Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Eufy cameras upload content to the cloud without owners knowledge

A security researcher has discovered that Anker's Eufy security cameras send user images and information to the cloud without the owners' consent — even if the user doesn't pay for a cloud subscription.

Security consultant Paul Moore discovered that his Eufy Doorbell Dual was uploading data to the cloud, despite the fact he'd disabled cloud functionality. Moore uploaded a short video to YouTube to highlight what he'd found.

In the video, Moore shows how even after turning off the Eufy HomeBase, the Eufy website can still access an image he uploaded despite not signing up for the cloud service. Furthermore, the image is still accessible even after Moore removes it from the Eufy app.

Interestingly, it doesn't appear that Eufy is uploading the video as video, but rather as a series of thumbnails.

Eufy also appears to be using facial recognition on the uploads. Moore surmises that Eufy could link the facial recognition data collected from multiple cameras and apps to users — without the user's knowledge or consent.

After the disclosure, Eufy contacted Moore to confirm that it uploads events and thumbnails to Amazon Web Services. However, the company says the data cannot be leaked as the URL is only available for a short period of time and requires an account login.

A final issue Moore notes is that Eufy camera streams could be watched live using an app like VLC, though he didn't provide information on how this is possible. In addition, worryingly enough, Moore notes that the streams aren't encrypted and can be accessed without authentication.

Since his initial post, Moore posted that he'd "had a lengthy discussion with Eufy's legal department." He also stated that it would be "appropriate at this stage to give them time to investigate and take appropriate action," and that he could not comment further.

This isn't the first time Eufy has come under fire for security lapses. Most notably, in May of 2021, users of Eufy cameras discovered that cameras owned by other users were viewable in their app instead of what they were expecting to see from their own cameras, and settings could be changed by those granted bogus access.



8 Comments

zviratko 2 Years · 1 comment

Apparently, Eufy has been aware of this already, which means they have also missed all deadlines on notifying agencies about GDPR violations etc. This could cost them at least a few billion EUR.
I wonder how this affects people who only ever used it with Homekit, as it claims to be disabling most of the Eufy functionality.

22july2013 11 Years · 3736 comments

A few days ago on the AI story called "Here are all the devices getting Matter Support" i said that the Eufy camera was insecure even when using HomeKit Secure Video, let alone when using HomeKit. Despite the people who argued against me, I guess this story supports my fears about Eufy.

Here was part of my claim:

it [Eufy cameras] probably works using additional software running on the hub and/or on your iOS device that requires an Internet connection and communicates some data back to home base, which is usually China. 

Where do I go to claim my reward?

boxcatcher 9 Years · 275 comments

Yeah, this was obvious because their cams would still send you notifications via their app about movement and certain objects being detected — likely sending images up to AWS and they were using AWS Rekognition.

I use a HomeKit secure router functionality to restrict their cameras’ to only be able to communicate on the local home intranet — a Home hub can still  provide the camera feed via HomeKit.

ITGUYINSD 5 Years · 550 comments

zviratko said:
Apparently, Eufy has been aware of this already, which means they have also missed all deadlines on notifying agencies about GDPR violations etc. This could cost them at least a few billion EUR.

I wonder how this affects people who only ever used it with Homekit, as it claims to be disabling most of the Eufy functionality.

Having Eufy cameras enrolled in Homekit doesn't keep one from using the Eufy software to view the cameras.  I've got 5 cameras and can view them in Homekit or Eufy app.  Some advanced features are disabled in Eufy app since they are in Homekit, but basic functionality works just fine.

FileMakerFeller 6 Years · 1561 comments

VLC lets you specify a URL that defines a video feed; I'd always wondered what that was for. Never made the mental connection to video surveillance, but it is obvious now.