Anker’s Eufy lied to The Verge about the security of its security cameras


Eufy’s commitment to privacy is remarkable: it promises your data will be stored locally, that it “never leaves the safety of your home,” that its footage only gets transmitted with “end-to-end” military-grade encryption, and that it will only send that footage “straight to your phone.”

So you can imagine The Verge’s surprise to learn you can stream video from a Eufy camera, from the other side of the country, with no encryption at all.

Worse, it’s not yet clear how widespread this might be — because instead of addressing it head-on, the company falsely claimed to The Verge that it wasn’t even possible.

There is some good news: there’s no proof yet that this has been exploited in the wild, and the way they initially obtained the address required logging in with a username and password before Eufy’s website will cough up the encryption-free stream. But it also gets worse: Eufy’s best practices appear to be so shoddy that bad actors might be able to figure out the address of a camera’s feed — because that address largely consists of your camera’s serial number encoded in Base64, something you can easily reverse with a simple online calculator.

What is quite clear, though, is that some best practices for security have not been adhered to. An update at the end of the article does state that it appears some changes have been made by Eufy. It is probably best, though, to consider any camera as hackable anyway (my non-Eufy ones are all outside), and to ensure you always have the latest updates installed.
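To illustrate the Base64 point from a design perspective, here is an added example (not code from the article, The Verge, or Eufy) that contrasts an identifier derived from a serial number with a random, expiring token bound to a logged-in account. The serial value, function names and class are constructed for illustration and do not reflect Eufy's actual address format; transport encryption (TLS) is a separate requirement not shown here.

```python
import base64
import hashlib
import hmac
import secrets


def weak_stream_id(serial: str) -> str:
    """Pattern described above: the identifier is just Base64 of the serial."""
    return base64.b64encode(serial.encode()).decode()


def recover_serial(stream_id: str) -> str:
    """Base64 uses no key, so the identifier gives the serial straight back."""
    return base64.b64decode(stream_id).decode()


class StreamTokens:
    """Hardened form: random, short-lived tokens checked server-side."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._by_digest = {}  # sha256(token) -> (serial, account, expiry)

    def issue(self, serial: str, account: str, now: int) -> str:
        # 32 bytes from the OS CSPRNG; carries no information about the serial.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_digest[digest] = (serial, account, now + self.ttl)
        return token

    def authorize(self, token: str, account: str, now: int):
        """Return the serial only for an unexpired token owned by this account."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._by_digest.get(digest)
        if entry is None:
            return None
        serial, owner, expiry = entry
        same_owner = hmac.compare_digest(owner.encode(), account.encode())
        if now >= expiry or not same_owner:
            return None
        return serial


if __name__ == "__main__":
    serial = "T0000CONSTRUCTED01"  # constructed sample, not a real serial
    print(recover_serial(weak_stream_id(serial)))  # encoding is not secrecy
    store = StreamTokens()
    tok = store.issue(serial, "alice", now=1000)
    print(store.authorize(tok, "alice", now=1100))
```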

See https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage

#technology #cameras #Eufy #security #vulnerability