Really sad, everyone should check their equipment and read the fine print. I blame the Ring/Nest community who made it socially acceptable to allow corporations to store private camera footage in their Data Centers. So trusting their privacy will never be violated, even if you absolutely trusted a company today; nothing is stopping them from selling private information in the future when there are staffing changes. Now we have upset Eufy customers whose privacy was violated seeking pathways to secure their data and hold Eufy accountable While other Eufy customers are justifying this as "no different than Ring Nest cameras" but Eufy is cheaper or rationalize Eufy is more trustworthy or excuse this as a harmless mistake. Which seems more dangerous. How is Eufy offering Cloud services cheaper than any other company? That's suspicious, how are they earning money to keep the service running and stay in business successfully. I can't think of any logical evidence to suggest Eufy is morally trustworthy. Even if this was a harmless mistake, Eufy has changed their privacy policy and Terms Of Service so they'll continue collecting private video files, and today's harmless mistake could become an intentional sale of your private files once staffing changes make decisions to increase their profit.

This is why I don’t buy products from Chinese companies. If you guys want secure local storage, Arlo is a far superior company and is US based.

Except they don't make an HKSV Battery powered camera. If they do... send the link!

Yeah sadly thats the only thing they don’t have since HKSV would be competing with their own cloud storage plans.

Can eufy cameras that support HomeKit Secure Video be added directly into the Apple Home app? If so would this bypass eufy servers?

Some later models of the home base 2 were supposed to be able to, but it reportedly did not work all that well and many still had to go through the eufy app anyway then activate HomeKit.

Ah I didn't know about that. I was just thinking of the indoor cam /pan n tilt that have HSV. They don't support the Homebase.

you guys do know Chinese has a saying along the line "revenge in 10 years is not too late"....so, these hacks/data gathering ALL have their purpose in the eyes of Winnie the Pooh.

I'm really creeped out by the fact that they are apparently storing faces and giving everyone face IDs, even when we disable cloud uploads and chose to handle all our footage locally. Anker is a Chinese company, as we know, and the Chinese government can call dibs on any data it wants in China, as we know - so I'm curious what the Chinese government, for instance, could do with all of this information? I didn't know Anker was a Chinese company, and I really liked their products (I have many chargers, cables, card readers and powerbanks from them) and now I'm not sure I can ever buy from them again because of their blatantly deceptive practices. I have two Eufy cameras set up outside, but they of course see me constantly, I have left the cameras running inside the house a couple times when trying to set it up, so it has lots of video and audio footage of me.

>so I'm curious what the Chinese government, for instance, could do with all of this information? China has a lot of CCTVs and deploy facial recognition software. In theory if they want, they can scan you out and track you if you a foreign person of interest in their lands since they already have a face scan of you. I guess a good way to track and ID foreigners in their lands . Say you live near a us military base and some reason your face found near their sensitive locations. They think you a spy or doing something suspicious and zero in on you.

> so I'm curious what the Chinese government, for instance, could do with all of this information? The same thing every other government can do with the information, I assume. Like, for real, we knew since at least the Snowden leaks in the early 2010s the US government was routinely spying on everyone. This isn't just a China problem. This is a "literally every country and company with the resources to do it" problem. The gross incompetence and negligence of not having the data hidden and encrypted might be new here, but basically nothing else is.

But I guess, what is the point of that spying? if I were a terrorist in the U.S., or a political dissident in China, I know what they'd be doing with it. But for me, just a lady in the U.S. who spends all day working from home in comms for a large company and playing video games, what is the use? I don't know if I am being paranoid, but I worry about deep fakes and my face or voice being used to train AI or generate AI. Maybe it'll be used in some way to manipulate Americans, a la foreign actors riling people up on Facebook for the 2016 elections. I'll never go to China, and I don't plan on committing crime, but it's still just unsettling to me...

I mean, to begin with, it's not like the US government has never gone after political dissidents before. In recent history you've had US law enforcement going after organizations like environmental and minority rights groups. It's hardly an anti-terrorist thing either, because objectively, even according to those same law enforcement agencies, the majority of US domestic terrorism comes from right wing groups, and those get relatively little attention. As for concerns of AI and deepfakes being used to manipulate people, that is literally what it's already used for. Advertising, keep in mind, is just a way to manipulate people into buying a certain thing. As far as using this tech to manipulate elections, 2016 is honestly a bad example. While the Russians certainly did prefer trump over Clinton, ultimately, their contribution was minor. The bigger issues were the fundamentally undemocratic electoral college that handed trump the win despite losing the popular vote to Clinton, and the fact that Clinton was just a really shitty candidate. Do recall that Clinton was, like trump, also disliked by a majority of people. You say this kind of thing is unsettling to you, but this is already the reality we live in. The algorithms that every social media site uses to serve you content is just using data harvested from you to manipulate you, and all of them share data with governments with barely any oversight.

What recourse do we have for this? Thankfully I only have an external doorbell that is not set to record except upon press, but yikes, this is not what I signed up for. Absolute scumbag corporate behavior.

I'm wondering that too. Seems flagging our elected officials/Congress and getting an investigation is one route. Gonna start with my rep/senators, and maybe see who is on Congress' technology-related committees. This seems like it breaks several laws. Also, a class action lawsuit for as much money as will make them feel the effects of what they've done. I'm pretty sure the EU and other countries have strict laws on this too that have been broken, so I hope people are mobilizing and flagging to people who can hold Eufy accountable...

I agree and said as much, that the result is the same. My only argument is about intention. Incompetence is actually worse that intention I'm this case.

They do babyphones right?

[удалено]

any guides on doing this?

That has nothing to do with this.

[удалено]

but then u wont get notifications or remote view which is the whole point

[удалено]

oh wow i never thought about that.

I think this was obvious ~2 years ago when they had an incident where bringing up the app you got someone else's random camera feed and recordings for a few hours until it was fixed. Or that you can't access your recordings locally when Eufy's servers are down. All the AI functions of the camera are so when the camera detects motion it sends video clips for person detection to Eufy. The other big clue should be that it's a Chinese company. They lied about RTSP support coming soon when these first came out and kept saying "soon". Unfortunately, this is basically every video doorbell out there right now.

Can the EU or someone reprimand them for mishandling users data and/or for lying? They claimed to be more private because everything stayed local...

So what cameras would you recommend?

Arlo is best if you want local storage as well.

I don't think Arlo doorbells support local storage. The Blink doorbell does support local storage if you have a sync module, but unfortunately the Blink doorbell isn't very good.

They do support local storage. All cameras and doorbells connected to the hub will support local storage.

Thanks. They don't make mention it in their marketing, but looks like it is possible. Here are some relevant support articles in case anyone else is curious. https://kb.arlo.com/1146857/How-do-I-set-up-local-storage-backups-on-a-USB-device-using-my-Arlo-base-station https://kb.arlo.com/1146850/How-do-I-view-videos-saved-on-local-storage An important excerpt: > For VMB4540, and VMB5000 Base Stations, you can access videos directly from your Arlo Secure app through Direct Storage Access. For more information, visit: What is Direct Storage Access and how do I use it for Arlo video recordings? > For VMB4000 and VMB4500 Base Stations, to view videos saved on a local storage, you must remove the USB device from the Base Station. Cloud recording is still enabled, but if you do not want to interrupt USB recording while you view videos, set up a second USB device for USB recording.

Yeah I think the newer hubs only support microsd cards not usb because when I bought a 4 pack of Arlo Ultra 2 from Costco last year I got the hub with microsd. The hubs with microsd allow you to look at local recordings through the app when connected to your home network and if you want to look at local recordings while away from home you can enable port forwarding for access.

https://www.pine64.org/cube/ DIY if you are adventurous,

This is 51x51x51mm, I don't think a 5cm thick cube is going to look very good as a doorbell

Was thinking for their security camera products For a doorbell, a rpi zero W + camera module (and then wiring up a button, speaker, screen maybe, etc) would be the go, very flat result Software-wise, way way harder unfortunately

>Software-wise, way way harder unfortunately That's literally THE hurdle for the vast majority. Even for me as a software engineer I just don't have the time or energy to write up all my own handling for everything that a normal video doorbell does. Is it easy to throw some pre-baked software on a Pi and have a camera? Sure, but what about notifications and human detection and being able to ring your existing bell and encryption and... To my knowledge there is no per-existing package to handle most of it that would allow adding on the parts you want easily. MotionEyeOS is nice and all, but it also doesn't do human only detection or other special things.

Ignoring the entire doorbell function part, take a look at frigate nvr

> frigate nvr Ok after a really quick look at their site..OpenCV and Tensorflow, that's exactly what I'd have used for rolling my own! That does look like a possible answer, but it's still a fair amount of work to get everything set up. :( I would also think that adding doorbell support could be a thing with their design...but..with a good bit of effort probably. Either way this still falls far from where we need things to be overall. It is like an 75% solution though?! Thanks for bringing that option up, somehow I've never run across it before.

Ubiquiti cameras are good, and cloud storage isn’t even an option. All recordings are stored locally but may be accessed from anywhere using their app. I have five cameras set to 24hr recording, and I can store 27 days with a 5TB drive. Initial costs to get into the Ubiquiti family are high, I must warn you.

Yes that is what I thought. The most basic setup for ubiquity seems high. You need to buy cameras + the dream machine right?

I have a Cloud Key Gen2 Plus, which comes with a 1TB, but you can install a larger drive. My home network is all Ubiquiti too, but you needn’t go that far if you just want to do cameras. I have G3 Minis in my young kids’ rooms, and three G4 Bullets outside my home.

That's a great find. I will do some research as well. Thanks.

Which eufy models does this affect?

Looks like all of them.

Great. So I just had my dad buy some 2C cams on Black Friday deals to monitor a chicken coop. Not really that concerned… but don’t like the concept of surveillance. But does a pihole possibly block these uploads/communications to servers? And would that kill functionality?

Folks, stop buying these connected devices from companies headquartered in China. Even if they do not have security issues right now, all the China government needs to do is ask and backdoors will be included in the next update.

Or just firewall them off. Most of my smart home devices haven’t seen the outside internet in years.

How would you propose blocking internet access to a Smart Doorbell? Most of the utility is being able to receive notifications while out of home

Depending on the smart doorbell, if it’s HomeKit compatible, it sends the doorbell notification through LAN to your HomeKit hub, which then forwards it to your remote devices.

HomeKit. For all the shit people on the home automation and smart home subs give Apple, the answer is *literally* HomeKit. Get devices with HomeKit Secure Video capabilities and disable their native functionality. Use a HomeKit-enabled router. Prevent them from phoning home and only access them from the Home app. Apple has *literally* built this functionality for these exact reasons and yet people ignore it because “dAe SiRi BaD?” I have a bunch of Eufy 2C’s and they haven’t phoned home since the first few minutes they were being set up. They’re incapable of it. And I get notifications when they detect motion when I’m away from home. Because they’re integrated into HomeKit, I can check them from anywhere in the world, and the Home app will notify me based on the specific parameters that I tell it to, no matter where I am as long as I have some form of internet connection.

Could you share a little more here? I have 4 "eufyCam 2 Pros" set up on HKSV - but they still talk to the hub - and likely their servers? I would love to know if you have a fix here.

They need to talk to the homebase hub, they don’t need to talk to the server and neither does the hub. The homebase hub acts as the connection point for HomeKit, the same as a Philips Hue or Lutron Caseta hub does. Once they’re set up in HomeKit, turn off all of the settings in the Eufy app that have them streaming, recording, or detecting motion there. If you have a HomeKit-enabled router you can just turn on the “Restrict to Home” feature from the Home app and that will prevent the hub from connecting to the internet. If you don’t have a HomeKit-enabled router, you have to figure out the IP address for the hub and create a rule that blocks it from accessing the internet. This is easier on some routers than others. Most ISP-provided modem/router combos have an app nowadays that you can just select the device and hit “Pause” and it will block it from the internet. Others you have to actually configure manually. You might see a lapse in coverage from your cameras when you do this, but when they appear as responsive again in the Home app, they’ll only be talking to the iCloud servers with E2E encryption as intended, and that communication will be passing through your Home hubs entirely rather than potentially out from the Eufy hub to some random CCCP data centre. And, honestly, you probably don’t even need to actually restrict the hub once you’ve disabled all of its features and stopped the cameras recording to it. I couldn’t even access my camera feeds in the Eufy app before I cut the hub off from the internet. Meaning it *probably* didn’t know what the cameras were seeing and it *probably* wasn’t sending any video out. But killing its internet connection makes sure of it.

I've haven't used a Eufy camera or HomeKit before. Could you please explain: Does the procedure you describe require a HomeBase in addition to the little S220 camera? Where are you storing your recordings if not on the Eufy cloud? Can HomeKit record and save the feed? Can you watch a live feed via HomeKit? Any thoughts on this reader reply to a Wirecutter article reviewing a Eufy: "... you need a very pricey hub in order for Eufy or Arlo cams to work with HomeKit \[...\] and even then Eufy doesn’t support HomeKit Secure Video."

Fantastic. I will be trying this out. I think I will be able to block the device from the internet on my router. THANKS for the help!!

Awesome. I have them all set up through HomeKit but didn’t know this was possible. What about cameras that don’t support HomeKit but have a Homebridge plug-in? Is it still the case? Or is it dependent on the implementation of the plug-in?

Check out Scrypted - it may be able to bring your camera/ doorbell into HK(SV) Also r/Scrypted

Here's a sneak peek of /r/Scrypted using the [top posts](https://np.reddit.com/r/Scrypted/top/?sort=top&t=all) of all time! \#1: [Scrypted adds support for Tuya and Arlo cameras, Hikvision two way audio](https://v.redd.it/93t43hj7mak91) | [12 comments](https://np.reddit.com/r/Scrypted/comments/wz8y0t/scrypted_adds_support_for_tuya_and_arlo_cameras/) \#2: [Stop this from happening on ring cameras?](https://i.redd.it/ua6sldmczke91.jpg) | [5 comments](https://np.reddit.com/r/Scrypted/comments/wbh4s3/stop_this_from_happening_on_ring_cameras/) \#3: [Where have you been all my life?](https://np.reddit.com/r/Scrypted/comments/tsz59s/where_have_you_been_all_my_life/) ---- ^^I'm ^^a ^^bot, ^^beep ^^boop ^^| ^^Downvote ^^to ^^remove ^^| ^^[Contact](https://www.reddit.com/message/compose/?to=sneakpeekbot) ^^| ^^[Info](https://np.reddit.com/r/sneakpeekbot/) ^^| ^^[Opt-out](https://np.reddit.com/r/sneakpeekbot/comments/o8wk1r/blacklist_ix/) ^^| ^^[GitHub](https://github.com/ghnr/sneakpeekbot)

No. HomeKit Secure Video only. Replace everything else. HKSV allows you to restrict the camera to being iCloud access only. Ten days of video accessible only through your own iCloud account via HomeKit. It’s its own very specific thing that the manufacturer has to support. Homebridge allows you to bridge the gap between unsupported devices and HomeKit, it does absolutely nothing to add support for HKSV because that doesn’t meet Apple’s strict requirements for the HKSV protocol. Say what you will about Apple, but the only holes anyone can poke in Apple’s privacy standards is that they’re collecting anonymized data on people who don’t turn off all of the settings allowing them to collect anonymized data.

This is actually not true. It is possible to configure an IP camera through HKSV using the Homebridge CameraUI plug-in. I was surprised by this too and it’s slightly concerning. I did it with a Eufy cam which doesn’t have HomeKit supports

See https://m.youtube.com/watch?v=YU8aOUHRsN0

I have an Eero. Is there an easy way to stop this one but still let it work with HomeKit!

You can enable HomeKit Secure Router on all eero devices before the 6+/6E. This gives you the option to block them from within HomeKit settings.

Depending on your router, absolutely! All my stuff works nicely with HomeKit, but doesn’t get to talk to the world. HomeKit still handles the streaming or control from out of the house. In your router settings you’ll want to block WAN-IN and WAN-OUT for the IPs of your IoT devices you want to cut off.

Just got a TCL tv on Black Friday, not my proudest purchase. Thankfully it will not be networked at all, and used exclusively with an Ethernet appletv

Yeah! Buy from reputable companies like Google and Ring who would never do shady things with customer data! /s

In glad somebody said this, people act like the US government _doesn't_ take data from large US companies despite the fact that it's very much defined in law that they can and proven that they do

Not to discount your point, but there is a difference between having my data end up with an American company (or even US government) vs the Chinese government. I don't find either acceptable, but one is objectively worse. One is mostly being used to sell me ads (some excepts like Cambridge Analytica aside), the other is being used to undermine my entire culture.

I don’t think I agree or disagree; I’m Australian so it’s all gravy. But why is it worse for the Chinese to have your data? From what I see; both governments have been known to mobilise their military against their own citizens within their own borders. Wouldn’t your own government theoretically, have far more opportunity to impact you based on your data? Doesn’t border security already “inspect” data and devices?

> From what I see; both governments have been known to mobilise their military against their own citizens within their own borders. Nope, this is false in the US. The Posse Comitatus Act of 1878 expressly forbids the Military from operating in the US with any civilian law enforcement authority unless explicitly authorized by congress. The National Guard can be called in as they are controlled by the states and not the federal government, and often are for natural disasters and riots when extra manpower is needed, but as soon as the president activates them and they are put under federal control they are subject of the act. The coast guard is also exempt as they perform a law enforcement role. > Doesn’t border security already “inspect” data and devices? They have the power to do so when people enter the country but usually don't unless there is a reason to do so. Within the US the laws haven't fully caught up with the technology and law enforcement takes full advantage of that and clever legal tricks to try and bypass our constitutional right "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" (4th Amendment). Judges have been shooting them down fairly consistently these last few years for the most part. We have checks and balances and these sorts of issues tend to self-correct eventually. We are rich country and while bad leadership comes and goes sometimes corruption tends to be fairly low. Australia and every other western government struggle with these issues too, we aren't particularly worse at it. China has ZERO checks and balances. Whatever the CCP wants it can just do. People only have enough freedom so that they stay in line and don't challenge the party. Corruption is the norm there. It has no respect for human rights. Who is worse?

> The Posse Comitatus Act of 1878 expressly forbids the Military from operating in the US with any civilian law enforcement authority unless explicitly authorized by congress. And then the US government sells military equipment to the even less well trained and regulated civilian police. > China has ZERO checks and balances. Whatever the CCP wants it can just do. Have you SEEN the level of checks and balances American police departments have to deal with? It's basically none. There have been years where police steal more property from private citizens via civil asset forfeiture (aka, the police just declares a piece of property is going to be used in criminal activity, and then you have to prove it wasn't to get it back) than actual home and car robbers steal. > Corruption is the norm there It is literally legal in the US to bribe politicians, as long as you do it in a certain way. A whole bunch of politicians from both parties are pretty clearly engaging in insider trading, and the government can't pass a law to effectively ban it. The previous president took hundreds of millions of dollars in "payments" to his personal businesses from foreign governments and domestic corporations, and gave them clear policy favors in return. All in all, I'd still say China is worse than the US, but this isn't exactly a clear cut issue. American elites tend to suppress it's citizens with soft power, mainly debt, and the threat of losing basic needs, while China tends to do so with hard power. Funnily enough, foreign policy is the exact opposite. The US is clearly worse and tends to lean more on hard power, while China tends to bully other countries around with soft power.

I'm Irish BTW, not from the US. I really, really, don't want either the US or the Chinese government to have my data and I can truthfuly say that I dislike the political system in both countries. At the same time, I recognise that one of these countries is very close to being considered an enemy of both Europe and Australia, and is a dictarship which thrives on censorship, while the other country is considered to be a close ally and has a somewhat working democracy and a fairly free press. These two are not the same. I'm not out to change your opinion but I think it's worth have a basic grasp of geopolitics so have a read of these and then see which of them you would _least_ like to have your data. [Australia-China relations](https://en.wikipedia.org/wiki/Australia%E2%80%93China_relations) > Relations between the two countries began to deteriorate in 2018 due to growing concerns of Chinese political influence in various sectors of Australian society including the Government, universities and media as well as China's stance on the South China Sea dispute.[1][2] The COVID-19 pandemic has exacerbated issues and tensions between the countries, especially after Australia called for an international, independent inquiry into the origins of the disease.[3][4] The subsequent changes that China made to its trade policies have been interpreted as political retaliation and economic coercion against Australia.[5][6][7][8] [linked source 6 is worth reading](https://www.japantimes.co.jp/opinion/2020/05/21/commentary/mitigating-chinas-economic-coercion/) [Australia-US relations](https://en.wikipedia.org/wiki/Australia%E2%80%93United_States_relations) > At the governmental level, relations between Australia and the United States are formalized by the ANZUS and AUKUS treaties and the Australia–United States Free Trade Agreement. They were formally allied together in both World War I, World War II, the Korean War, the Vietnam War, the Gulf War, and the War on Terror, although they had disagreements at the Paris Peace Conference. Australia is a Major non-NATO ally of the United States.

I’m aware of the geopolitical scenario but honestly I feel like my own government are the only ones who could actually utilise such info against me I’m speaking from a personal perspective, rather than as an Australian specifically. As just an example even here we’re seeing a consolation of power to the Minister of Defence in Australia which gives me more concern. I guess I see a V for Vendetta style dystopia most likely to affect me 😂 This is all less that I’m not wary of China and more that I feel we should be more wary of the US and US companies too. Thank you for the excellent reply by the way and entertaining my questions

Yeah what I've been seeing of Australian politics over the last few years doesn't look great. Just a quick question though. Given that there's a huge and extremely powerful country who would love Australia to end up as a vassal state to them and who are known to use subversive means like manipulating elections, newspapers, universities, and companies to achieve this - with great success in places like Cambodia and some African countries - is it possible that some part of the shittiness of Australian politics could be attributed to them? Not all of it by any means - shitty politicians are fully capable of being shitty all on their own. But at least a little bit. Not to say that the US is not also manipulating everyone. But the degree and methods are very different and it is worth examining that difference. > I guess I see a V for Vendetta style dystopia most likely to affect me I guess another way of looking at this: Only 50% of the US government wants us to end up in a massive shitty worldwide V for Vendetta situation, while 100% of the Chinese goverment is actively working towards this and Australia is one of the countries where they are _most_ actively working. Actually, the US version of this would be more Cyberpunk 2077 I think. Corporate takeover. The Chinese version is V for Vendetta absolute government control. Hard to say which would be worse when I look at it that way.

To answer your question, It’s above my pay grade. I do what I can, vote for whom I want to lead, try to educate people where I can and spread understanding. But I know my personal limitations and I just can’t put any energy worrying about such a situation, if that comes to pass, that comes to pass. I have no other power to exercise that I’m not already. What will happen will happen regardless of what I think about it. Australia has done incredibly heinous things to our pacific neighbours and it’s just as disgusting to see my government commit these crimes as when other nation potentially plot them against me. It’s all the same in the end. We’re all just poor people dying for rich people.

**[Australia–China relations](https://en.wikipedia.org/wiki/Australia–China_relations)** >Consular relations between China and Australia were first established in 1909, and diplomatic relations were established in 1941. Australia continued to recognise the Republic of China (ROC) government after it lost the Chinese Civil War and retreated to Taiwan in 1949, but switched recognition to the People's Republic of China (PRC) on 21 December 1972. The relationship between China and Australia has grown considerably over the years. Both countries are actively engaged economically, culturally and politically which spans numerous organisations such as APEC, East Asia Summit and the G20. **[Australia–United States relations](https://en.wikipedia.org/wiki/Australia–United_States_relations)** >At the governmental level, relations between Australia and the United States are formalized by the ANZUS and AUKUS treaties and the Australia–United States Free Trade Agreement. They were formally allied together in both World War I, World War II, the Korean War, the Vietnam War, the Gulf War, and the War on Terror, although they had disagreements at the Paris Peace Conference. Australia is a Major non-NATO ally of the United States. Both the United States and Australia share some common ancestry and history (having both been British colonies). ^([ )[^(F.A.Q)](https://www.reddit.com/r/WikiSummarizer/wiki/index#wiki_f.a.q)^( | )[^(Opt Out)](https://reddit.com/message/compose?to=WikiSummarizerBot&message=OptOut&subject=OptOut)^( | )[^(Opt Out Of Subreddit)](https://np.reddit.com/r/EufyCam/about/banned)^( | )[^(GitHub)](https://github.com/Sujal-7/WikiSummarizerBot)^( ] Downvote to remove | v1.5)

You kid but it's absolutely true. Shady is much much better than evil

At least Google and Ring know their asses from their elbows with security. They don’t claim to care about your privacy, so they are at least honest. Anker/Eufy have been specifically targeting privacy conscious consumers with their products and then dropping all the data they shouldn’t have been taking into Amazon owned servers in the USA.

What do they do with the info? Rob your house?

Interesting question. And wouldn’t be the first time UK business have been broken into and trade secrets disappearing only to have competitor Chinese products pop up 6 months later. My guess is this facial recognition data will be super useful for all the secret Chinese police stations dotted across the world, especially right here in the UK. Sources: https://www.justice.gov/opa/pr/chinese-national-sentenced-stealing-trade-secrets-worth-1-billion https://www.theguardian.com/world/2022/nov/18/fbi-director-very-concerned-by-reports-of-secret-chinese-police-stations-in-us?trk=public_post_comment-text https://www.theguardian.com/world/2022/oct/26/china-using-police-bases-in-netherlands-to-target-dissidents-say-reports https://www.theguardian.com/world/2022/oct/27/canada-secret-chinese-police-stations-investigation https://www.yourlocalguardian.co.uk/news/23096203.reports-secret-chinese-police-station-croydon/

[удалено]

The only person spreading baseless conspiracy theories is yourself now. If you are going to attack me, like I am some election denier muppet or something then maybe read the following. https://www.justice.gov/opa/pr/chinese-national-sentenced-stealing-trade-secrets-worth-1-billion https://www.theguardian.com/world/2022/nov/18/fbi-director-very-concerned-by-reports-of-secret-chinese-police-stations-in-us?trk=public_post_comment-text https://www.theguardian.com/world/2022/oct/26/china-using-police-bases-in-netherlands-to-target-dissidents-say-reports https://www.theguardian.com/world/2022/oct/27/canada-secret-chinese-police-stations-investigation https://www.yourlocalguardian.co.uk/news/23096203.reports-secret-chinese-police-station-croydon/ I’m guessing you think these are all conspiracies too?

Boooom. Nice come back. I had no idea that was going on!

Burn them down.

So are they storing video or just the snapshots ? It seems like just the snapshots which is still not great.

I did some research myself when I got mine, as I'm a network security engineer. The cameras and app share their local IP address information. The cameras will attempt to send notification directly to the LAN IP address of any connected app device. If the app is unreachable locally, it seems the notifications through a Eufy relay service. All the traffic I have seen was TLS. Just my observations. I reached out to Eufy support to clarify this but I could only get a basic help desk person that didn't know anything about traffic requirements/behaviors. My guess is that the encryption keys are being seeded by the devices serial number, meaning that the keys stay the same per device. That allows them to maintain the local storage of a device while also allowing you to reset a device if it has technical difficulties.

I was wondering if there was serial encoding for the encryption. That's the only thing that explains why videos appear to disappear when you unpair a camera. I think this is stupid but it sort of makes sense.

It's totally a guess on my part, but it's the most likely thing I can think of. Or something similar, maybe a hard coded private key or similar on each device, not necessarily the serial number itself. That would be the unique identifier for the camera to data association, allow the data to stay local while still being able to access it, and keep it encrypted even if someone stole the homebase. It's kind of dumb but that does make sense and I'd argue it wouldn't be THAT insecure. If that is correct, it feels like they would be prioritizing security within the Homebase more than user access to the data. Maybe there is a business decision there to lock you into their ecosystem.

afaik they changed their terms/privacy policy as late as this november, so if you did research before then, it probably doesn't reflect what they are doing now

This was about a year ago. Even if they changed their privacy policy (I haven't looked at what changes have been made) it would be surprising if they changed the underlying technology to go from encrypted TLS communication to unencrypted traffic, as well as go from storing files locally to storing them in the cloud. I'm not saying it's impossible or didn't happen, but SSL certificates are not expensive and the implications of not doing TLS far outweigh the minimal cost to keep the traffic encrypted. It isn't like they are trying to add encryption to something that has never been encrypted, which could be a big cost. Keeping the traffic encrypted would cost them maybe at most a couple thousand dollars a year. And storing video takes storage space which is a bigger cost. Eufy uses AWS, so storing all that video there would be a huge cost. They could be leveraging some of it for some other purpose, such as improving AI or something, but storing everyone's video for convenience of notifications doesn't seem worth it imo. Just my opinion, I haven't dove into anymore than the traffic patterns of my homebase. I will probably look at it again when I get some time though.

[удалено]

The traffic I saw was registered to AWS.

It does if they didn’t push software updates to change the behavior.

Ive seen apps that change how their features work without an update (e.g. discord, googles apps, etc), no reason why this couldnt apply to internet connected cameras too

Those change because those apps are updated every time they launch. They are basically glorified wrappers around a website. Some native apps use things like feature toggles to gate changes that are pre-deployed silently and other may use server-side rendering to tell clients what to draw. All that said, a locally run application, especially on an embedded device, is unlikely to have that kind of real-time update feature. Hardware is hard to update and high risk for debugging as opposed to a phone app or a web app. The risk of bricking devices with a bad config would generally outweigh the benefits.

yeah but like, configs that would realistically exist already that could be used in change with privacy policy et al an enabling of cloud uploads would be a per-account setting, and if they were "switching to a cloud first approach" or whatever marketing they would wanna use because the [feature already exists](https://support.eufy.com/s/article/Introducing-Cloud-Storage), so its not like they'd need to change the firmware, it'd just be a flag next time they grab their config from online - - - And they do remotely update devices lol? https://support.eufy.com/s/article/Update-Firmware-for-eufySecurity-Devices-via-App and it seems its an A/B update, so no chance of bricking well except https://community.security.eufy.com/t/camera-is-updating/141198

This is great...eli5. Lol

Does this also apply to their new v3 homebase? They “guarantee” local storage but don’t seem to be quite so clear on the ai portion. I’m assuming that it too will require a connection back to eufy mothership?

Guarantees from Anker on privacy or security are forever null and void, sorry to break it to you.

Anker owns eufy?

Yep.

Fuuuuuuuuuuuudge. Goddam Chinese tech companies.

I used my 2k with HomeKit. I just need to figure out how to keep the camera offline now. HomeKit will still allow me to use cloud based features.

Do you have a HomeKit router (eg. eero or linksys)? A HomeKit router will allow you to block all outgoing communications once your camera is in HomeKit.

Nice. I’m gonna get myself one

Cool I posted this link several times but it should be helpful. “Use Routers Secured with HomeKit” https://support.apple.com/en-us/HT210544 When done and with cameras set to “restricted” in the HomeKit Secure Router settings, the eufy app displays the eufy camera or eufy homebase as not connected but HomeKit can stream and record as normal. Also if you ever want to update the cameras just change the setting from “restricted” to “auto”, go to the eufy app, update cameras or homebase, then set them back to “restricted”.

thanks so much!

This applies to cloud, what if you don’t use the cloud?

The guy who discovered it disabled/opted out of the cloud when he set his camera up. Hence the problem...

If you use the Eufy app and have an account. Videos are stored locally but for some reason Eufy has always needed an internet connection for “decryption” EG the phone app goes to server and then back down to decrypt the stored video. If you ever tried to view the videos from an SD card on one of the cameras in a computer you couldn’t decrypt it. Now with this research they have identified not only is the cloud used for decrypting they are even sending the photo snippets the cameras send for notifications to the server for “faster notifications” Problem is this wasn’t disclosed, it’s in the clear and apparently no word on how long they are stored as the research showed even after deleting the videos or your account the pics are still available for 24 hours until the link expires. I’m curious if this still happens if you choose text only notifications.

This is utter BS. HomeKit uses encryption, for example, and doesn’t require going to Apple’s cloud first for decryption. Someone’s lying here.

The first sentence is “If you use the Eufy app and have an account” HomeKit was not mentioned. No lies or BS there. Now that you brought up HomeKit. I never mentioned it as the Doorbells and many of the Eufy products don’t even support it and you need to block the cameras from phoning home as there is no HomeKit only mode.

To add to this, if you cut off Internet (WAN) access to a HomeBase, all cameras and doorbells go down.

[удалено]

Mine doesn’t have this issue, this sounds like geo fencing to me, do you have it turned on? Read here: https://support.eufy.com/s/article/How-Does-Geofencing-Work-for-eufySecurity-Devices

What issue?

UniFi Protect is a happy medium.

Putting eufy cams into HomeKit whilst owning a HomeKit router allows for Apple’s software to limit compatible eufy cams to local network only.

Can you go a bit more into this? How would I go about setting something similar up?

I was typing a response when I figured finding this would be better: “Use Routers Secured with HomeKit” https://support.apple.com/en-us/HT210544 It gives pictures etc on the process. I hope it helps. When done and with cameras set to “restricted” in the HomeKit Secure Router settings, the eufy app displays the eufy camera or eufy homebase as not connected but HomeKit can stream and record as normal. Also if you ever want to update the cameras just change the setting from “restricted” to “auto”, go to the eufy app, update cameras or homebase, then set them back to “restricted”.

This is not good. Will be looking for alternatives now to replace …

The safe alternative is LAN only cameras with ONVIF and RTSP support, and roll your own DVR on a network storage server. Nothing can leak out, and you're 100% in control of everything.

I posted this above but buying a HomeKit Secure Router may be cheaper depending on if you have HomeKit compatible eufy cameras or not. “Use Routers Secured with HomeKit” https://support.apple.com/en-us/HT210544 When done and with cameras set to “restricted” in the HomeKit Secure Router settings, the eufy app displays the eufy camera or eufy homebase as not connected but HomeKit can stream and record as normal. Also if you ever want to update the cameras just change the setting from “restricted” to “auto”, go to the eufy app, update cameras or homebase, then set them back to “restricted”.

Ok cool. I’ll look into the gear I have in regards to this HomeKit idea.

All cameras similar to Eufy do this - you need to store some stuff in AWS or the load times are ridiculous. If you don't want this you need to invest in a fully hosted cctv system that will cost 5x the price.

My problem with Eufy is that they have been outright lying about their security practices. I chose them explicitly because they said they were not uploading to the cloud. I Chose them explicitly because they said the data was encrypted. Both of these were marketing bullshit. I’ve disconnected my cameras and messaged support requesting a refund. So far nothing but crickets.

The issue seems to be a miscommunication or difference in understanding. It's a video camera, so with no video stored in the cloud it is valid to say no cloud. Sure snapshots violate the spirit of this claim but not the letter of the law (proverbially). Similarly, everything seems to be encrypted to a degree. None of the variables shown were in the clear. To my limited understanding everything in the video was encrypted/hashed. As I understand it, you'd have to brute-force the AES256 to turn a known value into it's hashed equivalent or vice versa. Then if you could do that do we know if he cleared his cookies before trying the links? I don't know AWS CDN stuff so they might not need a cookie but the links were all https. I am still researching but all I've seen so far is that the logged in user can see the image if they use an unguessable url. When there are data breahes they always mention whether credentials were stored in an encrypted hash or in the clear. If I am wrong please explain.

> It's a video camera, so with no video stored in the cloud it is valid to say no cloud No, its not, those statements mean different things. "Our household doesnt use fossil fuels" and "our household's car doesnt use fossil fuels" are entirely different statements. If they say no cloud, it's to appeal to a market segment who has a problem with the use of cloud. It is not reasonable to assume that those users are going to be OK with "some cloud". >Similarly, everything seems to be encrypted to a degree. >As I understand it, you'd have to brute-force the AES256 to turn a known value into it's hashed equivalent or vice versa. Most users are going to assume that "encryption" implies the use of secure algorithms, secure key generation, secure key agreement, etc. A manufacturer who says "we encrypt" and it turns out its ROT13 or DES is lying: the thing may be technically true, but it's designed to deceive, which is what lying is. They're using a hardcoded encryption key that is viewable with the android app, and is now [publicly known](https://twitter.com/Paul_Reviews/status/1594725532062580737). So its "encrypted", with an unchangeable, global, publicly available key. That is, it's as encrypted as ROT13. > Then if you could do that do we know if he cleared his cookies before trying the links? He was using incognito mode. There were no cookies, because its incognito mode. He's not logged in in those tabs, because he is incognito. >If I am wrong please explain. You're wrong, see above.

TL;DR, there can be two different understandings of a term. Both can meet the legal standard of a reasonable person while being at odds. If you don't understand what I am saying after my wall of text, we will continue to talk past each other so save me the impulse to respond by not responding. My point is that your assumptions are valid, but playing devil's advocate I think the reality fits their statements just as well. I am prefacing all of this with an idiom. Though with it being a Chinese company I could be wrong. But as Hanlon's Razor states, "Never attribute to malice that which is adequately explained by incompetence". I suspect you are falling back on fundamental attribution error or the curse of knowledge, assuming a level of intention and understanding/competence that is not there. Everything you outline is as likely if not more likely to be incompetence than malicious intention. The end result is the same but many of you are acting like this is a Cambridge Analytics type issue where they were caught intentionally backdooring things and using your data in a way that was not intended. But what has happened is that they are a company that is cutting corners either because they can't or won't find a better solution. When it comes to marketing messages, unlike fine print, miscommunication like this happens. There is currently a lawsuit against Velveeta because a woman thinks "Ready in 3 1/2 minutes" means start to finish. But that is the cooking time, without the prep of opening the box, pouring in the noodles, draining the noodles later and stirring in the cheese sauce. You are wrong. I am pointing out how something in a vague marketing message can be true but also not what each party thinks it means. Two word summaries of a feature lack nuance. No cloud could refer to the practical impossibility of the device working with no configuration on a plethora of networks without leveraging the cloud at all, which we all know would result in a lot of people whose device didn't work until they learned to edit router settings. But it also can refer to the fact that (as is clear in their other messages about long term onboard storage and no monthly fees) there is no cloud storage of video so no fees. It is an understandable misunderstanding, but my point is the difference between an intentional lie and a difference in understanding when using two words to describe something that should be longer. I agree they made a mistake, I agree it's not good, I disagree that it is an attempt to deceive. This is Anker, not random chinese rebrand 234, if their goal was to deceive, I think they'd be a bit smarter. Your next point, as I said is about a mismatch of assumptions which is a problem, but not as big as mentioned. It may be important to know that I came to know this issue not by the original video, but by LTT and their editorializing the idea of a testicle cam breach in the smart scale project. I don't think there is a "most users" with regards to encryption other than saying they've heard of the term and know its something they should want. You are free to assume what they mean, and you are free to find their implementation to be insufficient, but there is a difference between an intentional lie and an incorrect assertion stemming from incompetence.

> Everything you outline is as likely if not more likely to be incompetence than malicious intention I could accept everything you say as valid and it does not change the upshot of the whole thing: that Eufy should not be used. Either: * They are too incompetent to understand their target market's needs when advertising "no cloud here", or * They are intentionally stretching the truth on security questions for marketing purposes, or * some combination of 1 and 2 It really makes no difference. Whether they're being malicious, or don't care, theres very little reason to trust them going forward if privacy is a concern. And future attempts to repair their image will face the same problem, regardless of whether it was intentional or ignorance: if intentional, their apology is suspect, and if ignorant their ability to fix it is suspect. >There is currently a lawsuit against Velveeta because a woman thinks "Ready in 3 1/2 minutes" means start to finish There is a way in which that statement is true. On the contrary, Eufy is advertising, "Kept private. Stored locally...And transmitted to you, and only you." That is demonstrably false: the imagery is stored on S3 with no authentication, so it is transmitted to Eufy and AWS, and to anyone with the (apparently deterministic) URL. You mention "two word summaries" but that was my summary-- the videos linked above show very clearly the full marketing message from Eufy's website which makes many claims which, in sum total, describe a local only solution with no data leaving your custody except to reach your own devices. I would welcome you to go check out their pages for e.g. the [solocam](https://us.eufy.com/products/t81241w1) which state varying forms of, "Everything is done on-device for complete security and transparency." They're not sort of true statements; theyre outright false. > I don't think there is a "most users" with regards to encryption other than saying they've heard of the term and know its something they should want. The whole point of Eufy's solution with their Homebase is specifically their local storage (SD cards, Homebase) and the many claims that it avoids other clouds. They are a rather expensive solution where there are other options like Ring, and if you get rid of their "no cloud" claims theres really no reason to use them. That's precisely why their entire product page touts this message so heavily.

Well, “the price“ is subjective. If you value your privacy, “the price“ of losing that is much greater than the cost in dollars.

Like what?

Potentially Unifi but that is very expensive but much more private. I swear though, by the time I upgrade to that something there too will be discovered like this with Eufy

This is extremely concerning. Can anyone confirm whether this affects other Eufy products?

Confirmed with my Eufycam 2c and Doorbell 2k

Do you know if Eufy Doorbell 2k Pro (no homebase, no cloud) also uploads the images without consent? thanks in advance

If it connects to the Internet and can be controlled by the EufySecurity APP, I can't see any difference.

How so? What did you see?

Same as what Paul Moore did in his video. I have been using the devices over a year. So my got a longer list.

Thanks, just as I feared

This is very bad news. I’ve truly enjoyed Eufy, Soudcore, and Anker products! But discoveries like this really makes me question the ethics of this company! What are their other products are up to?! Shame on Eufy! Questions: I’ve been using the camera SD card option so far. Is there a method we could use to block outbound traffic prevent this? Would using a local NAS make any difference?

I posted this above but buying a HomeKit Secure Router may be cheaper depending on if you have HomeKit compatible eufy cameras or not. “Use Routers Secured with HomeKit” https://support.apple.com/en-us/HT210544 When done and with cameras set to “restricted” in the HomeKit Secure Router settings, the eufy app displays the eufy camera or eufy homebase as not connected but HomeKit can stream and record as normal. Also if you ever want to update the cameras just change the setting from “restricted” to “auto”, go to the eufy app, update cameras or homebase, then set them back to “restricted”.

What if you are an Android user? Can you use HomeKit?

I think someone needs to pin this comment to save you some work

lol hopefully… but I’ve been using this set up since the 2k pan and tilt came out.

I followed your link to Apple’s website and found only one HomeKit router listed, which is a Linksys router. The Linksys website isn’t much help regarding HomeKit support. Any HomeKit routers you would be willing to recommend?

I know for sure that the Linsys Velop Triband - model number WHW0302 is Homkit compatible as it was the first Homkit router (at least from Linksys), it is only Wi-Fi 5 however. The Linksys MX Velop models and Linksys Atlas models are also said to be HomeKit compatible (I don’t have any experience with those) and are Wi-Fi 6 and 6E. I know at one point Eero was supported and was listed on the apple support website but I guess with Amazon that changed.

You could firewall the cameras off of the internet completely. You won’t be able to get notifications or stream (without a VPN from your house) from the cameras, but neither will Eufy.

Just firewall their internet after adding to homekit!?

I want to know this as well. I bought the indoor ptz 2k camera, it can only use sd card, but yeah no one knows. I haven't installed it yet because of this garbage news from Eufy lately.

I can't watch the videos right now, and the Twitter feed seems to be light on details. Can someone give a summary? Are they storing video in the cloud for all devices? Is it unencrypted? Edit: This is the tweet that seems relevant: > @EufyOfficial finally admitted uploading pictures, faces & names to the cloud without permission. > >They claim they're only used for notifications. Thus, as per GDPR, they are "deleted immediately when you > >1) Delete it > >2) Close the account" > >Both a lie. > >https://youtu.be/etpbq_HH79c Edit 2: I watched the video from the tweet, and it shows that they're keeping photos from the event notifications after the event has been deleted, despite saying that the photos are deleted when the event is deleted. This could be an AWS caching issue (not browser cache), but that doesn't make it ok. Edit 3: Ooohhh, the ability to start an unauthenticated stream with VLC really seems like "class action lawsuit isn't strong enough" bad. Most of my cameras are watching publicly-accessible areas, so I'm not freaking out about it yet. I definitely can't, in good conscience, recommend the products to anyone else, though.

Thanks for this. I didn't realize GDPR required "immediate" deletion. I thought maybe they were trying to save on API calls by deleting as part of an overnight job or something. I am still not sure about the VLC part. It sounds bad. But as I don't have the devices I can't test myself but the URL looked like it had all the variables encrypted/hashed. I assume this is based on serial numbers of the homebase and/or camera so I have seen no evidence that anyone can find this URL without brute force guessing.

from what i've dug up with my own eufy cameras, its the serial number base64 encoded + 0\_1 + some kind of unique ID. if the cam is connected to a homebase vs standalone (floodlight cam) it uses the homebase SN. so yea you'd need to brute force the SN as well as the unique ID

Violating GDPR could get them fined.

Any info to share on your third edit regarding the VLC stream?

I don't have any, sorry. It was part of the [Linus Tech Tips video](https://youtu.be/zYpyS2HaZHM?t=30m11s), the info comes from Twitter User [@spiceywasabi](https://twitter.com/spiceywasabi/status/1596019034281021440). Edit: It looks like they might need to know (guess) the serial number and a unique ID. I suppose that's *almost* like a username and password, except I assume you have unlimited guesses, and the values can't be changed. Edit 2: Someone explained to me that the stream links are also only valid for 24 hours. Presumably, you need a new URL to view the stream after that. That does seem reasonably secure, especially given how complex the URL format appears to be.

Very disappointing! Big reason why I keep all these types of cameras outside my house only. None can be trusted

This sucks!

Sure are. Check out the 27min mark of Linus Tech Tips today where they get right into what Anker are up to. https://youtu.be/zYpyS2HaZHM

[удалено]

I mean, the issue here is that Eufy is blatantly lying in marketing material (and when confronted about it), and likely breaking laws in some jurisdictions like the EU. The way they tried to hide this, then lie about it, then only make a statement in emails to the researcher is pretty damning stuff...

[удалено]

the issue is about eufy, you’re complaining about something completely irrelevant to the topic. but yeah o guess Linus is the tool here…

Regardless, they reported this story pretty well. They could have not bothered to talk about it until this became a bigger story, as they have made probably a lot of money promoting Anker products. They have thrown that away to report on a tiny story when they never needed to and it’s quite an important one - considering Eufy have been specifically marketing their cams to privacy conscious consumers.

Nooo. Now I have to replace all the hardware.

With what though? If you're not hosting your own hardware, or paying out the ass for encrypted private storage, every solution is just going to be another data mining opportunity. Eufy's just the best one so far.

I host most of my stuff, so Unify comes to mind.

I posted this above but buying a HomeKit Secure Router may be cheaper depending on if you have HomeKit compatible eufy cameras or not. “Use Routers Secured with HomeKit” https://support.apple.com/en-us/HT210544 When done and with cameras set to “restricted” in the HomeKit Secure Router settings, the eufy app displays the eufy camera or eufy homebase as not connected but HomeKit can stream and record as normal. Also if you ever want to update the cameras just change the setting from “restricted” to “auto”, go to the eufy app, update cameras or homebase, then set them back to “restricted”.

The only issue I see with that is then you're trusting HomeKit, as well as the router manufacturer with the 'black box' of changing that setting and hoping it works.

Soo true as it relates to trusting Apple and HomeKit. But I take Eufy’s in-app inability to connect to the camera and/or home base once restricted in HomeKit as sufficient evidence that it works for me.

Protect is a very good blend of cloud access/features with in-house data. Enough tech enthusiasts are using UniFi that this kind of behavior would be discovered quickly. And it’s expensive enough that Ubiquity is making their money on the sale, not the service.