Eufy cameras under criticism
Eufy cameras under criticism
Surveillance cameras are used in public spaces, in many companies, but also in private households. Those who purchase this type of technology primarily expect greater security. Hardly anyone would think that the surveillance cameras themselves could be a security risk. The manufacturer Eufy has been confronted with this accusation since the end of 2022.
Live streams freely accessible on the Internet
Surveillance cameras from Anker subsidiary Eufy have been the subject of criticism since the end of 2022. A British security expert put the technology through its paces and discovered some explosive details. According to the report, the live streams from the cameras could simply be called up via a web browser without requiring authentication in advance. This means that after entering the corresponding URL in the browser search field, every Internet user worldwide could track the recorded video material in real time. Example: A user from Chicago could theoretically ‒ assuming the technical know-how to find out the URL ‒ see in real time when a bank customer enters and leaves his branch in Zurich.
Image transfer to the cloud ‒ even with the function deactivated
In addition to the live streams, which were freely accessible to everyone, Eufy cameras attracted negative attention with another security-relevant function. The cameras transmitted data to the company's own cloud, even if a user had deactivated this function in advance. This data included preview images of people ringing the doorbell, for example, and images of people recognized by the artificial intelligence.
The British security expert had checked the functionality of the Eufy cameras with a self-test. He switched off the storage medium, in this case the Eufy HomeBase. This meant that the camera was not authorized to upload images to the cloud on its own. He then took a photo with the Eufy camera and was able to access the recorded material even hours later, although there was no registration for the use of the cloud service and the photo had long been deleted from the app.
Eufy only sees communication problems
Anker subsidiary Eufy initially reacted to the accusations with a tight-lipped response. Instead of an apology, they referred to the communications and marketing departments, which had insufficiently described the functions of the monitoring technology. As a result, passages in the privacy regulations and various promises regarding data protection were simply deleted. Communication with the cloud is no longer categorically excluded if the function is deactivated.
Eufy describes the mandatory nature of this function as follows: If a visitor rings the front doorbell, the owner of the security technology is informed via the smartphone by means of a preview image (thumbnail). This thumbnail is sent to the cloud and from there arrives on the recipient's cell phone.
Live stream only after registration
With regard to the live streams that are freely accessible to everyone, the company has reacted and made a change. According to the information, only people who have previously registered via the Eufy web portal can now watch the live video broadcast. This also applies to shared links, which no longer show a live stream without registration.
Website completely revised
At the beginning of December, the parent company Anker began with an extensive revision of the website. Numerous privacy passages have been removed. Promises such as "No one else can access or read this data" also disappeared from the homepage. The FAQ section was also affected by the deletion orgy.
What could arouse massive distrust among users is the fact that a crucial statement has been deleted without replacement. This states that Eufy may only pass on videos and images to law enforcement authorities with the express consent of the users. Will any police authority now be allowed to view the recordings on request without a court order? ‒ The company did not comment on this.