Eufy's claims to keep "privacy in your own hands" have been rendered null, after a researcher caught the security camera company uploading local-only footage to the cloud without user authorization or knowledge. To top it all off, users have also been made aware that you can watch camera streams using VLC without authentication.
Paul Moore, a security researcher, was the first to expose that local data was being stored in the cloud. He pointed out in a video that, even though Eufy Security claims to take "every step imaginable" to keep its users' data private and local, it still uploads not only video thumbnails to cloud servers but also photos of the faces of people detected in the video, and user identifier data.
Eufy Security, a brand owned by the Chinese company Anker Innovations, touts that it keeps captured video data in the HomeBase, which is like a smart home hub on steroids. The HomeBase connects to Eufy devices around your home and stores the data within it, so your videos and pictures stay local and you don't have to pay for cloud services like you would with other companies such as Ring.
It's popular among smart home enthusiasts because of this very feature: your videos and any pertinent data stay safely in your home, only saved in the HomeBase's memory drive and/or an added HDD or SSD.
Moore tested this by walking to his Eufy Video Doorbell Dual, waiting for the notification to appear on his phone, then unplugging the HomeBase.
Moore pointed out that once his HomeBase was offline, two photos remained on the AWS cloud server, along with user identifier information: one of the video thumbnail and the other of his face, captured when the doorbell camera detected a person. The video was no longer available on the mobile app on his phone, of course, since the HomeBase was unreachable.
There is an option to enable cloud storage in the Eufy Security app, but Moore discovered the data was uploaded to cloud servers even when the cloud storage was disabled.
Eufy responded by admitting to the issue and pointing out that the images are only used for notifications and immediately deleted from the server when the user deletes the events. However, once Moore deleted the events from his Eufy Security app, the images were still left on the server.
To top it all off, other users exposed that anyone could potentially access a Eufy camera without authentication or encryption by using VLC remotely.
Since these allegations came out, The Verge said it tried this successfully, "proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud".
ZDNET reached out to Anker, Eufy's parent company, for comment but we've yet to hear back.
According to an email from Eufy Security to Moore, the HomeBase 3 is exempt from using the AWS cloud server to upload event screenshots due to a "high-performance database" made on the device.
Unplugging your HomeBase is like disconnecting a USB flash drive from your computer: whatever is on the flash drive is no longer available on the computer when it's removed.
Eufy should have a heartbeat check so that, once the HomeBase is offline, any screenshots taken are deleted from that profile. At the very least, a disclaimer should appear when you enable snapshots on your notifications to say that these images would be stored in a cloud server if enabled.
The biggest problem with this situation isn't that users' data is stored in cloud servers; it's that this is being done not only without consumers' consent, but while Eufy publicly claims to do the opposite.
As far as someone else accessing the Eufy camera streams remotely? All I can say is that I'm keeping my Eufy cameras outside my home for the time being.