Eufy has emerged as a trusted name in the smart home and wireless security systems space over the last few years. Eufy’s extensive product line includes everything from robotic vacuum cleaners and smart digital scales to pet monitoring devices and home alarm systems. Eufy’s lineup of security camera systems is one of its most important product categories. Eufy has long marketed these devices as only storing customer data (including video footage and photos) on local servers. These claims contributed significantly to the massive increase in the popularity of Eufy’s security cameras. Customers were relieved to learn that video footage captured by Eufy cameras never leaves their local servers, and they were also relieved to learn that there was no monthly fee.
However, after an investigation by Paul Moore, a security researcher based in the United Kingdom, Eufy’s claims of being a completely “cloud-free” security camera system have been called into question. Moore also claims to have discovered several security flaws in Eufy cameras, and alleges that the company sends images and facial recognition data to third-party Cloud servers without explicit user consent. Moore’s most shocking revelation, however, is about Eufy’s live feed feature, which can allegedly be accessed without any form of authentication.
Moore’s claims have some merit, according to independent analyses by publications such as The Verge and Ars Technica. However, there have been counterclaims that partially, but not entirely, defend Eufy’s position.
Moore, who had been testing Eufy’s Doorbell Dual Camera system for a while, noticed something was wrong with a security camera he purchased near the end of November 2022. Moore claimed that his security cameras, which were supposed to have nothing to do with the Cloud and to store data only locally, were actually uploading some data to Eufy’s AWS (Amazon Web Services) cloud servers, despite Eufy’s claims.
Moore asked Eufy how its camera system sent facial recognition data to its servers in a series of tweets on November 21, 2022. Soon after, another Twitter user made an unexpected revelation. He claimed that by using a VLC player, he could access the live feed from a Eufy camera with no authentication.
It is important to note that in both cases, they could only access their own camera streams. While it is still theoretically possible for hackers to use brute force techniques to generate a direct link to a stream, no such instance has been documented. The user must first log in to Eufy’s web interface in order for the live stream link to be generated. These explanations did not fully account for why Eufy was storing facial recognition data on its servers, or why this was done in the first place, given Eufy’s claims about its cameras having nothing to do with the Cloud.
While Eufy misled its customers when it claimed that it completely disconnected its security cameras from the Cloud, there is more to the story. Following Moore’s revelations, a YouTuber named The Hook Up, who creates content about smart home gadgets and security camera systems, released a separate video explaining what may have occurred. The most important takeaway from his video was that many of Eufy’s features required Cloud access to function. Eufy made a mistake by failing to state these facts explicitly in its promotional and marketing materials.
Consider Eufy’s facial recognition feature, which must be configured via the Eufy app on a smartphone. For this feature to work, Eufy needed to match a detected face to that of a person already in its database. These images also allow Eufy to send push notifications to users when the camera detects a face. To accomplish this, the thumbnail had to be uploaded to cloud servers. Eufy failed to explicitly reveal these aspects of its features to its customers. Moore also claimed that many of the stored thumbnail images could be accessed even after the phone was deleted. The Hook Up responded by claiming that the images were automatically deleted from the cloud servers within 24 hours.
The Verge’s official response to Moore’s claims and subsequent findings has been less than satisfactory. Some people have stopped using Eufy security cameras since Moore’s revelations, with some even destroying the camera hardware. Following this incident, several well-known YouTubers, including Linus Tech Tips, have canceled sponsorship deals with Anker, Eufy’s parent company.