There seem to be a few comments talking about how it's just thumbnails stored or how any cloud-based system has to send some media to the cloud - fundamentally I think we need to make sure we're not missing the bigger picture here. They said that they make sure to keep your data off of cloud servers. Exact copy:<p><i>>Keep Privacy in Your Hands</i><p><i>>HomeBase uses local storage kept off of cloud servers to ensure that only you are reviewing your data.</i><p>From: <a href="https://web.archive.org/web/20221003175526/https://us.eufy.com/pages/security-eufycam3" rel="nofollow">https://web.archive.org/web/20221003175526/https://us.eufy.c...</a><p>Even if it's just a thumbnail - their copy is crystal clear about the fact that your data does not end up on the cloud. They are then putting data on the cloud.<p>They claim:<p><i>>Safe and Private<p>>Your videos and other data is stored privately in your own home behind 3-step military-grade AES-128 encryption. Only you have the key to access.</i><p>Their marketing is very clear. They sold devices based on this claim, and violating it to any extent is unacceptable.
In short: "Anker has built a remarkable reputation for quality over the past decade [...], including the Eufy home security cameras [...]. Eufy’s commitment to privacy is remarkable: it promises your data will be stored locally, [...], that its footage only gets transmitted with “end-to-end” military-grade encryption, and that it will only send that footage “straight to your phone.”<p>So you can imagine our surprise to learn you can stream video from a Eufy camera, from the other side of the country, with no encryption at all."<p>And a tweet showcasing how to get the unencrypted video/images from the security researcher who discovered the issue: <a href="https://twitter.com/paul_reviews/status/1595421705996042240" rel="nofollow">https://twitter.com/paul_reviews/status/1595421705996042240</a>
This looks more like negligence than malice. In order to send the push notification you have to send the content to a server that then gets pushed down through say Apple's Push Notification Service. The doorbell cannot talk directly to your device. The notification contains the image and whatever other text and metadata shown.<p>I'd imagine that what they mean by "planning to encrypt" this content is to E2EE the content and register a notification extension (something like: <a href="https://developer.apple.com/documentation/usernotifications/unnotificationserviceextension/1648229-didreceivenotificationrequest?language=objc" rel="nofollow">https://developer.apple.com/documentation/usernotifications/...</a>) that transforms the content once received by the client.<p>As most people probably know, E2EE isn't a simple problem to do in a user-friendly way. Perhaps when setting up the app/doorbell the doorbell could have some certificate that the app is aware of that's used for encrypting the data before it leaves the doorbell, and decrypted using the app's private key but this obviously isn't something provided out of the box.<p>Obviously a warrant could be served to Apple/Google/Eufy for notification content, but I don't take this as being particularly nefarious.<p>It genuinely wouldn't surprise me if other offline doorbells like Ubiquiti's UniFi line were also affected.<p>*I should probably mention I wrote this comment after reading a different article/video but didn't catch that their marketing mentioned that everything is E2EE. So yeah, seems like a pretty glaring lie in that regard.
This article seems confused about the claims it's making.<p>The embedded Tweet shows that the thumbnails for push notifications are stored on AWS as a secret URL. That's not great, but also expected for the convenience of having push notifications include media.<p>The part about VLC seems to be a completely different issue.<p>> This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.<p>The part about streaming from across the United States is irrelevant. Just because it can be accessed over the internet doesn't mean it's using "the cloud."<p>And of course Anker has the capability to access streams. They allow you to log in to the app using a username and password and then start streaming from your devices. Them abusing that capability was always a risk.
It’s a shame they don’t seem to want to support Apple’s HomeKit Secure Video platform on their new devices. At least with Apple we can trust everything stays local.<p>The Eufy cameras I do have that support HomeKit, I’ve blocked internet access to them from my router and can only access them through Apple’s Home app.<p>That said, I do recommend blocking internet to all cameras and using a self-hosted app like Scrypted or Homebridge to manage your cameras.
I recall that there was a trick to block Eufy from phoning home by connecting them to a Wifi network that connects to the internet only through a custom DNS server that blocks all the Eufy specific hosts.<p>I am not sure about it but was wondering if anyone has done it successfully so far?<p>I have Eufy cameras too but never trusted them for security, although they are pretty reliable for me from a service perspective.
If you want a truly local camera system with all the fancy features, check out Home Assistant (homeassistant.io) and Frigate (<a href="https://github.com/blakeblackshear/frigate" rel="nofollow">https://github.com/blakeblackshear/frigate</a>).
eufy/anker are fucking useless.<p><a href="https://community.security.eufy.com/t/major-flaw-delete-homebase-data-via-camera/903359" rel="nofollow">https://community.security.eufy.com/t/major-flaw-delete-home...</a><p>I spent ~1 month full-time savings on a camera kit, cameras + base station. I was able to return the product for a refund (NZ law), I luckily found that thread within 24 hours of buying that SHIT.<p>p.s. don't confuse an existing good NZ law with our current inept government (i.e. we have a female Trudeau)