Editing Eufy (section)

==Incidents==

===Leaking data to the cloud without user consent===
In 2022, security researcher Paul Moore found out that images and videos were uploaded to Eufy's servers for their notification service without informing the user.<ref>{{Cite web |author=Moore |first=Paul |date=23 Nov 2022 |title=Eufy leaking your "private" images/faces & names... to the cloud |url=https://www.youtube.com/watch?v=qOjiCbxP5Lc |via=YouTube}}</ref> This was the case when the HomeBase was offline, which is the local device where the video footage is usually stored. According to Eufy, the HomeBase 3 is does not have to use the AWS cloud server as the "high-performance database" on the device should be sufficient.<ref>{{Cite web |author=Diaz |first=Maria |date=1 Dec 2022 |title=Eufy's security cameras send data to the cloud without consent, and that's not the worst part |url=https://www.zdnet.com/article/eufys-security-cameras-send-data-to-the-cloud-without-consent-and-thats-not-the-worst-part/ |website=ZDNET |ref=Diaz-article-1}}</ref> But the notification feature wants to store a video thumbnails and pictures of faces if those are in the recordings, for which it used the cloud without giving the user the option to disable this behavior. Moore found that the images remained on Eufy's AWS servers, which Eufy claimed to be deleted automatically. This led to several sponsored entities, such as YouTube channel ''Linus Tech Tips'', dropping Anker as a sponsor.<ref>{{Cite web |author=Linus Tech Tips |date=29 Nov 2022 |title=Why we're dropping this sponsor |url=https://www.youtube.com/watch?v=2ssMQtKAMyA |via=YouTube}}</ref>

In response to the incident, Eufy pushed an update to the Eufy Security app disclose this behavior of this feature, under an opt-in toggle to use this feature. Eufy patched the notifications service to only include text by default, and inform with disclaimers that cloud services are temporarily for the thumbnail feature. <ref>{{Cite web |author=Diaz |first=Maria |date=5 Dec 2022 |title=Eufy responds to camera security concerns |url=https://www.zdnet.com/home-and-office/smart-home/eufy-responds-to-security-concerns/ |website=ZDNET |ref=Diaz-article-2}}</ref>

Shortly after this incident, it was discovered that the security of the video URLs used for streaming the video footage were lacking, were unencrypted video feeds if you were able to brute force the URLs.<ref>{{Cite web |author=Purdy |first=Kevin |date=2 Feb 2023 |title=Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul |url=https://arstechnica.com/gadgets/2023/02/ankers-eufy-admits-problems-with-unencrypted-video-access-pledges-overhaul/ |website=Ars Technica}}</ref> The encryption scheme on the URLs also seemed to lack sophistication. Moore discovered that it only had 65,536 possible combinations to brute-force (a four-digit hexadecimal value), "which a computer can run through pretty quick."

In response, Eufy increased the amount of combinations needed and increased the security such that guessing the URL was not enough for playback.<ref>{{Cite web |author=Hollister |first=Sean |date=19 Dec 2022 |title=Read what Anker’s customer support is telling worried Eufy camera owners |url=https://www.theverge.com/2022/12/19/23517250/anker-eufy-security-camera-answer |website=The Verge}}</ref>