Eufy owners' privacy breached for an hour, app showed wrong cameras

Posted in General Discussion, edited May 2021
In a major security and privacy lapse, for an hour on Monday morning, users of Eufy cameras discovered that cameras owned by other users were viewable in their app instead of their own, and settings could be changed by those granted bogus access as well.




Many connected cameras bought for security offer app-based viewing and playback of video feeds for convenience. On Monday, it appears that there's a problem with the app, in that it shows users feeds from cameras that they don't own.

Initially spotted on Reddit, Eufy cam owners are reporting that attempts to log into the app provide complete access to another camera setup, seemingly in another country. As part of this access, the users are also able to see and change settings on the account and connected hardware, turn lights on and off, and also retrieve details like the camera owner's email address.

Users have expressed concern about the problem, declaring it as a major breach in security and privacy for users. Some posting to Reddit are worried about who may have access to their cameras, and for the safety and privacy of their children.

Some miscreants are taking advantage of this access. They are modifying settings for accounts, and there are reports of some talking to children on the other side of the camera.

It is unclear how many people are affected by the issue, as not all tests by AppleInsider manifested an issue. One UK staffer saw no issue, and one US editor is having the problem.

HomeKit Secure Video is displaying the right camera, while the app is displaying the wrong one. There is some speculation it could be a regional issue, though more data is required to confirm that to be the case.

AppleInsider recommends Eufy camera owners turn their cameras off if they are concerned about their privacy, until Eufy responds to the complaints to their satisfaction.

Update: In a statement to AppleInsider and other venues, Eufy claimed that a "server upgrade" induced the problem for 0.001 percent of its users. The company also said that it identified the problem at around 5:30 AM Eastern Time, and fixed it by 6:30. AppleInsider staffers saw it as late as 6:51 AM Eastern Time before disconnecting cameras, but can confirm that the problem is now fixed.

The company confirmed that the issue was geographically limited to the US, Australia, Mexico, and New Zealand. Users in Europe were not impacted, the company said.

Update 12:58 PM Eastern Time with Eufy response.


Comments

  • Reply 1 of 13
    How is this possible? Eufy is a load of crap!
  • Reply 2 of 13
    Gaby Posts: 190 member
    This just highlights the potential dangers of WiFi connected Cameras and other smart IOT devices. This kind of lapse is far more serious I would argue than to be described as a ‘concern’ and the fact that Eufy haven’t immediately restricted servers to take the network offline until they have at the least some sort of explanation is quite irresponsible I would argue. I have been slowly and cautiously adding more IOT to my home over the years and I know nothing is perfect but I have been limiting myself to only HomeKit exclusive devices, as they are at least encrypted by and large with their own security chips. Although I couldn’t speak to the security regarding the newer option of software based verification, still it is likely to be better than a lot of these other services available. As for cctv I think the safest option is to have them record locally and upload to one’s own private network/server. HomeKit secure has more conveniences, but if you are forced to also upload to the developer’s own network as well then you have issues just such as what is happening now. Quite scary.
  • Reply 3 of 13
    badmonk Posts: 1,285 member
    Agree, between this, malware, ransomware, identity thefts, assorted hacks etc etc, Apple’s stance on these issues seems to be wiser with each passing month.  Agree if no HomeKit, count me out.

    And the people in the government who ask for an iOS backdoor, clean up your own house first—they are doing little to fix these problems and are often the worst victims.
    edited May 2021
  • Reply 4 of 13
    focher Posts: 687 member
    I swapped out a Eufy doorbell for a UniFi G4 just yesterday. Fortunate timing on my part. I got tired of the Eufy app constantly marketing to me for referrals and selling more cameras to me. 
    edited May 2021
  • Reply 5 of 13
    I haven't seen the issue. I don't have HomeKit Secure Video turned on. Possibly related?

    Without it on it's my impression that the video and camera feeds need access to your host device on your network.
  • Reply 6 of 13
    darkvader Posts: 1,146 member
    I have one very simple rule that eliminates this problem:  NO internet connected cameras inside my house.

    I don't have any security cameras inside my house.  The outside cameras don't upload to somebody else's computer, storage is on my hardware.
  • Reply 7 of 13
    boxcatcher Posts: 267 member
    Ya, if you have Eufy definitely turn on the HomeKit setting where it’s only allowed to communicate to your HomeKit Hub (and not the internet).

    I bought some of their low def cams that support HomeKit Secure Video, but realized they still streamed data out to Eufy … super sketch.
  • Reply 8 of 13
    This is what is wrong with current home security systems: They are not controlled by you or your server. They rely on some third party company server. This means that if that third party company server has a security issue then your private data is exposed. The way it should work is that your cameras only talk to your own home hub server. It could be on your property or one you rent at another location. The smart home will never take off in a big way until they work from a real home hub. That includes features like voice recognition and definitely includes home cameras. You don't want some hacker to have access to that data.
    edited May 2021
  • Reply 9 of 13
    docno42 Posts: 3,755 member
    This is what is wrong with current home security systems: 
    Maybe the ones you use, but mine is on a box in my house and the data stays in my house.  They are out there - you just need to care enough to prioritize finding and only buying them. 
  • Reply 10 of 13
    StrangeDays Posts: 12,844 member
    This is what is wrong with current home security systems: They are not controlled by you or your server. They rely on some third party company server. This means that if that third party company server has a security issue then your private data is exposed. The way it should work is that your cameras only talk to your own home hub server. It could be on your property or one you rent at another location. The smart home will never take off in a big way until they work from a real home hub. That includes features like voice recognition and definitely includes home cameras. You don't want some hacker to have access to that data.
    You can do this today. Buy a NAS with a CCTV app, plug-in your own POE cameras, all footage is stored locally on the NAS and you can review it with an app. 

    I’ve been meaning to try this combo:

    https://www.synology.com/en-us/products/DS220+

    https://www.trustedreviews.com/how-to/how-to-use-synology-surveillance-station-3665761
    edited May 2021
  • Reply 11 of 13
    Waiting for the US government and the Internet Outrage machine to turn on Eufy Apple because of this horrendous privacy breach...
  • Reply 12 of 13
    dysamoria Posts: 3,430 member
    Gaby said:
    This just highlights the potential dangers of WiFi connected Cameras and other smart IOT devices. This kind of lapse is far more serious I would argue than to be described as a ‘concern’ and the fact that Eufy haven’t immediately restricted servers to take the network offline until they have at the least some sort of explanation is quite irresponsible I would argue. I have been slowly and cautiously adding more IOT to my home over the years and I know nothing is perfect but I have been limiting myself to only HomeKit exclusive devices, as they are at least encrypted by and large with their own security chips. Although I couldn’t speak to the security regarding the newer option of software based verification, still it is likely to be better than a lot of these other services available. As for cctv I think the safest option is to have them record locally and upload to one’s own private network/server. HomeKit secure has more conveniences, but if you are forced to also upload to the developer’s own network as well then you have issues just such as what is happening now. Quite scary.
    “Nothing’s perfect”, people keep saying... Hell, nothing really works! Sure as hell not consistently or reliably.

    I haven’t bought a single IOT type device and I don’t see any reason to start. I miss the days when general purpose computers weren’t embedded in every damn appliance, products did mostly one thing, did it correctly, all the time.
  • Reply 13 of 13
    darkvader said:
    I have one very simple rule that eliminates this problem:  NO internet connected cameras inside my house.

    I don't have any security cameras inside my house.  The outside cameras don't upload to somebody else's computer, storage is on my hardware.
    A thousand times this.  I can accept the risk of things being on a private network where I can control what goes in or out via firewall rules or vpn, but to have devices that require a “cloud” connection to work? No way.  Someone breaches that cloud infrastructure, you’re now exposed or at risk. By having it only local, it’s physically constrained, meaning that they have to be in range of your house.  There’s always the risk of an attacker getting through the firewall, but that doesn’t have the same yield as a “cloud” service provider.  Someone would almost have to be out to get you for that to happen.