/>
X
Tech
Why you can trust ZDNET : ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission. Our process

'ZDNET Recommends': What exactly does it mean?

ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.

When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.

ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.

Close

Anker admits Eufy security cameras were not natively encrypted

It's been a few months since customers learned Eufy had been uploading data to cloud servers without user permission, and now the company is changing its stance.
Written by Maria Diaz, Staff Writer
Eufy camera with speak no evil emoji
DALL-E/Maria Diaz/ZDNET

Eufy Security has remained mostly silent since security flaws were uncovered in its system, which made a lot of users understandably unhappy and many began wondering if they could even trust Eufy security cameras. But now, that's changed.

This week Anker Electronics has finally acknowledged that, yes, Eufy Security cameras did produce video streams for the web portal, with no encryption, according to The Verge. Anker is Eufy's parent company. 

Also: The best security cameras

In the fall of 2022, the smart home devices manufacturer was caught uploading user data to cloud servers without consent

On top of that, customers claimed that someone could use a link from Eufy's web portal to view the camera's livestream using a media player, in this case VLC. 

Anker says that is no longer the case.

"Today, all videos (live and recorded) shared between the user's device to the Eufy Security Web portal or the Eufy Security App utilize end-to-end encryption, which is implemented using AES and RSA algorithms," said Anker's global head of communications, Eric Villines, who responded to The Verge's inquiries after weeks of the company remaining silent regarding these issues.

As far as what gets uploaded to the cloud, Eufy has made clear disclaimers on the mobile app explaining that some data must be uploaded to cloud servers when users turn on features like video previews for push notifications.

From my point of view, the problem is not uploading screenshots to the cloud, as most smart security cameras do the same. The problem is that Eufy was aware that this was happening and still led customers to believe the opposite. 

Review: EufyCam 3 and HomeBase 3: Why I'm not getting rid of these cameras yet

For as long as it's been selling security cameras and the HomeBase, Eufy had also been claiming that all your data is kept completely local. There's no need to worry, everything will be safe and sound right in your HomeBase's built-in storage drive, or any HDD or SSD you choose to add to it if you have the latest version.

In its emails to The Verge, Anker apologized to customers for the lack of response and is voicing a commitment to doing a better job in the future. One of the ways it's doing so is by working with an independent company to perform security and penetration testing in an effort to audit Eufy's system and practices. 

EufyCam 3 and HomeBase 3 on a shelf

The pictured EufyCam 3 and HomeBase 3 already use WebRTC.

Maria Diaz/ZDNET

The goal is to "conduct a comprehensive security risk assessment of our products and eliminate potential risks," Villines explained.

The company is also committing to ensuring that all video stream requests from Eufy's web portal will be end-to-end encrypted and is updating all Eufy cameras to use WebRTC, which the HomeBase 3 and EufyCam 3/3C already use. According to Anker, only about 0.1% of current daily users use the web portal.

The firmware updates to the remaining Eufy cameras began rolling out last week. 

Also: Eufy Edge Security System hands-on: The most advanced security cameras yet?

Users of the Eufy Security mobile app can rest assured that their footage and camera feeds were already end-to-end encrypted, and this was done locally either on the camera or HomeBase, according to Anker. 

The Eufy Security web portal, which requires users to log in before accessing, was not originally designed with end-to-end encryption, which Villines admits it should have been from the beginning. It is the only video streaming process that did not use encryption.

Going forward, the company has put in place new protocols and procedures for features that may be developed in the future, ensuring that all data going from users' devices to the Eufy Security mobile app or web portal must use end-to-end encryption.

"There are several normal processes that require the use of the cloud such as account setup, push notifications, initial device setup, device OTA, etc.," Villines said. 

Screenshot of Eufy's "Proof of Privacy" on its website

Screenshot of Eufy's "Proof of Privacy" on its website at the time of the incident that has since been edited.

Screenshot by Maria Diaz/Eufy Security

Eufy also denies that it ever sent facial recognition data to the cloud, but it does mention an update was done for the Video Doorbell Dual, which was the only one that used AWS cloud servers to send an initial facial recognition image to other cameras, but now uses LAN/P2P process to do so. ZDNET still hasn't heard back from Anker about any of these issues. 

The company is also planning on launching a microsite with information on which of its key processes are done locally and which require the use of the cloud, and is promising to provide "more timely updates in our community (and to the media!) to keep consumers better informed on any updates to these strategies," with one of those updates coming in early February.

So, can you trust Eufy security cameras?

Every so often, we hear about cybersecurity flaws and data leaks from companies that have gained user trust -- this isn't new. Each time it happens it seems people with opinions sort into three general groups: one that thinks it's all overblown, one that can't believe people aren't more outraged, and one that remains neutral. 

Generally, I try to stay in the neutral field. I try to take the bad with the good, and to recognize how hard it is to build a completely impermeable system and then throw it into a hurricane and hope for the best. Throughout the past few weeks, however, I've shifted between all three positions.

Having a number of Eufy devices all over my home, I think the company has a long way to go to regain consumer trust, and though these new processes seem promising, it'll take time for that to happen.

Regarding an apology, Villines said, "An apology should come with more details on what happened and the corrective steps we've done to make sure this doesn't happen again," and I think that's one thing we can all agree on.

Editorial standards