effect.
 
That a Eufy API limitation or a homekit limitation?
Think I misread the learn more link under HomeKit on the app earlier and not sure you can do HomeKit at all for the doorbell, it only refers to actual cameras but the comparison table just mentions 2 way audio is only useable via the app not with HomeKit. If the doorbell was HomeKit supported then suspect the same would apply.
 
Think I misread the learn more link under HomeKit on the app earlier and not sure you can do HomeKit at all for the doorbell, it only refers to actual cameras but the comparison table just mentions 2 way audio is only useable via the app not with HomeKit. If the doorbell was HomeKit supported then suspect the same would apply.

There are some severe limitations with HKSV for sure. 2-way audio, timestamps (basic recording stuff c'mon) and activity zones/sensitivity to stop it from going off every time a tree sways or car goes by. Those are some big missing things still, making it unusable for some.

And the stupid tier limitations are utterly ridiculous IMO. 200gb plan and you can use 1 freaking camera? That's on Apple not a technical limitation.

Paying $10/month for 2 cameras is frankly asinine and would never take up near even 200gb. I have nothing else to store needing anywhere near 200gb even. I get if they set it at 4 or 5 limit, ok. But 1? Pure greed.

And that is what pushes people to ones like Eufy with no monthly fee.
 
Whichever you prefer. Or both. Or it can send you an iOS notification. Or an email.

Even just with the "tick box" options (i.e. no custom scripts/processes), most people will be spoilt for choice.
So if using cloud storage, where is the benefit over HSV? You were knocking people choosing convenience, but security and convenience aren't always mutually exclusive.
 