What did Eufy do?

During Thanksgiving 2022, a researcher for Infosec, Paul Moore, discovered something pretty shocking about the company. He discovered that Eufy has been uploading photos and videos of its customers to its cloud despite stating the exact opposite. Eufy stated that it never uploads any footage or photos of its customers to the internet. Nowhere in any documentation, written or digital, did it say that it uploads anything from the users. The company said that everything is stored locally on your device. So, the company told a massive lie to its users, who are, understandably, upset.

Can the footage be accessed?

Absolutely! For starters, Eufy claims that your information is all protected by military-grade end-to-end encryption, but even that is a lie. Moore posted a video where he showed himself accessing photos from his camera using MS Paint. So, either the photos are not encrypted or MS Paint got a MAJOR upgrade. Also, users at The Verge were able to access and live-stream footage from their cameras using the free VLC player. If a person was able to gain access to these photos or video streams, there wouldn’t be anything keeping them from having a free peep show.

There may be some good news on this front. For starters, the camera has to actually be awake for you to stream the footage. This means that you’d need to manually activate the camera. When this was first reported, the users were able to access the footage when the camera detected motion. However, it seems that the company has changed it so that this doesn’t happen. Also, one of the methods the users used to obtain the address for the streams no longer works. So, it seems that the company is aware of this and is patching the issue somewhat.

Is it easy to access the footage and pictures?

Yes and no. Basically, if you’re an average Joe, then you can forget it. You’ll need to gain some sensitive information about the camera and the owner in order to view the content. If you’re not tech-savvy, then you’re not equipped to view the footage. However, there are plenty of hackers and tech-savvy nerds out there who can easily find a workaround. We, obviously, are not going to share how to do this, but you will need to know information like the user’s account credentials and the camera’s serial number. Jacob Thompson, a Mandiant vulnerability engineer, spoke with The Verge and gave some more bad news on this front. While it’s good that Eufy’s camera serial numbers are rather long at 16 characters, they don’t change. Once you know a serial number, you can keep tabs on that device for as long as you want. An example he gave was giving a camera away and accessing the feed from that device to spy on the recipient.

Has anyone been affected by this so far?

So far, there are no reports of anyone being abused or stalked. That’s not to say that it hasn’t happened at all. We’ll keep you updated on that front if anyone comes forward.

Has the company responded?

[Update Dec. 21st: Eufy issued a forum post where it acknowledged a potential security flaw. However, it still says that it’s speculative. The company also updated the web portal so that no one can view live streams without logging in. You can no longer share live stream links with other folks as well.]

Yes. Follow-up question: Does its response suck? Also, yes. Eufy has been really passive about this whole situation. The company posted two statements on its website, and they were both contradicted by the recent findings. In the first statement, the company came forth and stated that, in order to provide thumbnail previews for the push notifications, the company will upload thumbnail images to an AWS-based cloud server. Those thumbnails are deleted within 24 hours of uploading, and people are only able to access them through their accounts. So, that could explain what Paul Moore found in his video above. He did see pictures, and he did access them through his account. However, that’s not enough. Eufy vehemently stated that the data was encrypted. Also, this doesn’t explain the fact that people are able to view live streams of footage. Sure, the company did “sincerely apologize” for not informing its customers about uploading the photos for the thumbnails, but that doesn’t mean much at this point.

The app update

Eufy did try to side-step the issue by sending an update to its mobile app that offers a disclaimer. When you’re changing the notification settings, you’ll see different options for how you want your notifications displayed. Under the “Full Effect” and “Include Thumbnail” options, you’ll see a short message stating that the thumbnails are temporarily stored in the cloud. That’s a step in the right direction, but it still doesn’t make the situation any better. In the second statement, Eufy denied the accusations against it, and that was it. The company hasn’t stated what it plans on doing or how it will fix this issue.

At the moment, we don’t have any official reports about legal actions. Paul Moore did say that he began legal actions against the company, but we haven’t gotten any additional word on that. However, with how massive this controversy is, you can bet that there are going to be some serious lawsuits. The company is in for a tough road, and there’s no way that it will get off scot-free.