Last Updated: May 18th, 2021 4:24 pm
[OP]
Deal Addict
Nov 3, 2003
2072 posts
290 upvotes
GTA

Eufy app security issues

This morning I opened my Eufy app (Android) to check my two indoor pan and tilt cameras, and to my shock and disbelief, I was able to see someone else's Eufy doorbell! It seemed I had full control of someone's account; I could see the history and even delete the email address from the Share Device option. I immediately contacted Eufy, and they replied with the following:
This is Wendy, a Customer Service Manager at Eufy Technical Support Email Team. Your case has been brought to my attention because we know this can be a worrying situation, so I wanted to personally address it with you.

Sorry for your inconvenience with it and this is definitely not what we want our customers to experience. You've put your trust in Eufy, and I understand how disappointed you must feel. Although the issue was corrected very soon, words can't express how deeply sorry we are for this.

We are so sorry that a software bug occurred during our latest server upgrade at 4:50 AM EST today. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30 AM EST. You may experience being logged out, but this is a normal situation. Just log in.

Once again, our apologies for this mistake which should have been avoided from the start. We assure you that there will be no such case in the future. And thank you in advance for your great understanding and great indulgence, we wish you a great day!
Does this make any sense? When I opened the app after receiving this reply, I did have to re-login and everything seemed okay again. Should I trust Eufy at all after this? I'm particularly worried because these are indoor cams, but I got them to monitor my cat.
15 replies
Member
Feb 9, 2008
344 posts
288 upvotes
Vancouver, BC
Could happen with any cloud-accessible camera due to human error, bugs or hacking.
You can search Wyze, Yi, TP-Link/Kasa, etc. and find issues.

Eufy blames software 'bug' for breach that exposed users' video footage to strangers

The only way to minimize security/privacy issues is to use a local-only IP camera. If you need it to be accessible over the internet, use a VPN into your home network to view the camera.

Eufy seems to have a track record of bad practices.
Eufy: We found two vulnerabilities in the Eufy T8200 video doorbell, one of which exposes account information, such as email addresses and WiFi passwords. Eufy told CR that it has released an app update (v1.76) to fix the account information issue. If you own this doorbell and use an Android device, update to the latest version of the Eufy Security app.
[OP]
Deal Addict
Nov 3, 2003
2072 posts
290 upvotes
GTA
zerod wrote:
The only way to minimize security/privacy issues is to use a local-only IP camera. If you need it to be accessible over the internet, use a VPN into your home network to view the camera.
Thanks for your reply. Would the VPN prevent this from happening again? Or would it only encrypt traffic?
Member
Feb 9, 2008
344 posts
288 upvotes
Vancouver, BC
You would need to block the Eufy cameras from internet access, preventing anyone from accessing your cameras.
The simplest way to achieve this would be parental control options on your router.
This is the part that prevents someone else from viewing your cameras from the internet.

If your cameras are still accessible via the app when connected to wifi, then the VPN option should work.
Some routers have built-in VPN, so you would need to figure out how to set that up and get your phone connected.
This makes it so you can access your home network and cameras. The encryption is a bonus.
Personally, I have a Raspberry Pi running PiVPN to access my Amcrest cameras.

I don't have Eufy cameras so I can't confirm this setup works, but I've read Amazon reviews and other comments that the Eufy cameras start having issues if you block off their internet and don't let it phone home to China...
You might be better off with different cameras.
Deal Expert
Apr 16, 2001
15972 posts
2581 upvotes
Remember, the 'S' in IoT stands for Security.
Automatic down-votes: D-Link, TP-Link, Newegg, Canada Computers, any Chinese-owned cellphone, laptop or IoT device.
Deal Addict
Sep 16, 2013
3279 posts
2008 upvotes
SW ON
Gigi wrote: I was able to see someone else's Eufy doorbell!
Did it happen between 4:50am EST and 6:30am EST?
[OP]
Deal Addict
Nov 3, 2003
2072 posts
290 upvotes
GTA
zerod wrote: I don't have Eufy cameras so I can't confirm this setup works, but I've read Amazon reviews and other comments that the Eufy cameras start having issues if you block off their internet and don't let it phone home to China...
You might be better off with different cameras.
I just tried enabling parental controls on my router (eero), and unfortunately it doesn't allow any access to the cameras at all.
[OP]
Deal Addict
Nov 3, 2003
2072 posts
290 upvotes
GTA
alpovs wrote: Did it happen between 4:50am EST and 6:30am EST?
Yep.
[OP]
Deal Addict
Nov 3, 2003
2072 posts
290 upvotes
GTA
JAC wrote: Remember, the 'S' in IoT stands for Security.
What do you mean?
Deal Addict
Sep 16, 2013
3279 posts
2008 upvotes
SW ON
Gigi wrote: Yep.
Then I would believe the customer service and hope the issue has been fixed.
Deal Addict
Aug 21, 2009
2279 posts
1471 upvotes
North Vancouver
JAC wrote: Remember, the 'S' in IoT stands for Security.
But there is no S in...oh.
Frisbeetarianism is the belief that when you die, your soul goes up on the roof and gets stuck. (George Carlin)
Guns don't kill people, people kill people. And monkeys do too - if they have a gun. (Eddie Izzard)
Member
Feb 9, 2008
344 posts
288 upvotes
Vancouver, BC
Gigi wrote: I just tried enabling parental controls on my router (eero), and unfortunately it doesn't allow any access to the cameras at all.
Seems like other Eufy users just have the camera plugged into a smart plug/outlet and power off the camera when they're home (via Siri, HomeKit, Alexa, etc.).
Member
Mar 1, 2015
214 posts
134 upvotes
Toronto
Shoot, I just recommended the doorbell to my sister when it was on sale.
Deal Expert
Aug 2, 2004
33994 posts
7634 upvotes
East Gwillimbury
Gigi wrote: Thanks for your reply. Would the VPN prevent this from happening again? Or would it only encrypt traffic?
How would a VPN prevent this? If you VPN back to their server (they need to support this) it would only encrypt the traffic. If you use one of those VPNs advertising privacy, all that would do is log into your account from another country or location.

Your app logs into their cloud server. Using a VPN will still log you into the same cloud server.

You had access to someone else's account. The question is, who was watching / controlling your cameras?

I always tell everyone, stay off the cloud when it comes to home automation. Just build your own server at home and take control of your privacy.
Member
Feb 9, 2008
344 posts
288 upvotes
Vancouver, BC
Gee wrote: How would a VPN prevent this? If you VPN back to their server (they need to support this) it would only encrypt the traffic. If you use one of those VPNs advertising privacy, all that would do is log into your account from another country or location.

Your app logs into their cloud server. Using a VPN will still log you into the same cloud server.

You had access to someone else's account. The question is, who was watching / controlling your cameras?

I always tell everyone, stay off the cloud when it comes to home automation. Just build your own server at home and take control of your privacy.
I was suggesting blocking the camera from accessing the cloud/internet, and setting up a VPN server on their home network to access the cameras (not VPN into Eufy's servers).
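
The setup described in the last reply (cameras cut off from the internet, viewed only from the home network or through a VPN server at home), written out as an nftables ruleset for a Linux-based home router. This is an added example, not part of any post in the thread; the interface names (wan0, wg0), the camera addresses and the table name are assumptions.

```nftables
# Added example. Assumed names: wan0 = internet uplink, wg0 = interface of
# the VPN server running on the home network, 192.168.1.50-51 = cameras
# with DHCP reservations. All of these are placeholders.
table inet camera_isolation {
    set cameras {
        type ipv4_addr
        elements = { 192.168.1.50, 192.168.1.51 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Cameras may not send anything out the uplink. There is no
        # "established" shortcut ahead of this rule, so sessions to the
        # vendor cloud that are already open are cut as well.
        # The first rule only logs (rate-limited) what the cameras still try.
        ip saddr @cameras oifname "wan0" limit rate 6/minute log prefix "cam-to-wan "
        ip saddr @cameras oifname "wan0" counter drop

        # Nothing arriving from the internet is forwarded to a camera.
        # After DNAT the destination is the camera address, so leftover
        # port-forward entries are covered too.
        iifname "wan0" ip daddr @cameras counter drop

        # Phones connected to the home VPN server may reach the cameras.
        # With policy accept this rule mainly documents intent and counts
        # hits; replies leave via wg0, not wan0, so the drop above does
        # not touch them.
        iifname "wg0" ip daddr @cameras counter accept

        # If the LAN also has IPv6, the cameras need equivalent ip6 rules.
    }
}
```

Load it with `nft -f <file>`. Devices on the same LAN segment as the cameras reach them directly through the switch, so the forward chain does not affect local viewing.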