Earlier today, some owners of Eufy security cameras were able to access both live camera feeds and recordings for other Eufy customers — the nightmare scenario for many smart security camera owners. The Anker-owned company blames the security failure on a "software bug" that happened during a server upgrade. In a follow-up email, Eufy tells us only 0.001% of customers were affected. The company claims the issue was fixed by 6:30 AM EST, and customers should reboot their hardware and log out and back in on Eufy apps.
Affected customers had full control of the cameras attached to other customers' accounts, including the ability to view prior recordings and live feeds, set off alarms, and talk over speakers. Some customers claim the latter even happened to them, with unknown third parties setting off alarms in the early hours and strangers speaking over their cameras.
A software bug occurred during our latest server upgrade at 4:50 AM EST today. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST.
We recommend that all users:
— Eufy (@EufyOfficial) May 17, 2021
A few hours after the issue started (at 4:50 AM EST, according to Eufy), the company issued a statement claiming that the issue was fixed around 6:30 AM and advising all Eufy customers to unplug and reconnect their devices and to log out and log back in on the Eufy app.
Those of us with Eufy hardware here at Android Police didn't observe any issues ourselves when we checked after the reported fix had been deployed, but a writer at 9to5Mac claims they were able to see "all details, recordings, live" as if they were logged in under someone else's account. The early hour may have reduced the impact of the issue, and though there are reports at both the Anker forum and product-associated subreddits, the volume of reports is small.
Eufy's privacy claims on its website don't jibe with today's events.
The technical reason behind how this issue occurred hasn't been disclosed outside a nebulous "bug" during a server upgrade. Eufy says its camera feeds are end-to-end encrypted and "only you have the key to decrypt and watch the footage," a claim that clearly wasn't correct earlier today.
If this story sounds familiar, that's because this sort of thing happens a bit too often. Last year Xiaomi had a similar problem displaying strangers' camera feeds on Google Assistant-integrated smart displays, leading Google to temporarily yank the company's platform privileges. In 2019, some Alexa-connected Wyze cameras had a similar issue. Ring cameras were also found to be revealing precise customer locations for those using the Neighbors app (meant to share data with law enforcement) in 2019, and a hacker also gained access to a Ring cam in an eight-year-old child's room.
We reached out to Anker and were told that the issue affected a limited number (0.001%) of users in the United States, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina. Customers in Europe were unaffected, and we're told that Eufy Baby Monitors, Eufy Smart Locks, Eufy Alarm System devices, and Eufy PetCare products were also unaffected. Customer service representatives will be contacting those who were impacted. The company also provided us with the following apology to customers:
We realize that as a security company we didn’t do good enough. We are sorry we fell short and are working on new security protocols and measures to make sure that this never happens again.
Customers with further questions are invited to reach out to Eufy's support team.
On May 19th, Anker expanded its original statement with steps it's taking to keep this from happening again.
All of our user video data is stored locally on the users' devices. As a service provider, eufy provides account management, device management, and remote P2P access for users through AWS servers. All stored data and account information is encrypted.
In order to avoid this happening in the future, we are taking the following steps:
We are upgrading our network architecture and strengthening our two-way authentication mechanism between the servers, devices, and the eufy Security app.
We are upgrading our servers to improve their processing capacity in order to eliminate potential risks.
We are also in the process of obtaining the TUV and BSI Privacy Information Management System (PIMS) certifications which will further improve our product security.