When it comes to home security cameras, most people prefer their video footage to stay secure. The video should be encrypted and inaccessible to anybody you don’t want to see it. Eufy sells several security cameras with a promise that all the video footage and other data are stored local-only. That’s been proven to be a lie, and Eufy’s response does little to allay my worries about the broken promise.
Security Researcher Discovers Eufy Local-Only Camera Storage Promise Is Untrue
Take, for example, Eufy’s Video Doorbell Duo. According to the product information page, this video doorbell doesn’t store anything in the cloud. Eufy claims “This means that no one has access to your data but you.”
According to security researcher Paul Moore, that’s patently false. In a series of tweets beginning Nov. 23, Moore demonstrated video footage from the Doorbell Duo streaming to a cloud service, even though cloud storage was disabled.
Not only that, but Moore discovered he could access the stream from the video doorbell remotely, unencrypted and without any authentication. That’s a serious security concern, and is the complete opposite of the level of privacy Eufy claims the product offers.
When Moore brought the falsity of Eufy’s local-only data storage promise to the company, it was an opportunity for Eufy to remedy the matter. Instead, support representatives first tried to convince Moore nothing was sent to cloud storage. Next, a Eufy customer service engineer attempted to downplay how serious the breach was. In an email, the representative claimed the resource uploaded to an Amazon Cloud server “will not be able to leak to the public.”
Eufy Backpedals, Tries to Mask Its Insecure Product Without Stopping What Makes It Insecure In the First Place
In an update, Moore states that Eufy removed one background call that was revealing the stored images on the cloud. However, the footage itself was still there. Furthermore, Moore discovered Eufy had begun encrypting “other calls to make it almost possible to detect.”
In other words, rather than trying to fix the security breach and hold to its promises, Eufy has begun trying to hide the problem. Video footage from the Eufy Video Doorbell Duo still gets sent to the cloud. The user, no matter how technically proficient, just has a more difficult time discovering that it’s happening.
Replying to Moore’s tweets, multiple users discovered other Eufy products behaving in exactly the same way. One learned the EufyCam 2C and Eufy Homebase also sent footage to the cloud. Using developer tools in a web browser, the user could “find a URL that I can paste into another browser and see an online thumbnail of the last recorded event.”
Neither Anker nor Eufy could be reached for comment as of the time of publication. As Moore has initiated legal proceedings against the company, it’s unlikely the company will respond publicly in the near future.
I don’t mind saying this only serves to reinforce my insistence on only using HomeKit Secure Video products in my own smart home setup.