Pull the plug on your eufy security cameras (eufyCam) immediately

eufy's casual reference to a “software bug” belies the gravity of a recent security breach that has left users' personal information and camera recordings exposed. For those who own eufy security cameras, such as eufyCam, Video Doorbell, Floodlight Camera, and Indoor Cam, it's crucial to act immediately: unplug your devices, delete your recordings, change your passwords, and log out of your accounts.

The magnitude of the breach

This is no ordinary security breach – other users may have access to your recordings, contact details, and camera names. Disappointingly, eufy has done little to inform its users, despite having their email addresses and regularly sending promotional material. One might expect eufy to log out all users and enforce password changes, but their response so far has been lacklustre, casting doubt on the trustworthiness of the company and its products.

Unravelling the eufy security breach

The breach first came to light on Monday, May 17, 2021, when a Reddit user from New Zealand reported seeing videos from another user's camera, likely located in Australia. The user also had full access to the Australian user's contact information and camera name. Fortunately, the Reddit user chose not to share any videos or images, but others affected by the breach may not be so honourable.

eufy's response was slow, taking seven hours to acknowledge the issue via Twitter. Their tweet mentioned a “bug” discovered at 10:50 AM, which was fixed two hours later, but provided no further details about the cause or the number of compromised accounts. The timing of their tweet also curiously coincides with the Reddit user's post, raising questions about the transparency and accuracy of eufy's response.

Eufy's potential consequences

Should eufy choose to maintain their silence, one might envision a rather substantial fine arriving at their headquarters. As a European, my familiarity lies with the GDPR, which stipulates the following:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Art. 33 GDPR

One can't help but wonder if a mere tweet would suffice as a proper notification. After all, it's rather presumptuous to assume that all eufy customers are also Twitter users, especially when eufy has access to their email addresses. The company still has two days to issue a more formal response, and it would be prudent for them to do so. Failing to comply with GDPR regulations could result in a fine of up to €20 million or 4% of their total global turnover, depending on which amount is greater. In light of their current response, or lack thereof, it's difficult not to feel that eufy deserves such a penalty.

A belated call for offline security

In the wake of a security breach, it's common to hear advice from fellow users urging the disconnection of security cameras from the internet, particularly those located indoors. While this sentiment is undoubtedly wise, we must remember that not everyone possesses the technological prowess of Home Assistant users. Home Assistant, after all, remains a haven for tinkerers with a better-than-average grasp of technology.

For many, the convenience of setting up cameras like those from the compromised eufy and opting for a cloud-based subscription to store recordings far outweighs the effort required to establish a local-only alternative. Furthermore, manufacturers such as eufy often fail to provide a comprehensive and open API, leaving users with little choice but to rely on their services for full control of their cameras.

While there are certainly lessons to be learned for the future, for those affected by eufy's breach, such counsel arrives too late. Thus, I reiterate my immediate course of action: Other eufy users may have access to all your recordings, contact information, and camera names. Unplug all your eufy security cameras at once, delete your recordings, change your passwords, and log out of your accounts. And above all, refrain from investing any more of your hard-earned money in eufy.

About Liam Alexander Colman

Liam Alexander Colman is an experienced Home Assistant user who has been utilizing the platform for a variety of projects over an extended period. His journey began with a Raspberry Pi, which quickly grew to three Raspberry Pis and eventually a full-fledged server. Liam's current operating system of choice is Unraid, with Home Assistant comfortably running in a Docker container.
With a deep understanding of the intricacies of Home Assistant, Liam has an impressive setup, consisting of various Zigbee devices, and seamless integrations with existing products such as his Android TV box. For those interested in learning more about Liam's experience with Home Assistant, he shares his insights on how he first started using the platform and his subsequent journey.

Comments

  1. The security issue is one thing, but I had a horrible experience trying to install and use eufy 2C cameras and homebase 2 and decided to send them back and uninstall my phone app and the PC app, running on Win11 OS. I could uninstall the phone app with no problem, but removing the app from the PC is an entirely different situation. So far I couldn’t find the files anywhere on my computer; I searched in Win “add or remove programs”, and the extensions in Firefox and Chrome, to no avail.
    Google is of no help either. Do you have any ideas about what to do?
    Thanks.
    Regards,
    Kris
