To our eufy Security Customers and Partners

December 19, 2022

RE: Recent security claims against eufy Security

To our eufy Security Customers and Partners:

At eufy Security, we are taking a new approach to home security. Our security solutions have been designed to operate locally and, wherever possible, avoid using the cloud. This includes storing user video footage locally and managing key processes like facial recognition and identity biometrics directly from the chip in the user’s device. Not the cloud.

This is a very different approach than others in the home security industry, where the cloud is a central part of their security solution and business model.

Our security technology model has never been attempted, and we expect challenges along the way. But we remain committed to the millions of consumers worldwide who have chosen eufy Security to help protect their security, privacy, and identity.

Several claims have been made against eufy Security over the last couple of weeks. We know the need for more straightforward and timely communications on these issues has frustrated many customers. However, we have been using the last few weeks to research these possible threats and gather all the facts before publicly addressing these claims.

Moving forward, we will need to better balance our need to get “all the facts” with our obligation to keep our customers more quickly informed.

Below we will attempt to better separate fact from fiction and provide more details on any changes we’ve made to our policies, processes, and security solutions.

eufy Security Uses the Cloud to Send Users Mobile Push Notifications.

This is true. As mentioned earlier, eufy Security is committed to reducing the use of the cloud in our security processes wherever possible. However, some processes today still require us to use our secure AWS server.

For example, in the case of security push notifications - when the user has chosen to include a thumbnail with that security notification - a small preview image of the security event is sent to our secure AWS server and then pushed to the user’s phone. This image is protected through end-to-end encryption and is deleted shortly after the push notification has been sent. This process also complies with all industry standards.

We have updated the eufy Security app with a more detailed explanation of the different push notification options and which options require using our secure AWS server. This will help our users make a more informed decision.

We understand this isn’t enough. As a company focused on reducing the use of the cloud, we must be more clear about which of our processes are done locally and which require using our secure AWS server. This includes a revised Privacy Statement on eufy.com, which we will publish later this week.

Moving forward, this will be a significant area of improvement for our marketing and communication teams and will be added to our website, privacy policies, and other marketing materials.

eufy Security 's Live View Feature on its Web-Portal Feature Has a Security Flaw

First, no user data has been exposed, and the potential security flaws discussed online are speculative. However, we do agree there were some key areas for improvement. So we have made the following changes.

Today, users can still log in to our eufy.com Web portal to view live streams of their cameras. However, users can no longer view live streams (or share active links to these live streams with others) outside of eufy’s secure Web portal. Anyone wishing to view these links must first log in to the eufy.com Web portal.

We will continue to look for ways to enhance this feature.

eufy is sending Facial Recognition Data to the Cloud ?

This is not true. This is a key differentiator for eufy Security - all facial recognition and biometric processes are completed locally on the user’s device. This information is never processed in the cloud.

The steps detail what occurs when users wish to add a new person to their eufy Security facial recognition system.

• The user must first share an image of that new person to their security device using their eufy Security app.

• If that user is on the same Wi-Fi as their security device, that image is sent through a secure local connection (LAN) from the eufy Security app directly to that security device.

• If the user is not on the same Wi-Fi network as the security device (or not at home), then the image is sent securely from the eufy Security app to the security device using a direct P2P connection via the internet.

Previously, the eufy Video Doorbell Dual did utilize our secure AWS server to share that initial image to other cameras on the user’s local eufy Security system. Today, eufy’s Video Doorbell Dual has been upgraded to utilize the same LAN/P2P process outlined above.

We are committed to and will continue to work hard to uphold our community’s trust in our products, services, and processes.

Thank you for your patience and understanding.

The eufy Security Team

Have additional questions? Please contact the eufy Security customer service team directly. This can be done via chat in our eufy Security app , by emailing us at support@eufy.com, or by calling us. More details can be found here: Contact eufy: Get In Touch for Support & Inquiries - eufy US

What is with the issue, where the recordings can be deleted from the Homebase by pressing the sync button on the camera for 10seconds or remove the camera from the wifi connection area of the homebase?

Maybe it was the translation from one language to another or something, but I couldn’t find where they apologized.

The only thing you seem remotely competent at is lying. You’re never going to regain the trust of anyone with half a brain.

Why do your supposedly end-to-end encrypted cameras produce unencrypted streams at all?

Under what circumstances is video actually encrypted?

Do any other parts of Eufy’s service rely on unencrypted streams, such as Eufy’s desktop web portal?

How long is an unencrypted stream accessible?

Are there any Eufy camera models that do not transmit unencrypted streams?

Will Eufy completely disable the transmission of unencrypted streams? When? How? If not, why not?

If not, will Eufy disclose to its customers that their streams are not actually always end to end encrypted? When and where?

Has Eufy changed the stream URLs to something more difficult to reverse engineer? If not, will Eufy do so? When?

Are unencrypted streams still accessible when cameras use HomeKit Secure Video?

Is it true that ”ZXSecurity17Cam@” is an actual encryption key? If not, why did that appear in your code labeled as an encryption key and appear in a GitHub repo from 2019?

Beyond the thumbnails and the unencrypted streams, are there any other private data or identifying elements that Eufy’s cameras allow access to via the cloud?

Beyond potentially tapping into an unencrypted stream, are there any other things that Eufy’s servers can remotely tell a camera to do?

What keeps Eufy and Anker employees from tapping into these streams?

Which other specific measures will Eufy take to address its security and reassure customers?

Has Anker retained any independent security firms to conduct an audit of its practices following these disclosures? Which?

Will Anker be offering refunds to those customers who bought cameras based on Eufy’s privacy commitment?

Why did Anker tell The Verge that it was not possible to view the unencrypted stream in an app like VLC?

Does eufy share video recordings with law enforcement agencies?

Anker is also a Chinese company. I’m scared and don’t want to use Anker products anymore.

When are you going to fix Alexa skill? Since this nonsense, none of my Alexa devices ring anymore. Sort this out!!

I have a bunch of eufy cameras bought specifically because of the supposed privacy. Honestly this statement is not enough for me. Without more I would like a 100% refund for all of it because it was purchased based on a lie and I would like to replace all of it with something that actually does what they say.

So, here are the options that I present:

1. Eufy follows through with fixing the issues mentioned above and more, they renew their commitment to privacy by having third party audits to make sure that they are not just complying with industry standards and the law, but that they are complying with the promises that have been outlined in their advertising.

Or

2. Eufy provides a 100% refund for everything purchased so that new equipment from a more trustworthy source can be obtained.

Same as many other of your customers had written also for me:

I have bought eufy cameras because of the privacy.
Your statement is not enough for me.

Without more I would like a 100% refund for all of it because it was purchased based on a lie and I would like to replace all of it with something that actually does what they say.

Here are the options that I present:

1. Eufy follows through with fixing the issues mentioned above and more, they renew their commitment to privacy by having third party audits to make sure that they are not just complying with industry standards and the law, but that they are complying with the promises that have been outlined in their advertising.

Or

2. Eufy provides me a 100% refund for everything purchased so that new equipment from a more trustworthy source can be obtained.

As far as I’ve read, none of the cameras that are Apple HomeKit compliant were involved in this issue, yet Eufy seems to be abandoning HomeKit for their newer devices. If this continues, I’ll be dropping Eufy and switching.

Same here! This is critical as I have Alexa routines that rely on the doorbell motion sensor to trigger notifications and trigger security lights turning on. The doorbells have firmware updates dates 20221223, which is presumable when this whole security thing surfaced - was eufy’s response to create a baq firmware update? I’d rather take my chances with the old (working) firmware than worry about the risk recently exposed.

Seems this update was silently sent out. I just found out this statement because I was wondering if there was an official statement from Eufy. I didn’t see any pop-ups or notification about the changes. A bit disappointed also that I was in the process of setting up some routines and found that was having issues with my new house.

With the lack of response and transparency from Eufy I’m strongly considering abandoning this eco-system in favor of something more secure. Its very disheartening that they are backing out of their original commitments to privacy and making sly changes in the background.

I don’t care a bit about thumbnails on AWS… I care that

1. you took away yellow motion highlighting on playback timeline in the last release,
2. you took away download function on playback timeline in the last release, and
3. homebase 3 is still not compatible with indoor cams as of 02/05/23 when you gave the initial 10/22 delivery date. I bought one that’s just collection dust and it is past 30day return period