Server glitch allowed Eufy owners to see through other homes’ cameras

Last night, a number of Eufy home security camera owners discovered they were able to access smart camera feeds and saved videos from users they had never met, due to an apparent security glitch. First reported by 9to5Mac, the issue came to light in an extended Reddit thread, in which users from around the world detailed their experiences.

“Basically I could see every camera, their front door and backdoor bells, master bedroom, living room, garage, kitchen, their motion recordings, everything,” one Eufy owner noted. “I was wondering what was going on as it still had my email and name as signed in and noticed that some unknown email, I’m guessing of the Hawaii owner, was in my shared guest account.”

Some reported that signing out of their account and signing back in resolved the behavior; by now, whatever problem caused the behavior appears to have been fixed. Still, many users are left concerned that their own cameras and feeds might have been exposed without their knowledge.

“For a security product to become completely unsecure, it’s pretty worrying,” the user continued.

Eufy did not respond to a request for comment from The Verge, but told Android Police that the problem lasted only an hour and did not affect baby monitor products. On Reddit, users highlighted a message sent to customers attributing the issue to a server error:

Dear user,
The issue was due to a bug in one of our servers. This was quickly resolved by our engineering team and our customer service team will continue to assist those affected. We recommend all users to:
1. Please unplug and then reconnect the home base.
2. Log out of the eufy security app and log in again.
Contact support@eufylife.com for enquiries.

There’s no indication that specific individuals were targeted as part of the bug, but it’s still a troubling behavior for a service that often monitors private homes. Eufy also makes an Echo Dot-style voice assistant called the Genie, although Genie products appear to have been unaffected by the bug.

Update 1:54PM ET: Added Eufy statement to Android Police.

Comments

Or maybe some nasty security practices sometimes get revealed as "bugs"…

Haha this is pretty bad…

pretty bad? This should tank sales.

I doubt that it would have much effect as one of the prime reasons to purchase Eufy security products over their competitors is no need to pay for subscription service. According to other sources, using Eufy cameras via HomeKit Secure Video did not have the same privacy breach.

Hell no. Adding internet-connected cameras around the house is an inherently risky thing to do, and it’s up to the home owner or renter to assess their risk level… why would anyone buy a camera from this company now knowing that users logged into their app/service and could see a complete stranger’s camera?

I’m in the market for a HomeKit-connected outdoor security camera and while Eufy was high on that list for me, it’s completely off that list now.

why would anyone buy a camera from this company now knowing that users logged into their app/service and could see a complete stranger’s camera?

Personally? Because they’re cheap and they work fairly well (at least with their own app, I’ve heard mixed things about HomeKit compatibility).

I wouldn’t put them in my bedroom or living room, but aren’t too worried about exterior cameras.

‘Basically I could see every camera,’ the Chinese government reported

This is absolutely untenable. It should never be possible for something like this to happen.

I’ve got a handful of these cameras and haven’t had any issues, though I don’t subscribe to their monitoring system or cloud storage. They’re also all outside pointing at various locations around my house, so if anyone wants to watch my neighborhood they can feel free to knock themselves out.

Most Eufy cameras now support HomeKit Secure Video. It’s a good idea to only buy a camera which supports such a protocol, turn it on, and disable everything else, even though HSV probably won’t support the full resolution.

I’d love more information. None of the reports I’ve seen mentioned if the accounts were cloud-connected or not. Cloud-connected accounts allow feeds and live footage to be viewed from a web page and I can definitely see that getting messed up. If the cameras were just recording to local microSD or HSV, that would be problematic.
