Guys and gals, if you have any Eufy cams, indoors or out, please check your accounts and/or shut the cameras down for the time being. There are numerous reports of a security breach where other users are gaining control over others' cameras and can see them as well as talk and control them.
Please shut it down. @AnkerOfficial please get the word out to whoever is in charge to shut the systems down.
Thanks for the heads-up, I investigated Eufy’s security and decided to not procure…
They have a server based architecture meaning if anyone controls their server they have access to all cameras which use those servers.
Also note that the maximum revenue gain for the naughty people is from stealth, accessing compromising photos / videos and waiting til ransom to not release them, so a breach may just be the revealing of historical access.
You’d also think there would be money to be made to sell remote deletion / disable for physical thieves to preempt a local event, but that’s less likely to be done by stealth as more people (the physical thieves) know.
And just to emphasise how the naughty people operate, it’s often now a business, it’s not bragging rights so much, so they’d be seeking to extract money from this. Money from Eufy and/or money from individuals to not share photos. E.g. your mistress’s visit when wife away. When a ransom is paid then none know, if not paid then it’s made known about for maximum brand damage so the next one they ransom sees reasons to pay.
A server based architecture is primarily vulnerable to outages, which is the most common critique but it also represents a single point of vulnerability to security.
You can either get an accidental error or malicious. Malicious are the stealthy ones now, they don’t let anyone know until they’ve gathered plenty of information, like downloaded lots of users’ videos, then extort for money (ransom) which if not paid then is made public.
This one was not made public by bad people, it just happened, so it feels like an admin’s error, accidental. Whoever they are (servers seem to be based in Seattle) it’s 6am their time and time to wake up…
It’s 11 months since they had a large unplanned outage.
For Eufy, the data is stored in your camera / base. Metadata is stored on the server, login, credentials, notifications, etc.
This significantly lowers costs.
It also means you can exploit any vulnerability in the network to then reach back to the property and access someone else’s information, the only protection from this is a perfect admin of a perfect system all fully patched, and monitored by a NOC (Network Operations Center) 24x7 who then leap to action in minutes…
Been checking mine on/off since the reports and so far have not received anyone else’s cameras (though whether anyone else has got mine at some point remains to be seen)… both my homebases have dropped offline for a few minutes though several times throughout the day.
Luckily they only cover the front / back gardens, so if someone has got mine today they will likely only see the grass getting a nice watering from the rain showers we are having.
Will be powering them down though until some official response is given…
The issue was due to a bug in one of our servers. This was quickly resolved by our engineering team and our customer service team will continue to assist those affected. We recommend all users to:
1. Please unplug and then reconnect the home base.
2. Log out of the eufy security app and log in again.
Contact firstname.lastname@example.org for enquiries.