eufy Admits That Its Cameras Have a “Security Flaw”

Andrew Heinzman

Review Geek


eufy Admits That Its Cameras Have a “Security Flaw”

After three weeks of silence, eufy finally acknowledges that its cameras have a “security flaw.” The company published a blog post explaining how it will increase the privacy, security, and transparency of its smart cameras. Still, eufy hasn’t apologized to customers or explained how camera streams were accessed in VLC.

Here’s a quick recap; eufy’s smart security cameras rely on a “base station” to store video locally. This keeps your data off the cloud and away from hackers. But security researchers found that eufy cameras feeds can be accessed through VLC, a free media player. (As far as we know, this vulnerability hasn’t been utilized by hackers.)

Researchers also discovered that eufy cameras send some data to the cloud. Encrypted video thumbnails are dumped into AWS to serve mobile push notifications, for example. Customers don’t seem to care too much about these video thumbnails, but they’re frustrated by eufy’s lack of transparency on this matter.

Initially, eufy denied the existence of any vulnerabilities. It stopped responding to press inquires related to this matter, and it quietly deleted several lines from its “Privacy Commitment” page.

But the company now admits that the “Live View feature on its Web-Portal feature has a security flaw.” It doesn’t explain this “flaw,” and it doesn’t mention VLC, but it claims that users can no longer access Web Portal livestreams outside of the Web Portal. The ability to share livestreams with other people has also been removed—you need to log into an account associated with a camera to view its live feed. (We’re still waiting for researchers to verify that this vulnerability is fixed.)

Additionally, eufy is taking steps to increase transparency. The eufy Security app now provides detailed explanations for its push notification settings, allowing users to see which settings require interaction with the cloud. The Video Doorbell Dual is also updated to prevent facial recognition data from traveling to the cloud (previously, this doorbell used the cloud to send a new face to your other eufy cameras).

Later this week, eufy will publish a revised security statement. We hope that this statement gives customers a better understanding of how their cameras work. Still, we’re dissatisfied by how eufy handled this incident. For this reason, Review Geek no longer recommends eufy’s smart security cameras.

Source: eufy

Continue Reading