It's Time To Unplug Your Eufy Cameras [Update: Statement]
Owners of Eufy security cameras have found themselves able to see live and recorded video of other, random users, in a huge privacy breach affecting the Anker company. Owners of the affordable cameras began reporting the issue earlier today, with access to other users' cameras – including pan & tilt control on certain models – elsewhere in the world.
Eufy offers a wide range of models, designed for both indoor and outdoor use, along with video doorbells, baby monitors, and floodlight cameras for exterior security. Some cameras support remote pan & tilt functionality, where the lens can be moved to look around the room from the Eufy app.
However when multiple owners tried to view their cameras earlier today, they realized they weren't in fact seeing their own feeds. Instead, they had access to what appeared to be both live and cloud-based saved clips from random users elsewhere in the world. Others could see the list of alerts that cameras had generated over the past day or so.
Owners on Reddit confirmed the problem, as did at least one camera owner at 9to5Mac. While the exact functionality appears to be different in some cases, some users were able to remotely capture video recordings and save them to their own phones from the randomized feeds. Others reported being able to access the Eufy settings on the remote systems, including home network information.
It's a huge concern for those who have bought into Eufy's ecosystem of products, particularly among those who have installed cameras inside the home or to monitor their children. Concerned Eufy users found that logging out of their account and then back in again, plus power cycling the home base, was sufficient to restore access to their own system. However, others have simply unplugged their cameras altogether, which seems like a fairly wise reaction.
Security breaches and privacy lapses aren't uncommon at this point in time, but the impact is always more significant when it's a home security company like Eufy which is impacted. Wyze, another low-cost camera and smart home tech provider, experienced a huge database breach in late 2019, for example, though that didn't see people able to access other users' accounts in the same way as this Eufy issue.
Eufy is yet to comment officially on the problem today. According to a message shared in the official Eufy forum, purportedly from the company's support team, "the issue was due to a bug in one of our servers" which "was quickly resolved by our engineering team." Even if that's authentic, whether it'll be enough to reassure the company's customers remains to be seen.
Update (1pm EST): In a statement to SlashGear, an Anker spokesperson blamed a bug in a server upgrade that was installed earlier today for the Eufy issue.
"Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001%) of our users were able to access video feeds from other users' cameras," Bryan Saxton, Assistant PR Manager at Anker Innovations told us. "Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST."
According to Saxton, only users in the US, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were affected; users in Europe were not. Eufy Baby Monitors, eufy Smart Locks, eufy Alarm System devices, and eufy PetCare products were also not affected. Eufy's customer service team will be contacting those who were among those included in the privacy breach.
"We realize that as a security company we didn't do good enough," Saxton said. "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again." Eufy customers with questions or concerns are advised to contact the company's support team.