Anker’s Eufy lied to us about the security of its security cameras

256 points, by nathan_phoenix, over 2 years ago

10 comments

vikramkr, over 2 years ago
There seem to be a few comments talking about how it's just thumbnails stored or how any cloud based system has to send some media to the cloud - fundamentally I think we need to make sure we're not missing the bigger picture here. They said that they make sure to keep your data off of cloud servers. Exact copy:

> Keep Privacy in Your Hands

> HomeBase uses local storage kept off of cloud servers to ensure that only you are reviewing your data.

From: https://web.archive.org/web/20221003175526/https://us.eufy.com/pages/security-eufycam3

Even if it's just a thumbnail - their copy is crystal clear about the fact that your data does not end up on the cloud. They are then putting data on the cloud.

They claim:

> Safe and Private

> Your videos and other data is stored privately in your own home behind 3-step military-grade AES-128 encryption. Only you have the key to access.

Their marketing is very clear. They sold devices based on this claim, and violating it to any extent is unacceptable.
nathan_phoenix, over 2 years ago
In short: "Anker has built a remarkable reputation for quality over the past decade [...], including the Eufy home security cameras [...]. Eufy’s commitment to privacy is remarkable: it promises your data will be stored locally, [...], that its footage only gets transmitted with “end-to-end” military-grade encryption, and that it will only send that footage “straight to your phone.”

So you can imagine our surprise to learn you can stream video from a Eufy camera, from the other side of the country, with no encryption at all."

And a tweet showcasing how to get the unencrypted video/images from the security researcher who discovered the issue: https://twitter.com/paul_reviews/status/1595421705996042240
landr0id, over 2 years ago
This looks more like negligence than malice. In order to send the push notification you have to send the content to a server that then gets pushed down through say Apple's Push Notification Service. The doorbell cannot talk directly to your device. The notification contains the image and whatever other text and metadata shown.

I'd imagine that what they mean by "planning to encrypt" this content is to E2EE the content and register a notification extension (something like: https://developer.apple.com/documentation/usernotifications/unnotificationserviceextension/1648229-didreceivenotificationrequest?language=objc) that transforms the content once received by the client.

As most people probably know, E2EE isn't a simple problem to do in a user-friendly way. Perhaps when setting up the app/doorbell the doorbell could have some certificate that the app is aware of that's used for encrypting the data before it leaves the doorbell, and decrypted using the app's private key but this obviously isn't something provided out of the box.

Obviously a warrant could be served to Apple/Google/Eufy for notification content, but I don't take this as being particularly nefarious.

It genuinely wouldn't surprise me if other offline doorbells like Ubiquiti's UniFi line were also affected.

*I should probably mention I wrote this comment after reading a different article/video but didn't catch that their marketing mentioned that everything is E2EE. So yeah, seems like a pretty glaring lie in that regard.
underwater, over 2 years ago
This article seems confused about the claims it's making.

The embedded Tweet shows that the thumbnails for push notifications are stored on AWS as a secret URL. That's not great, but also expected for the convenience of having push notifications include media.

The part about VLC seems to be a completely different issue.

> This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.

The part about streaming from across the United States is irrelevant. Just because it can be accessed over the internet doesn't mean it's using "the cloud."

And of course Anker has the capability to access streams. They allow you to login to the app using a username and password and then start streaming from your devices. Them abusing that capability was always a risk.
mandrizzle, over 2 years ago
It’s a shame they don’t seem to want to support Apple's HomeKit Secure Video platform on their new devices. At least with Apple we can trust everything stays local.

The Eufy cameras I do have that support HomeKit, I’ve blocked internet access to them from my router and can only access them through Apple's Home app.

That said I do recommend blocking internet to all cameras and use a self hosted app like Scrypted or Homebridge to manage your cameras
princevegeta89, over 2 years ago
I recall that there was a trick to block Eufy from phoning home by connecting them to a Wifi network that connects to the internet only through a custom DNS server that blocks all the Eufy specific hosts.

I am not sure about it but was wondering if anyone has done it successfully so far?

I have Eufy cameras too but never trusted them for security, although they are pretty reliable for me from a service perspective.
jasonhansel, over 2 years ago
> there’s no proof yet that this has been exploited in the wild

Give it a few days.
kodah, over 2 years ago
If you want a truly local camera system with all the fancy features, check out Home Assistant (homeassistant.io) and Frigate (https://github.com/blakeblackshear/frigate).
mfkp, over 2 years ago
Debunked, this is just clickbait: https://youtu.be/a_rAXF_btvE
tux2bsd, over 2 years ago
eufy/anker are fucking useless.

https://community.security.eufy.com/t/major-flaw-delete-homebase-data-via-camera/903359

I spent ~1 month full-time savings on a camera kit, cameras + base station. I was able to return the product for a refund (NZ law), I luckily found that thread within 24 hours of buying that SHIT.

p.s. don't confuse an existing good NZ law with our current inept government (i.e. we have a female Trudeau)