In a major security and privacy lapse, for an hour on Monday morning, users of Eufy cameras discovered that cameras owned by other users were viewable in their app instead of their own, and settings could be changed by those granted bogus access as well.
Many connected cameras bought for security offer app-based viewing and playback of video feeds for convenience. On Monday, a problem appeared in the Eufy app: it showed users the feeds of cameras that they do not own.
In reports first spotted on Reddit, Eufy cam owners say that attempts to log into the app provide complete access to another camera setup, seemingly in another country. As part of this access, the users are also able to see and change settings on the account and connected hardware, turn lights on and off, and also retrieve details like the camera owner's email address.
Users have expressed concern about the problem, declaring it a major breach in security and privacy for users. Some posting to Reddit are worried about who may have access to their cameras, and for the safety and privacy of their children.
Some miscreants are taking advantage of this access. They are modifying settings for accounts, and there are reports of some talking to children on the other side of the camera.
It is unclear how many people are affected by the issue, as not all of the tests by AppleInsider manifested an issue. One UK staffer saw no issue, and one US editor is having the problem.
For the affected editor, HomeKit Secure Video is displaying the right camera, but the Eufy app is showing the wrong one. There is some speculation it could be a regional issue, though more data is required to confirm that to be the case.
AppleInsider recommends Eufy camera owners turn their cameras off if they are concerned about their privacy, until Eufy responds to the complaints to their satisfaction.
Update: In a statement to AppleInsider and other venues, Eufy claimed that a "server upgrade" induced the problem for 0.001 percent of its users. The company also said that it identified the problem at around 5:30 AM Eastern Time, and fixed it by 6:30. AppleInsider staffers saw it as late as 6:51 AM Eastern Time before disconnecting cameras, but can confirm that the problem is now fixed.
The company confirmed that the issue was geographically limited to the US, Australia, Mexico, and New Zealand. Users in Europe were not impacted, the company said.
Update 12:58 PM Eastern Time with Eufy response.
13 Comments
How is this possible? Eufy is a load of crap!
This just highlights the potential dangers of WiFi connected cameras and other smart IoT devices. This kind of lapse is far more serious I would argue than to be described as a ‘concern’ and the fact that Eufy haven’t immediately restricted servers to take the network offline until they have at the least some sort of explanation is quite irresponsible I would argue. I have been slowly and cautiously adding more IoT to my home over the years and I know nothing is perfect but I have been limiting myself to only HomeKit exclusive devices, as they are at least encrypted by and large with their own security chips. Although I couldn’t speak to the security regarding the newer option of software based verification, still it is likely to be better than a lot of these other services available. As for CCTV I think the safest option is to have them record locally and upload to one’s own private network/server. HomeKit secure has more conveniences, but if you are forced to also upload to the developer’s own network as well then you have issues just such as what is happening now. Quite scary.
Agree, between this, malware, ransomware, identity thefts, assorted hacks etc etc, Apple’s stance on these issues seems to be wiser with each passing month. Agree if no HomeKit, count me out.
And the people in the government who ask for an iOS backdoor, clean up your own house first—they are doing little to fix these problems and are often the worst victims.
I swapped out a Eufy doorbell for a UniFi G4 just yesterday. Fortunate timing on my part. I got tired of the Eufy app constantly marketing to me for referrals and selling more cameras to me.
I haven't seen the issue. I don't have HomeKit Secure Video turned on. Possibly related?
Without it on, it's my impression that the video and camera feeds need access to your host device on your network.