Eufy Cameras Caught Sending Local-Only Data to Cloud Servers

The camera manufacturer apparently did it without user knowledge, even when cloud storage was disabled.

David Anders Senior Writer

In light of privacy infringements and security flaws from home security camera companies such as Wyze, Ring and Google in recent years, we've recommended treating your camera as though it has already been compromised. Most recently, China-based electronics manufacturer Anker and its popular security and doorbell camera brand Eufy have reinforced that point.

According to a 9to5Google report published Tuesday, some Eufy cameras, including the Eufy Doorbell Dual and the EufyCam 3, send data to Eufy's cloud servers, despite the manufacturer's promise of "local storage for your eyes only" -- even when cloud storage is disabled. Furthermore, the report claims, the data isn't immediately removed from Eufy's servers after the footage is deleted from the Eufy app. 

"Some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server," a Eufy spokesperson told CNET, adding that, "it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud."  

Security researcher Paul Moore first exposed the vulnerability and offers "irrefutable proof" of his claims in a brief video.

In the video, Moore shows that thumbnail images of videos are indeed sent to the cloud along with facial recognition and user identifier information. 

"So unfortunately this 'entirely local, it's private to you and only you' is utter nonsense," Moore comments. Not only that, but the same data was apparently accessible from a separate Eufy account, homebase and device.

If that wasn't bad enough, Moore claims in another tweet that it's possible to view unencrypted live streams using the open-source media player VLC without the need for authentication.

In response to the cloud storage claims, a Eufy spokesperson told CNET the company is "revising the push notifications option language in the Eufy Security app" and "will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials."

That would explain and rectify, in part, why thumbnail images and identifying user data would be sent to the cloud. However, questions remain, including about Moore's claims of potential security vulnerabilities. We've reached out to Eufy to follow up on those claims, and will update this post if we receive a response.