Eufy: Difference between revisions - Consumer_Action

(2 intermediate revisions by 2 users not shown)

Line 10:

'''Eufy''' is a sub-brand of [https://en.m.wikipedia.org/wiki/Anker_Innovations Anker Innovations], and is a manufacturer of smart home technologies.<ref>{{Cite web |title=About Us |url=https://www.eufy.com/about |website=eufy US}}</ref> They are known for their security cameras, with their local storage security cameras marketed as keeping "your data is yours alone and eliminating monthly fees."<ref>{{Cite web |title=Local Storage Security Cameras |url=https://www.eufy.com/eu-en/collections/local-storage-security-camera |website=eufy US}}</ref> Eufy additionally provides a cloud backup system, which uses [[Amazon]] Web Services (AWS).<ref>{{Cite web |title=Privacy Commitment |url=https://support.eufy.com/s/article/Privacy-Commitment-1617358267456 |access-date=8 Feb 2025 |website=eufy US}}</ref>

==Consumer impact summary==

{{Placeholder box|Overview of concerns that arise from the company's conduct regarding (if applicable):

* User Freedom

* User Privacy

* Business Model

* Market Control}}

==Incidents==

===Leaking data to the cloud without user consent===

In 2022, security researcher Paul Moore found out that images and videos were uploaded to Eufy's servers for their notification service without informing the user.<ref>{{Cite web |author=Paul ~~Moore~~ |date=23 Nov 2022 |title=Eufy leaking your "private" images/faces & names... to the cloud |url=https://www.youtube.com/watch?v=qOjiCbxP5Lc |via=YouTube}}</ref> This was the case when the HomeBase was offline, which is the local device where the video footage is usually stored. According to Eufy, the HomeBase 3 is does not have to use the AWS cloud server as the "high-performance database" on the device should be sufficient.<ref>{{Cite web |author=Maria ~~Diaz~~ |date=1 Dec 2022 |title=Eufy's security cameras send data to the cloud without consent, and that's not the worst part |url=https://www.zdnet.com/article/eufys-security-cameras-send-data-to-the-cloud-without-consent-and-thats-not-the-worst-part/ |website=ZDNET}}</ref> But the notification feature wants to store a video thumbnails and pictures of faces if those are in the recordings, for which it used the cloud without giving the user the option to disable this behavior. Moore found that the images remained on Eufy's AWS servers, which Eufy claimed to be deleted automatically. This led to several sponsored entities, such as YouTube channel ''Linus Tech Tips'', dropping Anker as a sponsor.<ref>{{Cite web |author=Linus Tech Tips |date=29 Nov 2022 |title=Why we're dropping this sponsor |url=https://www.youtube.com/watch?v=2ssMQtKAMyA |via=YouTube}}</ref>

In 2022, security researcher Paul Moore found out that images and videos were uploaded to Eufy's servers for their notification service without informing the user.<ref>{{Cite web |author=Moore |first=Paul |date=23 Nov 2022 |title=Eufy leaking your "private" images/faces & names... to the cloud |url=https://www.youtube.com/watch?v=qOjiCbxP5Lc |via=YouTube}}</ref> This was the case when the HomeBase was offline, which is the local device where the video footage is usually stored. According to Eufy, the HomeBase 3 is does not have to use the AWS cloud server as the "high-performance database" on the device should be sufficient.<ref>{{Cite web |author=Diaz |first=Maria |date=1 Dec 2022 |title=Eufy's security cameras send data to the cloud without consent, and that's not the worst part |url=https://www.zdnet.com/article/eufys-security-cameras-send-data-to-the-cloud-without-consent-and-thats-not-the-worst-part/ |website=ZDNET |ref=Diaz-article-1}}</ref> But the notification feature wants to store a video thumbnails and pictures of faces if those are in the recordings, for which it used the cloud without giving the user the option to disable this behavior. Moore found that the images remained on Eufy's AWS servers, which Eufy claimed to be deleted automatically. This led to several sponsored entities, such as YouTube channel ''Linus Tech Tips'', dropping Anker as a sponsor.<ref>{{Cite web |author=Linus Tech Tips |date=29 Nov 2022 |title=Why we're dropping this sponsor |url=https://www.youtube.com/watch?v=2ssMQtKAMyA |via=YouTube}}</ref>

In response to the incident, Eufy pushed an update to the Eufy Security app disclose this behavior of this feature, under an opt-in toggle to use this feature. Eufy patched the notifications service to only include text by default, and inform with disclaimers that cloud services are temporarily for the thumbnail feature. <ref>{{Cite web |author=Maria ~~Diaz~~ |date=5 Dec 2022 |title=Eufy responds to camera security concerns |url=https://www.zdnet.com/home-and-office/smart-home/eufy-responds-to-security-concerns/ |website=ZDNET}}</ref>

In response to the incident, Eufy pushed an update to the Eufy Security app disclose this behavior of this feature, under an opt-in toggle to use this feature. Eufy patched the notifications service to only include text by default, and inform with disclaimers that cloud services are temporarily for the thumbnail feature. <ref>{{Cite web |author=Diaz |first=Maria |date=5 Dec 2022 |title=Eufy responds to camera security concerns |url=https://www.zdnet.com/home-and-office/smart-home/eufy-responds-to-security-concerns/ |website=ZDNET |ref=Diaz-article-2}}</ref>

Shortly after this incident, it was discovered that the security of the video URLs used for streaming the video footage were lacking, were unencrypted video feeds if you were able to brute force the URLs.<ref>{{Cite web |author=Kevin ~~Purdy~~ |date=2 Feb 2023 |title=Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul |url=https://arstechnica.com/gadgets/2023/02/ankers-eufy-admits-problems-with-unencrypted-video-access-pledges-overhaul/ |website=Ars Technica}}</ref> The encryption scheme on the URLs also seemed to lack sophistication. Moore discovered that it only had 65,536 possible combinations to brute-force (a four-digit hexadecimal value), "which a computer can run through pretty quick."

Shortly after this incident, it was discovered that the security of the video URLs used for streaming the video footage were lacking, were unencrypted video feeds if you were able to brute force the URLs.<ref>{{Cite web |author=Purdy |first=Kevin |date=2 Feb 2023 |title=Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul |url=https://arstechnica.com/gadgets/2023/02/ankers-eufy-admits-problems-with-unencrypted-video-access-pledges-overhaul/ |website=Ars Technica}}</ref> The encryption scheme on the URLs also seemed to lack sophistication. Moore discovered that it only had 65,536 possible combinations to brute-force (a four-digit hexadecimal value), "which a computer can run through pretty quick."

In response, Eufy increased the amount of combinations needed and increased the security such that guessing the URL was not enough for playback.<ref>{{Cite web |author=Sean ~~Hollister~~ |date=19 Dec 2022 |title=Read what Anker’s customer support is telling worried Eufy camera owners |url=https://www.theverge.com/2022/12/19/23517250/anker-eufy-security-camera-answer |website=The Verge}}</ref>

In response, Eufy increased the amount of combinations needed and increased the security such that guessing the URL was not enough for playback.<ref>{{Cite web |author=Hollister |first=Sean |date=19 Dec 2022 |title=Read what Anker’s customer support is telling worried Eufy camera owners |url=https://www.theverge.com/2022/12/19/23517250/anker-eufy-security-camera-answer |website=The Verge}}</ref>

==References==

[[Category:~~Video surveillance companies~~]]

[[Category:Anker]]

@@ Line 10: / Line 10: @@
 '''Eufy''' is a sub-brand of [https://en.m.wikipedia.org/wiki/Anker_Innovations Anker Innovations], and is a manufacturer of smart home technologies.<ref>{{Cite web |title=About Us |url=https://www.eufy.com/about |website=eufy US}}</ref> They are known for their security cameras, with their local storage security cameras marketed as keeping "your data is yours alone and eliminating monthly fees."<ref>{{Cite web |title=Local Storage Security Cameras |url=https://www.eufy.com/eu-en/collections/local-storage-security-camera |website=eufy US}}</ref> Eufy additionally provides a cloud backup system, which uses [[Amazon]] Web Services (AWS).<ref>{{Cite web |title=Privacy Commitment |url=https://support.eufy.com/s/article/Privacy-Commitment-1617358267456 |access-date=8 Feb 2025 |website=eufy US}}</ref>
+==Consumer impact summary==
+{{Placeholder box|Overview of concerns that arise from the company's conduct regarding (if applicable):
+* User Freedom
+* User Privacy
+* Business Model
+* Market Control}}
 ==Incidents==
 ===Leaking data to the cloud without user consent===
-In 2022, security researcher Paul Moore found out that images and videos were uploaded to Eufy's servers for their notification service without informing the user.<ref>{{Cite web |author=Paul Moore |date=23 Nov 2022 |title=Eufy leaking your "private" images/faces & names... to the cloud |url=https://www.youtube.com/watch?v=qOjiCbxP5Lc |via=YouTube}}</ref> This was the case when the HomeBase was offline, which is the local device where the video footage is usually stored. According to Eufy, the HomeBase 3 is does not have to use the AWS cloud server as the "high-performance database" on the device should be sufficient.<ref>{{Cite web |author=Maria Diaz |date=1 Dec 2022 |title=Eufy's security cameras send data to the cloud without consent, and that's not the worst part |url=https://www.zdnet.com/article/eufys-security-cameras-send-data-to-the-cloud-without-consent-and-thats-not-the-worst-part/ |website=ZDNET}}</ref> But the notification feature wants to store a video thumbnails and pictures of faces if those are in the recordings, for which it used the cloud without giving the user the option to disable this behavior. Moore found that the images remained on Eufy's AWS servers, which Eufy claimed to be deleted automatically. This led to several sponsored entities, such as YouTube channel ''Linus Tech Tips'', dropping Anker as a sponsor.<ref>{{Cite web |author=Linus Tech Tips |date=29 Nov 2022 |title=Why we're dropping this sponsor |url=https://www.youtube.com/watch?v=2ssMQtKAMyA |via=YouTube}}</ref>
+In 2022, security researcher Paul Moore found out that images and videos were uploaded to Eufy's servers for their notification service without informing the user.<ref>{{Cite web |author=Moore |first=Paul |date=23 Nov 2022 |title=Eufy leaking your "private" images/faces & names... to the cloud |url=https://www.youtube.com/watch?v=qOjiCbxP5Lc |via=YouTube}}</ref> This was the case when the HomeBase was offline, which is the local device where the video footage is usually stored. According to Eufy, the HomeBase 3 is does not have to use the AWS cloud server as the "high-performance database" on the device should be sufficient.<ref>{{Cite web |author=Diaz |first=Maria |date=1 Dec 2022 |title=Eufy's security cameras send data to the cloud without consent, and that's not the worst part |url=https://www.zdnet.com/article/eufys-security-cameras-send-data-to-the-cloud-without-consent-and-thats-not-the-worst-part/ |website=ZDNET |ref=Diaz-article-1}}</ref> But the notification feature wants to store a video thumbnails and pictures of faces if those are in the recordings, for which it used the cloud without giving the user the option to disable this behavior. Moore found that the images remained on Eufy's AWS servers, which Eufy claimed to be deleted automatically. This led to several sponsored entities, such as YouTube channel ''Linus Tech Tips'', dropping Anker as a sponsor.<ref>{{Cite web |author=Linus Tech Tips |date=29 Nov 2022 |title=Why we're dropping this sponsor |url=https://www.youtube.com/watch?v=2ssMQtKAMyA |via=YouTube}}</ref>
-In response to the incident, Eufy pushed an update to the Eufy Security app disclose this behavior of this feature, under an opt-in toggle to use this feature. Eufy patched the notifications service to only include text by default, and inform with disclaimers that cloud services are temporarily for the thumbnail feature. <ref>{{Cite web |author=Maria Diaz |date=5 Dec 2022 |title=Eufy responds to camera security concerns |url=https://www.zdnet.com/home-and-office/smart-home/eufy-responds-to-security-concerns/ |website=ZDNET}}</ref>
+In response to the incident, Eufy pushed an update to the Eufy Security app disclose this behavior of this feature, under an opt-in toggle to use this feature. Eufy patched the notifications service to only include text by default, and inform with disclaimers that cloud services are temporarily for the thumbnail feature. <ref>{{Cite web |author=Diaz |first=Maria |date=5 Dec 2022 |title=Eufy responds to camera security concerns |url=https://www.zdnet.com/home-and-office/smart-home/eufy-responds-to-security-concerns/ |website=ZDNET |ref=Diaz-article-2}}</ref>
-Shortly after this incident, it was discovered that the security of the video URLs used for streaming the video footage were lacking, were unencrypted video feeds if you were able to brute force the URLs.<ref>{{Cite web |author=Kevin Purdy |date=2 Feb 2023 |title=Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul |url=https://arstechnica.com/gadgets/2023/02/ankers-eufy-admits-problems-with-unencrypted-video-access-pledges-overhaul/ |website=Ars Technica}}</ref> The encryption scheme on the URLs also seemed to lack sophistication. Moore discovered that it only had 65,536 possible combinations to brute-force (a four-digit hexadecimal value), "which a computer can run through pretty quick."
+Shortly after this incident, it was discovered that the security of the video URLs used for streaming the video footage were lacking, were unencrypted video feeds if you were able to brute force the URLs.<ref>{{Cite web |author=Purdy |first=Kevin |date=2 Feb 2023 |title=Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul |url=https://arstechnica.com/gadgets/2023/02/ankers-eufy-admits-problems-with-unencrypted-video-access-pledges-overhaul/ |website=Ars Technica}}</ref> The encryption scheme on the URLs also seemed to lack sophistication. Moore discovered that it only had 65,536 possible combinations to brute-force (a four-digit hexadecimal value), "which a computer can run through pretty quick."
-In response, Eufy increased the amount of combinations needed and increased the security such that guessing the URL was not enough for playback.<ref>{{Cite web |author=Sean Hollister |date=19 Dec 2022 |title=Read what Anker’s customer support is telling worried Eufy camera owners |url=https://www.theverge.com/2022/12/19/23517250/anker-eufy-security-camera-answer |website=The Verge}}</ref>
+In response, Eufy increased the amount of combinations needed and increased the security such that guessing the URL was not enough for playback.<ref>{{Cite web |author=Hollister |first=Sean |date=19 Dec 2022 |title=Read what Anker’s customer support is telling worried Eufy camera owners |url=https://www.theverge.com/2022/12/19/23517250/anker-eufy-security-camera-answer |website=The Verge}}</ref>
 ==References==
 <references />
-[[Category:Video surveillance companies]]
+[[Category:Anker]]