The Internet is WRONG about Eufy. (Mostly)

  • Published 10 Sep 2024
  • You need the rest of the story about the Eufy cloud scandal.
    Paul Moore's Video: • Eufy leaking your "pri...
    LTT WAN Show: • Why we're dropping thi...
    Local Control Doorbell Setups: • Local Control Video Do...
    Visit my website: www.TheSmartHo...
    Follow me on Twitter: / thehookup1
    Join me on Facebook: / 473812443269387
    Support my channel directly:
    Patreon: / thehookup
    Music by www.BenSound.com

COMMENTS • 1.5K

  • @axion8788
    @axion8788 1 year ago +443

    I watch your channel because I find you are:
    1) Exceptionally well informed
    2) Very intelligent
    3) Open about the things you don't know
    4) Sincere
    5) Calm
    Keep up the good work.

    • @crackncat
      @crackncat 1 year ago +1

      +1 Need more people like Rob on YT, and in the world (disclosure, no clue how Rob is in real life... but "no one wears a mask forever" or however that saying goes) :)

    • @Derkenblosh2
      @Derkenblosh2 1 year ago +3

      Rob should totally have a monthly news segment on @breaking points ... They need a tech guy

    • @zxbc1
      @zxbc1 1 year ago +5

      Unfortunately, outrage is easier to sell these days. And selling is the name of the game.

    • @Derkenblosh2
      @Derkenblosh2 1 year ago +1

      @@zxbc1 not if we collectively stop falling for it. ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

    • @akanar_1924
      @akanar_1924 1 year ago +2

      This is why I am a sub on this channel and not Linus.

  • @Dfgbuiiyyyybb
    @Dfgbuiiyyyybb 1 year ago +55

    Eufy should have allowed users to turn off any feature that ships data to the cloud or at the very least notify users directly (not in the fine print) that some features will send personal information to third-party services/servers.
    When it comes to recording devices in private spaces I think people would like the option "privacy" or "convenience".

  • @fat4o
    @fat4o 1 year ago +91

    You cannot say, hey we will never upload anything to cloud and then do the exact opposite, and then consider that it's ok because of something.

  • @madst7521
    @madst7521 1 year ago +61

    I'll reserve judgement on the technical implementation as I haven't thought it through yet. I can however very clearly state that this doesn't fly with GDPR. I hear you saying "implied consent" and that's not good enough. GDPR is very clear that the consent has to be explicit. (Saying this as a CISO in the EU area who has had the GDPR as part of my job for a number of years.)

    • @satl3161
      @satl3161 1 year ago

      Rob has no clue. He's just posting this content for clout. He's an idiot.

  • @jaap7374
    @jaap7374 1 year ago +540

    Finally a video where someone thinks first and focusses on the actual security situation instead of overdramatizing a hype or click-bait.

    • @Niosus
      @Niosus 1 year ago +29

      Yeah, this makes LTT look pretty bad, Luke is leading a software company these days. He should've known better.
      Having a long random string as part of the URL is just as safe as any other form of authentication, as long as it's all over https. Whether you send a password as part of a POST body, or have a token in an authorisation header, or have it be part of the URL itself... It's all going in the same request anyway. Where you put the secret really doesn't matter.
      This is a messaging problem. Just stating in their privacy policy that for notifications to work that they need to be stored briefly in the cloud and won't be used for any other purposes would've circumvented the issue. Maybe it's even in there.
      I'm very anti-cloud when it comes to many things. But honestly this is how I would've solved it for my own setup as well.

    • @martyb3783
      @martyb3783 1 year ago +2

      I couldn't have said it better myself.

    • @bradkriss5925
      @bradkriss5925 1 year ago +34

      It's not click bait or hype. There are valid claims here and they've been verified by other reputable outlets such as Ars Technica. Eufy lied, video streams are accessible via web and their end to end encryption key has been leaked.

    • @Gepstra
      @Gepstra 1 year ago +2

      @@martyb3783 then don't

    • @markusaurelius4015
      @markusaurelius4015 1 year ago +1

      Agreed

  • @ryanburr8419
    @ryanburr8419 1 year ago +410

    This video is a fair rebuttal but I still think Linus was right to be outraged. Eufy is clearly in the wrong for advertising themselves as a cloud free option and not making it crystal clear that images from their doorbell camera would be uploaded to the cloud. They should have informed their users during the set up process and given them a chance to opt out.

    • @TheHookUp
      @TheHookUp 1 year ago +119

      No disagreement from me there.

    • @publicmail2
      @publicmail2 1 year ago +19

      Just like kraft mac and cheese done in 3 1/2 minutes lie...

    • @ValentinoRossFan46
      @ValentinoRossFan46 1 year ago +3

      @@publicmail2 🤣

    • @davinchewk
      @davinchewk 1 year ago +17

      Except the feature is opt-in. So they're "opt-out" by default. You have to go and change from the default "text-only" notification, to the thumbnail notification.

    • @dougle03
      @dougle03 1 year ago +17

      @@davinchewk Where was the explicit consent for images to be sent to the cloud...?

  • @ubentobox
    @ubentobox 1 year ago +22

    The other issue I had with Paul's video was that he used chrome with an authenticated session for the web app in the same incognito session as he tested the links. Incognito still shares session data across tabs even if you have multiple incognito windows, it's all one session. I run into this with pentesters frequently who submit findings about privilege escalation or unauthorized access, but don't realize the session was shared.

  • @Liam-js6di
    @Liam-js6di 1 year ago +314

    While I agree with what you say as to the reasons they may have built it like this, the actual issue here is how they market the products as being fully local. If cloud storage is required to serve rich push notifications, they should make it clear that in that scenario, it’s not fully local in their advertising for the product. Paul specifically points this out in his video as the main issue he has.

    • @sethtenrec
      @sethtenrec 1 year ago +3

      Do they?

    • @Liam-js6di
      @Liam-js6di 1 year ago +44

      @@sethtenrec yes. This is from the main description from the product page of their doorbell on Amazon UK: “Your Data Securely Stored: Every moment captured is stored locally on the Wi-Fi Video Doorbell Wireless Chime inside your home with advanced encryption. (Requires micro-SD Card) Note: The warranty on this product is 12 months.”. There is no mention of it leaving on the cloud at all in the main description / product information.

    • @sethtenrec
      @sethtenrec 1 year ago +5

      @@Liam-js6di “main description” … so you’re holding this company to a higher standard than say McDonald’s. Their main description doesn’t tell you that their food is going to kill you. And that applies even more to places like Outback.
      Do you want this to be the one company that’s honest?

    • @Liam-js6di
      @Liam-js6di 1 year ago +46

      @@sethtenrec it doesn't list it anywhere on the product listing page. I simply quoted from the main description since this is a short form YouTube comment - you're welcome to check the full listing page yourself before you criticise the reference. To use your analogy it would be like a fast food restaurant advertising their product as containing only vegan ingredients but then including a piece of bacon too in the actual product. There's no "higher standard", it's simple consumer law that a description can't be misleading, and in this case it is

    • @sethtenrec
      @sethtenrec 1 year ago

      @@Liam-js6di you’re gonna have to show me the law that says a description can’t be “misleading”.
      Disneyland “the happiest place on earth” 💩
      De Beers “a diamond is forever” 💩💩
      Fox News “fair and balanced” 🙄
      liberty mutual “only pay for what you need”. 😂😂
      Advertising world is nothing but BS and misleading.

  • @SmartHomeSolver
    @SmartHomeSolver 1 year ago +79

    This is the most accurate take on the whole situation that I've seen so far. I'm also a LTT fan and thought their conversation was more fear mongering than factual. Thanks for helping clear the air on this.

    • @laloajuria4678
      @laloajuria4678 1 year ago +6

      Welp this aged poorly

    • @AmazingOrange87
      @AmazingOrange87 1 year ago +3

      @@laloajuria4678 why do you say that?

    • @teeeejaay89
      @teeeejaay89 1 year ago

      @@laloajuria4678 what happened

    • @6foot8jesuspilledpureblood82
      @6foot8jesuspilledpureblood82 1 year ago +1

      Wait isn't this guy a hard salesman for Eufy products. Would take it with a major grain of salt. He seems to have total faith in CCP agents

  • @ari-mcbrown
    @ari-mcbrown 1 year ago +67

    Watching from the Netherlands here... explicit consent for GDPR based content is required. We're funny that way. I happen to have a Unifi Doorbell and yes... I have to give EXPLICIT consent before ANY data is sent... And I mean ANY data. Else the doorbell will only work when connected to local wifi (on phone) or connected to VPN locally at home. I feel you're right regarding the importance for rich notifications, however... No consent means no data sharing.

    • @RoofusKit
      @RoofusKit 1 year ago +6

      You have to enable the rich notifications if you want them. Otherwise they are text only.

    • @ianmearsphoto
      @ianmearsphoto 1 year ago +14

      @@RoofusKit Enabling something is unlikely to count as giving consent unless it is very clear what the implications are from a GDPR perspective. The average user couldn't reasonably be expected to know that rich notifications means they now have data stored in the cloud.

    • @zeuss1353
      @zeuss1353 1 year ago

      can you explain it in Dutch

  • @bradkriss5925
    @bradkriss5925 1 year ago +199

    Ars Technica validated the vlc stream claim. They also found out that the 64 char key is actually a base64 encoded 16 digit serial number. They also found the encryption key for video footage.

    • @TheHookUp
      @TheHookUp 1 year ago +35

      It's my understanding that there is a base64 encoded 16 digit serial number + token + 4 digit hex for the VLC stream. Are you saying the token is the same for each image? It's not, you can see that in Paul Moore's videos, each image has a unique auth token.

    • @iamatestuser2
      @iamatestuser2 1 year ago +101

      @@TheHookUp Did you see The Verge coverage? They were able to change the token to a random string, it apparently does nothing.

    • @ConfidentGrips
      @ConfidentGrips 1 year ago +2

      @@iamatestuser2 what this guy said this is just not a good way to do things

    • @coconutstrawberry
      @coconutstrawberry 1 year ago +70

      @@TheHookUp that doesn't change the fact that it's a complete violation of user privacy when advertised as "no cloud." a freaking live stream of my doorbell on the internet is not something I consented to.

    • @edolino96
      @edolino96 1 year ago +8

      @@iamatestuser2 what he is saying is that the auth token used in the url for the images is different from the base64+token+4digit used in the video stream url. Each image has a unique and secure token

  • @MustachioFurioso9134
    @MustachioFurioso9134 1 year ago +157

    The way Rich notifications were implemented here is, imo, the true problem.
    Eufy wasn't upfront on how this data was being used, and caused this controversy themselves. If they had been upfront on how this stuff was hosted for rich notifications and hadn't marketed themselves as such an alternative to Ring/Nest (and as the best 'locally' hosted security system).
    But additional data has come out about how their encryption works, and it's just not good enough

    • @repatch43
      @repatch43 1 year ago +31

      When you include a static decryption key in a git repository there IS no encryption.

    • @MustachioFurioso9134
      @MustachioFurioso9134 1 year ago +21

      @@repatch43 exactly! Like Eufy's problems go far further than what was originally thought. While I understand the gist of this video, I would argue that new information has sort of undone the good will given by this video imo.

    • @DJaquithFL
      @DJaquithFL 1 year ago +2

      By Chinese law, CCP / NPC mandates free access to all data of all Chinese companies government-owned or not and they must comply. Reminder here they are a dictatorship basically the same as North Korea, Russia as are so many other countries. The USA is quickly itself going down that path with an oligarchy and is in a quasi-oligarchy state. Corporations are the USA's dictators. The only possible discussion here is how derelict Eufy or any Chinese company are with your data. My advice is to trust no one and especially dictatorship run countries with your privacy.

    • @samualaddams705
      @samualaddams705 1 year ago

      @@DJaquithFL May I suggest a change there? The CCP or the government of China can be used to not conflate the people that live in the country of China and the despotic totalitarian governmental style of the CCP. And as far as businesses go I don't think anyone has beaten Microsoft's records for number of security holes and the damage they cause. So I would say businesses at large rather than just Chinese businesses. Otherwise the EU as an example would not have to have so many restrictive laws on business behavior. Just my take

    • @DJaquithFL
      @DJaquithFL 1 year ago

      @@samualaddams705 .. I'm not conflating anyone. I don't conform to the knuckle dragging crowd on YouTube. I don't have a problem with Chinese people other than those who are brainwashed by their government. Yeah those people suck. Ditto with Trumptard followers.
      _As a footnote, people have to drill it in their other heads. The Chinese are not a race, they're just one aspect of the expression of Asians (Mongoloid). It's like me saying that I don't like Putin and the Russian government, or for that matter any totalitarianism._
      No, I thought it was pretty clear. The Chinese government, the CCP requires full access to any technology company whether the company is government-owned or in any way located or headquartered in China. It's their law. Search for it yourself.

  • @saladien9987
    @saladien9987 1 year ago +17

    This would only be legal under gdpr if people would directly agree to it. There is no mention of that. It’s as easy as that, and there is no mention that video streams are available without encryption to anyone (with only a short Id and prefix timestamp)

  • @verygoodbrother
    @verygoodbrother 1 year ago +84

    Eufy is marketing their products as local only when it is in fact not local, especially when you've decided to opt out of such a service. I really don't know what other explanation/excuses are required for this aspect of their marketing.

    • @SirDragonClaw
      @SirDragonClaw 1 year ago +2

      The thing is they do not, and have never marketed them as "Local Only" they say your video is stored locally, which is 100% the case. Just because some thumbnails are cached for internet based notifications, doesn't mean they don't still store the video locally like they say.

    • @daninmanchester
      @daninmanchester 1 year ago +4

      "assumed consent" is bollocks too. GDPR requires explicit and informed consent

    • @Gareth.W
      @Gareth.W 1 year ago +1

      @@daninmanchester GDPR doesn't always require explicit and informed consent. Consent is just one of the legal bases, but there are others. Legitimate Interest, for example, can be used to process or store a data subject's personal data without needing to first obtain their consent. Also Recital 44 concerns contract performance and doesn't necessarily require consent.

    • @daninmanchester
      @daninmanchester 1 year ago +1

      True there are other lawful bases. But in this context it was "assumed consent because you clicked on something and you should have known". assumed consent is not a thing for good reason.
      Legitimate interest would require a creative lawyer in this context. You have said that you do everything local, but have now decided it is in their best interest to move their data to the cloud. For a push notification. I would hope that would be laughed out of court because if not, we're on a terrible slippery slope.
      For one, legitimate interests are overridden by the right and freedoms of individuals.
      And if we put the legalities aside, .... if you are a privacy centric company who declares we process everything locally, it's terrible to then do anything sleight of hand, without explicit and informed consent.
      With transparency comes trust. Eufy just lost all trust. I think they can rebuild it, and their intentions are likely good, they just f'ed this one up.
      I contacted TP-Link directly about such matters some time ago. They have similar problems. They claim to respect your privacy, but they are phoning home. It's a HUGE industry problem and further regulation is going to be needed.
      We should not be blase about it. Our future depends on it.

    • @Gareth.W
      @Gareth.W 1 year ago

      @@daninmanchester I don't disagree with what you've said, and I especially agree that in this case Eufy have eroded some of their customers' trust considering they make such a point about using local storage. Was just pointing out more broadly that GDPR doesn't have to always require a data subject's consent for their personal data to get processed - it's something of a pet peeve of mine as I often see it said by people online.

  • @sheldongroom18
    @sheldongroom18 1 year ago +31

    I have a degree in Network Security and I am working on a Master's in Cybersecurity; I would call this a breach of security. First everything on their site states local only, which to anyone with a networking background would think that means no cloud. I can understand if a specific feature requires cloud, but if I am looking for security, I also expect to be fully aware of where my data goes and for how long. If it hits an S3 bucket, and it is not just a link in a CDN that dies after 24 hours, then my data goes to the cloud. I do think Linus is doing the right thing by pulling away from Anker. They need to do better and properly inform users when data hits the cloud and fully state the data retention policy.
    Also a secure key was transmitted via plain text, not sure what that key is for, but if you send an encryption key over the internet in plain text it is no longer secure.

    • @TheHookUp
      @TheHookUp 1 year ago +3

      A few small points:
      • What you are describing is a breach of trust or agreement, not a breach of security.
      • When you say "transmitted via plain text", you need to remember that Paul Moore was the HTTPS endpoint for those API calls, so they weren't sent over the internet in plain text, they were sent via HTTPS.

    • @HansMeissner-jw3db
      @HansMeissner-jw3db 1 year ago +3

      @@TheHookUp One Small point:
      < Disclaimer: I'm a Eufy Camera owner for several years now >
      There is another glaring flaw in Eufy's security design for their cameras. The video is encrypted on the local homebase per-camera. Neat, right? WRONG!
      The encryption is tied to the camera. So, if I break into your home, take a bunch of stuff, and take the camera and push the reset button on it? It restricts the access to the footage from the homebase as well. It's no longer viewable! - The footage is still on the homebase and can be viewed when the removed cam has been paired with the homebase again, but this won't happen if the cam has been stolen.
      This has been a known issue with Eufy for at least a year now, and their answer is "Works as designed." So, if thieves know to steal the camera as well as everything else, you have no footage of them doing so. Not a useful camera at that point.
      community.security.eufy.com/t/stolen-devices-policy/811901
      ua-cam.com/video/l1uCyyhDWBw/v-deo.html

    • @TheHookUp
      @TheHookUp 1 year ago +1

      @@HansMeissner-jw3db Yes, that is a flaw that I point out whenever recommending Eufy products: ua-cam.com/video/Cj7Fwu_d1yc/v-deo.html

    • @sheldongroom18
      @sheldongroom18 1 year ago

      @@TheHookUp It may be via https, but the key is still sent via plain text; SSL can be stripped from secure sites, or better yet a bad guy can learn of this, buy a camera system get the key and use it how they see fit; if you rewatch the LTT video you can also note that the key is uploaded to a GitHub repo as well, so https doesn't matter. This is a company I will never do business with and will recommend my friends and family never do business with.

    • @TheHookUp
      @TheHookUp 1 year ago

      @@sheldongroom18 From what I understand no one has even figured out what that SSL key is for, it looks like a relic from the development process.

  • @cameronwhite2227
    @cameronwhite2227 1 year ago +64

    Yeah if a company tells me that a camera is not going to transfer photos and videos outside my local network, and then it does exactly that (for whatever reason and for whatever duration) then they have done a major wrong
    It can be as secure as possible (like a hypothetical perfectly secure system) I would still be upset because I was promised that I would not need to care how secure the system is and now I do because they falsely claimed photos / videos would never leave my network

    • @TheHookUp
      @TheHookUp 1 year ago +22

      This is and has always been a technical channel. In this case I spent the video stating facts, and clarifying technical details that were misrepresented by Paul Moore and misunderstood by Linus. My focus was on those things that are likely to be misunderstood by the average consumer (CDN vs S3, Auth vs Signed, etc).
      I didn't spend a lot of time talking about the fact that they advertise "Local Only" because in my mind that is an irrefutable blunder that doesn't need any further clarification because it's plain for anyone to see that those statements were incorrect and borderline fraudulent.

    • @kayak_homie
      @kayak_homie 1 year ago +11

      They advertised "secure local storage." Not "never outside of local network."
      The fact that you needed an active internet connection and a login into an app to view the photos/video, it should have been obvious that there was web transmission of data. People's ignorance of technology is their own fault.

    • @0Rookie0
      @0Rookie0 1 year ago +11

      @@kayak_homie You should never blame the consumers for believing something, that in plain english, would be simple to understand and could be misconstrued. They also never said it leaves local, now they do. You believe everybody should know everything about every thing they ever interact with? Or just the ones you're familiar with? Next time you buy beef, pork or chicken, I hope you reflect on why it's important to hold companies accountable. Imagine they never stated it's not technically what you thought it was.

    • @kayak_homie
      @kayak_homie 1 year ago +2

      @@0Rookie0 I agree with you, but where we disagree is that I don't see it as something that could be misconstrued. Their marketing made it obvious that the memory for storage exists in their device. They made no claims beyond that. I own multiple Eufy devices for my house and nothing presented in this video is a surprise to me.
      Now if I did a teardown of a Eufy doorbell and there was no memory in there for storage, yes at that point I would be upset because they would be lying, but given the current situation, I do not feel they misrepresented themselves.

    • @sleepingwonder
      @sleepingwonder 1 year ago +2

      @@TheHookUp bang on point the problem as you said this is a tech channel and the average consumer may not care and that's my problem and your analysis is making the average consumer even more confused. As you have rightfully agreed that it is a blunder on eufy to market it wrongly but the consumer needs to know and then make an informed decision. Again as u said it was a big mistake from eufy but I have to say it was intentional hence fraudulent and herein lies the problem

  • @Gaichou
    @Gaichou 1 year ago +65

    I'm glad that you're giving an alternate view. However there were further poor security practices by Eufy worth highlighting e.g. using device serial number as a large part of their address. So while not malicious they weren't following best security practices

  • @magicmanchloe
    @magicmanchloe 8 months ago +2

    You make a good point here and that they are better than most other easy to use battery cameras. That being said, at the end of the day they did perform a bait and switch on customers. They marketed their camera as local only. Their camera is not local only. So customers who bought the camera on the premise that it was local only, only to find out it's not, very much have the right to be mad and should have been offered either a refund, or at the very least a free upgrade to the third gen homebase that increases privacy. Instead, they just swept it under the rug and updated the marketing. That is where the problem is.
    I ordered you eufy under the premise of local only. And refuse to get any more of their cameras after the bait and switch. However I have still recommended them to my non-technical friends as they provide more privacy than most other options. But I still make sure to warn them about the fact that it is still a cloud tied system.

  • @peterrud3850
    @peterrud3850 1 year ago +8

    Thank you for NOT jumping on the haters train and taking the time to give us the other side of the story

  • @bbqpitboele6328
    @bbqpitboele6328 1 year ago +1

    If Eufy is storing records locally and sharing them with a cloud server without obtaining user consent, it could be a violation of the user's privacy and a breach of trust. Under the GDPR, companies are required to obtain user consent before collecting, processing, or sharing their personal data. Users have the right to know what data is being collected, where it is being stored, and how it is being used. If Eufy is not transparent about its data processing practices, it could face legal consequences and fines. It is important for companies to prioritize user privacy and be transparent about their data processing practices to maintain user trust and comply with data protection laws.

  • @OlliRahikka
    @OlliRahikka 1 year ago +71

    This video is missing quite a lot of the new stuff that The Verge found out. Hopefully we see a part 2 soon.

    • @experiment54
      @experiment54 1 year ago +2

      Like what?

    • @bradkriss5925
      @bradkriss5925 1 year ago +49

      @@experiment54 Ars Technica and Verge have both verified the VLC stream being publicly available. They also found out the video encryption key has been leaked, and that 64 char key isn't mathematically impossible to guess, it's actually just a base64 encoded 16 char serial number. I agree with OP I'd like to see a part 2 soon.

    • @MrREALball
      @MrREALball 1 year ago +11

      ​@@bradkriss5925 LOL I thought it looked like some part of base64. That just makes the situation absolutely horrible.

    • @qt5172
      @qt5172 1 year ago +7

      The verge? The same guys who tried to do a 'build a computer' guide. Yehh no thanks

    • @experiment54
      @experiment54 1 year ago +2

      @@bradkriss5925 it seems that eufy should be giving everybody who has a base station 2 an upgrade to base station 3?

  • @sobored776
    @sobored776 1 year ago +1

    Portforwarding isn't a security risk by itself. Serving only an image isn't a security risk when it's done properly.

    • @TheHookUp
      @TheHookUp 1 year ago

      You can absolutely do port forwarding securely, but I think the overlap between people who use secure VLANs and people buying wireless cameras is probably pretty small.

    • @sobored776
      @sobored776 1 year ago

      @@TheHookUp This has nothing to do with VLANs. Your router forwards a port to the cam and the cam serves static content. If your router can't do port forwarding safely you're already fucked. If the devs of the cam can't figure out a way to securely serve static content you're already fucked.

    • @TheHookUp
      @TheHookUp 1 year ago +1

      Your understanding of network security, vulnerabilities, and attack vectors is poor.

  • @jordyvandertang2411
    @jordyvandertang2411 1 year ago +3

    "even though that image could theoretically be accessed by anyone with the link. That doesn't make it insecure or a data breach".
    Security through obscurity is no real security. This is definitely insecure.

    • @TheHookUp
      @TheHookUp 1 year ago

      Amazon CloudFront is very secure and used by thousands of companies to deliver content you consume every day. You can read about Amazon CloudFront signed URLs here: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
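The "Auth vs Signed" distinction raised earlier in the thread and the CloudFront signed-URL link above, illustrated by an added example that is not code from the video, its commenters, Eufy or Amazon: a minimal HMAC-signed, expiring URL next to a URL whose "token" is never checked. The signing key, paths and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service keeps this server-side and rotates it.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _signature(path: str, expires: int) -> str:
    """HMAC-SHA256 over the exact path and expiry, so neither can be changed
    without invalidating the signature."""
    msg = f"{path}?expires={expires}".encode()
    digest = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a short-lived URL for one object, the way a CDN signed URL does."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Edge-side check: reject expired, tampered or re-pathed URLs."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    # Constant-time comparison against the signature recomputed for this path.
    return hmac.compare_digest(sig, _signature(parts.path, expires))


def unverified_token_url_accepts(url: str) -> bool:
    """Constructed stand-in for the pattern the thread describes for the
    stream URL: a 'token' is present but never validated, so any value is
    accepted and the path alone decides what gets served."""
    query = parse_qs(urlsplit(url).query)
    return "token" in query
```

The signed form binds the secret to a specific object and a deadline, so the secret in the URL is useless for any other path or after expiry; the unverified form only looks protected.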

  • @0SCJustJohn
    @0SCJustJohn 1 year ago +2

    It's still pretty bad though.
    • Advertised as not connected to the cloud, but is.
    • I disagree on implied consent. Normal users are not going to know cloud services are needed for the features.
    • You can invalidate CloudFront cache, and they aren't. That might be perfectly legal (not familiar with GDPR) but it's not impossible for them to remove it, like you made it sound.

  • @nickparf3688
    @nickparf3688 1 year ago +11

    There's been updates to this situation, it seems it is actually possible to cross reference face recognition IDs between users. Also researchers allegedly found public accessible root addresses with multiple users images.
    This is more than false advertising I believe, closer to real security and privacy issue for those who care

    • @nickparf3688
      @nickparf3688 1 year ago +1

      Not everyone does care of course, which is totally up to individuals

    • @TheHookUp
      @TheHookUp 1 year ago

      Has there been any other source for this other than Linus mentioning his "Anonymous Source" in his notes? It's hard for me to respond to something like that which has no evidence or even a clear accusation.

    • @nickparf3688
      @nickparf3688 1 year ago +2

      @@TheHookUp You're right, no to my knowledge hence the allegedly. But the first part of the story and the non apology are enough for me to never consider the brand short of a massive proof of good behavior, like external auditing.
      Good side of this is it made me find your channel and I'm kinda binge watching 😉 cheers!

  • @jvwMUSIC
    @jvwMUSIC 6 months ago +1

    If they just straight up lied about how their product functions I think it's completely reasonable for a company to shut down any advertising deals on principle alone. In the case of LMG, a company which publishes videos on the technical side of electronics and publishes videos calling out tech companies lying about function, it would be an especially bad PR/financial decision to continue to work with a company that lied about the function of their product. It doesn't matter if the camera is still a good product or not.

  • @AlexDemskie
    @AlexDemskie 1 year ago +175

    I still think their advertising is so out of pocket that they deserve this "it aint local" outrage from the enthusiast community.

    • @TheHookUp
      @TheHookUp 1 year ago +58

      This is and has always been a technical channel. In this case I spent the video stating facts, and clarifying technical details that were misrepresented by Paul Moore and misunderstood by Linus.
      I didn't spend a lot of time talking about the fact that they advertise "Local Only" because in my mind that is an irrefutable blunder that doesn't need any further clarification.

    • @Pegaroo_
      @Pegaroo_ 1 year ago +52

      @@TheHookUp You might not talk about local only, but they do, and that's the problem.
      Just because you see this claim in the same way I know Red Bull doesn't give me wings doesn't mean the average normie consumer does.

    • @Thatonekid932
      @Thatonekid932 1 year ago

      @@TheHookUp hi

    • @Ultrajamz
      @Ultrajamz 1 year ago +12

      @@TheHookUp Thing is, to me, once a company loses trust, the technical goes out the window, because at the end of the day idk what exact code is running on the camera/server, so no trust = no go.

    • @sergeigarcia186
      @sergeigarcia186 1 year ago +10

      @@TheHookUp I mean, you titled the video "The Internet is WRONG about Eufy" when 90% of the reason the internet is outraged about Eufy is the "it's not 100% local" claim.
      And while I appreciate the effort you put into explaining the technical details, it's really confusing how you make it seem like the reasons behind this blunder should make us stop being angry at being lied to by Eufy.
      Overall, nothing about your video changed how I viewed LTT or the Internet's reaction to the Eufy scandal. And regardless of the use of our Data by Eufy, nothing will change the amount of lost trust from the incident. And I'd be worried about anyone still recommending their products by defending their "technical reasons for their breach of trust".

  • @AviatorXD
    @AviatorXD 1 year ago +14

    Because they have a certification saying that they are GDPR compliant doesn't really mean much. Discord was sued a few days ago for violating the same thing.

  • @lmaoroflcopter
    @lmaoroflcopter 1 year ago +27

    So, in short:
    Eufy: claims fully local only storage.
    Eufy: records and stores your data. Post data deletion, post account deletion, linked with your account name.
    You: are claiming this is not the issue.
    GDPR requires that consent is explicit, not implicit. For Eufy to do this legally in Europe it would require them to state it as such within their T&Cs.
    At best: it's a legality derp and these images, whilst required, were taken without consent.
    At worst: it's exactly as described.

    • @TheHookUp
      @TheHookUp  1 year ago +5

      "Eufy: records and stores your data. Post data deletion, post account deletion, linked with your account name"
      Where are you getting that information? Do you mean the cache persisting for the remainder of the 24 hours? That is expected behavior and not a GDPR violation.

    • @lmaoroflcopter
      @lmaoroflcopter 1 year ago +23

      @@TheHookUp The GDPR violation would come from the collection of the data in the first place.

    • @streamerco-op6523
      @streamerco-op6523 1 year ago +1

      @@lmaoroflcopter Except it is actually in their posted policy. LTT's (and everyone else's) complaint is that their marketing verbiage is contradictory to the policy. That may run afoul of truth in advertising (in the US and a handful of EU countries), but it's not a GDPR violation of any kind. You're very inappropriately making things up.

    • @lmaoroflcopter
      @lmaoroflcopter 1 year ago

      @@streamerco-op6523 Making things up? I've made nothing up here.

    • @SirDragonClaw
      @SirDragonClaw 1 year ago

      The thing is they do not, and have never marketed them as "Local Only" they say your video is stored locally, which is 100% the case. Just because some thumbnails are cached for internet based notifications, doesn't mean they don't still store the video locally like they say.

  • @TimSavage-drummer
    @TimSavage-drummer 1 year ago +8

    There is a technical issue with your description of filenames on the CDN. The long "random" string is not random; it's actually an HMAC signature. It is used to verify that the URL has not been tampered with and so the expiry time of the URL can be enforced (this is a standard feature of AWS S3 and CloudFront). However, this does not guarantee that the file itself is removed from the storage account.
    I wouldn't consider this specific element of their system a breach, provided the policies on the underlying storage are configured correctly, e.g. a signed request is required.

    • @TheHookUp
      @TheHookUp  1 year ago

      You are technically correct, it is possible that the file itself is still in the CloudFront cache after the 24 hours, but with no accessible URL. I feel that that point is moot though, since we have no way to determine what their retention policy is on CloudFront or S3 as no evidence has surfaced about those files other than the signed CDN links.
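      The scheme the two comments above are discussing (a URL whose long trailing string is an HMAC over the object path and an expiry time, so that the CDN rejects tampered or expired links while the object itself may still sit in storage) can be modelled in a few lines. The block below is an added illustration written for this thread; it is not Eufy's, Anker's or AWS's code, and the signing key, host and paths are constructed placeholders. It shows what a signed URL does and does not protect: editing the path or the expiry invalidates the signature, a link stops verifying once its expiry passes, and nothing in the check deletes the underlying file.

```python
"""Toy model of an HMAC-signed, expiring URL (the shape of S3 presigned /
CloudFront signed URLs). Added example for this thread; not Eufy's or AWS's
implementation. Key, host and paths below are constructed placeholders."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder signing key; a real service keeps this server-side only.
SIGNING_KEY = b"example-signing-key-not-real"
HOST = "https://cdn.example.invalid"


def _canonical(path: str, expires: int) -> bytes:
    # Everything the signature covers: the object path and the expiry time.
    # Changing either one changes the expected MAC.
    return f"{path}\n{expires}".encode()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a link for `path` that the edge will serve until now + ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _canonical(path, expires), hashlib.sha256).hexdigest()
    return f"{HOST}{path}?" + urlencode({"Expires": expires, "Signature": sig})


def verify_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a request for `url` should be served.

    Returns (ok, reason). Rejects missing parameters, any signature that does
    not match path+expiry (tampering with either one), and links whose expiry
    has passed. Note what it does NOT do: it never touches the stored object,
    which is the second commenter's point about retention."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["Expires"][0])
        presented = qs["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    expected = hmac.new(SIGNING_KEY, _canonical(parts.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many leading
    # characters of the guess were right.
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


def demo() -> dict:
    """Exercise the four cases a reviewer would want to see."""
    t0 = 1_700_000_000                      # fixed clock for reproducibility
    url = sign_url("/thumbs/constructed-event-1.jpg", 24 * 3600, now=t0)
    return {
        "fresh": verify_url(url, now=t0 + 10)[1],
        "after_expiry": verify_url(url, now=t0 + 24 * 3600)[1],
        "path_changed": verify_url(
            url.replace("constructed-event-1", "constructed-event-2"), now=t0 + 10)[1],
        "expiry_extended": verify_url(
            url.replace(f"Expires={t0 + 24 * 3600}", f"Expires={t0 + 48 * 3600}"), now=t0 + 10)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

      The check order matters in a real deployment only for error reporting; here the signature is verified before the expiry so a forged "Expires" is reported as a bad signature rather than as a still-valid link.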

  • @Mr_ToR
    @Mr_ToR 1 year ago +4

    You're thinking you bought a no-cloud product, but in fact it is possible for this company to share camera images with cops or government or with some entity with money. The important fact here is the possibility, not the absence of indication of them doing something wrong with the data. Cut the BS, it is so easy to add a feature to disable all this stuff and choose a secure but not-so-convenient setup with a single check mark.

  • @BuzStringer
    @BuzStringer 1 year ago +23

    The main issue is their marketing is VERY EXPLICIT in saying local only.
    And it's NOT.
    That's enough for me to lose trust, regardless of whether their cloud system is secure or not. I don't care; the cloud shouldn't be used for local only.
    Edit: friendly reminder you can block internet access for any device at the router level or with something like Pi-hole. My TV, Harmony, lightbulb and soundbar are blocked from the internet.

    • @TheHookUp
      @TheHookUp  1 year ago +1

      Yes, I always recommend blocking internet access at the router/firewall level. Unfortunately, as I've reported on in my Eufy reviews, blocking internet access breaks 90% of Eufy functionality.

  • @RJ_Cormac
    @RJ_Cormac 1 year ago +15

    "Temporary, theoretical leak" is still a liability you regularly wouldn't accept with your typical local only advice.
    I don't know of any companies that don't use their customer database as another source of revenue. Eufy has 30 days to off-source the data to another data mine company; there is no evidence yet because that would be an immediate lawsuit. If any users can test and verify these vulnerabilities, this is going to be a slow investigation behind closed doors as long as they can pay a settlement with an NDA. Only once there is a public lawsuit or government investigation/fine will the details of this Eufy investigation become public.
    Problems don't need to be malicious to be serious. The fact that they have already changed their TOS and closed the problems so people trying to replicate the problem can't gives enough probability the problems are true. If this wasn't a problem, they'd leave the system just the way it was before Paul came out. You can't verify this because Eufy has made some public changes and most likely other changes they have not publicly announced.
    The same reasons why President Jimmy Carter went to the nuclear plant in March 1979. He wanted to understand the problem before deciding how much "necessary" information they should release publicly, trying to reduce panic. No, it wasn't going to become a nuclear bomb, but there was the smallest chance it could have Chernobyl'ed. The government had already lied about the 1961 SL1 nuclear disaster, blaming it on user error. It took decades for the public to be informed about the dangerous design and faulty equipment, long after the public forgot about the disaster and no panic.

  • @sbrk
    @sbrk 1 year ago +18

    Cache busting is a common thing which the AWS CDN accounts for very easily, and it is not unreasonable to be expected on event deletion for a service that promotes itself on the privacy aspect as much as Eufy has. Account deletion is a bit more complicated, but doing that recursively is also not hard. They just decided it wasn't worth it. Which for a company that advertises so hard on being privacy focussed and no-cloud is a major problem.
    GDPR certification in and of itself is not a thing. They claim to have ISO 27001 and 27701 certification, which focuses on policies and processes, sadly less on adherence to said policies and processes. GDPR is only really tested by ICOs when potential breaches have happened. And the reasonable expectations and the no-cloud advertising definitely will have an impact on that. But I guess we'll have to wait and see.
    Altogether this is fatal to my trust in Eufy due to actions not being in line with words.

    • @misthafalls
      @misthafalls 1 year ago +2

      Since I ain't using Eufy I never asked them this, but maybe someone should ask them about their ISO 27001 statement of applicability, because an ISO certification is worth nothing without knowing which policies and processes the certification is about.

  • @RealJerb
    @RealJerb 1 year ago +91

    I don't think Anker, with all of their innovative strengths, could have made a more clear and concise video explaining this and you did it with the limited knowledge that the public has on how the data is actually processed behind the scenes. I'm thoroughly impressed, absolutely fantastic job.

    • @tomawest
      @tomawest 1 year ago +4

      If Anker had released a video just like this, people wouldn't trust it. Even though all the facts shown here are correct and should make some people stop and think about exactly how much of a big deal this actually is. Larger companies have gotten away with much worse and this will largely be forgotten about next week. I personally won't be ditching my Eufy cams anytime soon.

  • @puttitat2851
    @puttitat2851 1 year ago +48

    You're almost right. GDPR requires companies hosting or handling your data to provide a data processing agreement, which they don't. And data shouldn't go outside the GDPR-protected countries due to exactly this.
    And there's no such thing as implied consent. You can't even pre-check a 'Sign up for our newsletter' checkbox.

    • @TheHookUp
      @TheHookUp  1 year ago +8

      In that case it will probably come down to what was in the EULA when signing up for an account.

    • @puttitat2851
      @puttitat2851 1 year ago +25

      @@TheHookUp I'm not completely sure you are allowed to put it inside the EULA (you can't hide a newsletter sign-up inside the terms and conditions in a web shop either).

    • @dougle03
      @dougle03 1 year ago +28

      @@TheHookUp I'd be careful venturing into GDPR specifics; many of the people who wrote it don't fully understand its implementation. But the OP is right: under EU law there is no such thing as 'implied consent' when dealing with GDPR. It has to be clear and explicit.

    • @alexc9584
      @alexc9584 1 year ago +12

      @@TheHookUp A EULA may prevent a user from suing Eufy, but it won't stop the EU/ICO from fining them. Also, having checked it out, Eufy's EULA is light on anything around data/data processing/consent.

    • @garethbraid937
      @garethbraid937 1 year ago +4

      What this really means (in the future) is that a window will pop up when you turn on notifications, which basically everyone will click 'Accept/Yes/whatever' on and proceed.
      EUFY probably hasn't done the right thing for EU customers up to now though....

  • @Bremend
    @Bremend 1 year ago +54

    The video stream, which you brushed aside, was the most worrying aspect, and at the end of the day, the response of the company rather than the vulnerabilities themselves is how I judge a company, and their response was just pitiful and just trying to dodge any fault.

    • @o0julek0o
      @o0julek0o 1 year ago +10

      This.

    • @RoofusKit
      @RoofusKit 1 year ago +5

      He brushed it aside because at the time he made the video only a single person had made claims that were largely unsubstantiated.

    • @TheHookUp
      @TheHookUp  1 year ago +5

      Yes, I added the overlay because the Verge article was published after I had exported and uploaded the video but before I set it to public. I re-exported and uploaded to add that it was an ongoing thing.

  • @midgman8421
    @midgman8421 1 year ago +3

    Your response is "Yeah, they lied and deceived customers, but here is why they did so."
    That isn't a valid response to "Hey, I have a problem with this company lying to and deceiving customers."

    • @TheHookUp
      @TheHookUp  1 year ago

      To be clear: I don't think it was okay for them to deceive customers. This video was about clearing up misinformation and helping the general public understand that a CDN cached image is not the same as China compiling a facial recognition database for every American.

    • @midgman8421
      @midgman8421 1 year ago +1

      @@TheHookUp If the point you wanted to get across was "Eufy deceived customers and that's not okay", then you would've made a video about that.
      But you didn't.
      If you actually wanted to get into anything technical, we could pick apart the video's problems, like how you pretend that a malicious actor has to find one specific picture, when that's not the problem at all. You don't need to guess a specific string because you aren't looking for one single image. You just need to hit on ANY string to stumble upon someone's picture.
      I've liked your videos in the past, but this one just feels like you wanted to be contrarian and defend Eufy. The reasoning behind making the video seems myopic and the execution of the video itself is poor.
      Maybe that isn't your intent, but to one insignificant viewer in a sea of meaningless YouTube comments, that's how it comes across.

    • @TheHookUp
      @TheHookUp  1 year ago +1

      @@midgman8421 That's not the point of the video that I wanted to get across. The point I wanted to get across was "Information is being misrepresented by people calling themselves experts, and this is what is actually happening". Your point about stumbling on a single image is not correct. If you aren't targeting a specific image and user then the brute force becomes significantly more difficult since you go from 64 characters of variability to 130 meaning the search space is now 2.15 x 10^202. If we guess that Eufy has 10 million customers each with 1 million images (both are overestimates), and we ignore the fact that the URLs are only valid for a day there are still only 1 x 10^13 correct URLs in that search space, and counterintuitively (2.15x10^202)-(1x10^13) is still 2.15x10^202 of invalid URLs.

    • @midgman8421
      @midgman8421 1 year ago

      @@TheHookUp Good point.

  • @edincanada
    @edincanada 1 year ago +5

    To anyone thanking this guy for providing "clarity" or "details": I'm a software engineer and former Amazon cloud dev. A lot of the technical stuff he said is factually incorrect.

    • @TheHookUp
      @TheHookUp  1 year ago +2

      Instead of posting completely unhelpful shit, why not provide corrections? If you know better than me more power to you.

    • @edincanada
      @edincanada 1 year ago +2

      @@TheHookUp Classy rebuff. Flawless pinpoint logic. Plenty of comments have already addressed the technical ignorance this video spreads. It may take more reading than it probably did to make this video, but if you go through this comment section, you'll find plenty of technical professionals, each rebutting a different part of this video. Even with a YouTuber brain, you would realize a retraction video would only earn you more views.

    • @TheHookUp
      @TheHookUp  1 year ago +2

      @@edincanada Actually, the vast majority of comments from people in the industry are in agreement. Again, you chose to respond with completely vague and unhelpful bullshit instead of posting a single correction to the video. My guess is you actually know zero about this subject.

  • @unitedeurope8614
    @unitedeurope8614 1 year ago +2

    Many thanks. Very insightful and very differentiated, something seldom found today.

  • @xrmike68
    @xrmike68 1 year ago +5

    Feels like a Eufy defence post... At the end of the day, they make a BIG deal about it's private, local is important, they don't store your images. If the functionality THEY provide requires them to do the OPPOSITE of what they are saying is important for the device they are selling, then they are 100% lying about one or the other (in this case we know it's the local\privacy of the device). Also, some of the information here has already been proved untrue: a short link is pretty easy to brute force and, even worse, it's a head directory that has images of multiple users. Also, the argument of consent is ridiculous; when their page on the device is telling you it's local to you and private, there is no reason to think you are consenting to cloud caching\storing of an image. It's also been proven you do not need cloud cached images to provide rich notifications, pure and simple.

    • @xrmike68
      @xrmike68 1 year ago +6

      I would like to add, it is a shame to see someone who is a trusted source for smart home information have such moot points towards why what Eufy have done is ok. This video may not be sponsored, but it sure feels like it's a "hey, Linus isn't working with you guys anymore but I'm still here for your products in future", which is really disappointing, as there aren't that many good, trusted sources specifically in smart home tech, at least that I have found.

    • @TheHookUp
      @TheHookUp  1 year ago +9

      "Also some of the information here has already been proved untrue, a short link is pretty easy to brute force and even worse, its a head directory that has images of multiple users."
      Ah yes, the anonymous source who was able to do those things, but doesn't want to be named and can't provide any evidence. This channel is based around facts, so if and when information is released I will respond to it. As Hitchens's Razor says, "That which can be asserted without evidence can be dismissed without evidence."
      By the way, I have no disagreement that Eufy needs to rework all of their marketing claims, and should be held responsible for "Local Only" misrepresentation. I didn't spend a lot of time talking about the fact that they advertise "Local Only" because in my mind that is an irrefutable blunder that doesn't need any further clarification. Instead I focused on the technical issues that were being misunderstood.

  • @d1gg3r
    @d1gg3r 1 year ago +1

    Is it worth a followup on this? Have they fixed the issues or clarified their information at least?

  • @michaelcorcoran8768
    @michaelcorcoran8768 1 year ago +6

    Anker throws a lot of sponsorship money around. There's going to be a lot of YouTube apologia. They won't sponsor the actual apology or defenses of Anker, but they will support these channels in other videos. I'm already noticing the people that rely the most on Anker are claiming this has been debunked, even though the brand itself has apologized.

    • @TheHookUp
      @TheHookUp  1 year ago +2

      I'm not sure I'd call it "Debunked", but there have absolutely been misrepresentations by Paul Moore and Linus. Also... I don't rely on Anker at all.

  • @joelluth6384
    @joelluth6384 1 year ago +3

    The technical details of why Eufy operate like they do are not really the issue for me. The issue for me is one of policy, honesty, and trust. Eufy, like Wyze before them, have been caught being at best evasive, and at worst outright dishonest. I for one will never, ever put one of their cams in my house.
    Can any cloud company be completely trusted? Of course not. But that's hardly a defense of such behavior. If we don't hold companies accountable for this then we deserve what we get.

  • @TimBass
    @TimBass 1 year ago +5

    Are you sure notification images need to be hosted without authentication? I don't know the answer, but that doesn't sound right. At least from what I know of android, no idea about Apple.

    • @TheHookUp
      @TheHookUp  1 year ago +1

      Pretty sure, yes.

    • @Casey.Hillman
      @Casey.Hillman 1 year ago +2

      @@TheHookUp Not accurate; there is no technical reason not to have the images behind authentication. Besides that, it is against industry best practice.

    • @sjwright2
      @sjwright2 1 year ago

      @@Casey.Hillman What you've said makes no sense. Authentication baked into a plaintext URL is functionally *identical* to an unguessable URL with no authentication.

    • @Casey.Hillman
      @Casey.Hillman 1 year ago

      @@sjwright2 Apologies if my comment conveyed that I meant "Authentication baked into a plaintext URL" should be done.
      If the images to be included in the rich notification are sensitive, then the developer should not be using a plaintext/direct link to download them.
      Alternatively, they should add a step on the app/client side to authenticate and download the image over a secure connection.

    • @davinchewk
      @davinchewk 1 year ago

      @@Casey.Hillman Push notification services controlled by Apple for iOS and Google for Android do not work in this way. The messages between the app and Google (or Apple) ARE encrypted. But the resource which Google (or Apple) needs access to in order to perform the push must be accessible by them (and therefore the public).

  • @dragonfalcon8474
    @dragonfalcon8474 1 year ago +2

    Local ain't 100% local if anything at all goes on the interwebs. #FalseAdvertising.

  • @WatchesTrainsAndRockets
    @WatchesTrainsAndRockets 1 year ago +2

    You are wrong about the need to store the images on the server. The image is NOT required to be stored once the receiving device confirms that it has been transferred. At that point, it should be deleted. Furthermore, there should be no capability to obtain the images from the server by any API request. The mechanism should be that the image is buffered on the server only for the length of time necessary to successfully transfer it to the intended recipient. If the recipient device is connected, the transfer takes place immediately. If it is not, then it is transferred at the time that the connection is established. The availability of the connection, and not an API request, should be the triggering event. The only technical necessity for the way that it has been done is that they are either too clueless about how data communication works under the hood and are just using an equally clueless or unsuited development tool to create the code, or they just don't care. Please stop defending the indefensible.

    • @TheHookUp
      @TheHookUp  1 year ago

      So you are saying you want them to invalidate the CF cache after every checked notification? Security/privacy wise what is the advantage? The amount of extra compute that would require is insane.

    • @WatchesTrainsAndRockets
      @WatchesTrainsAndRockets 1 year ago +1

      @@TheHookUp The advantage is that the image is not there to be accessed through an API that should not exist and thus keeps the image in the cloud only for as long as it is needed to complete the transaction. How they do it is up to them. Perhaps CF cache is not the best way if it is too expensive to remove the images from it immediately upon completion of the transaction. The point is that you select a solution based on requirements, not the other way around.

    • @TheHookUp
      @TheHookUp  1 year ago

      Just FYI, when you say "an API that should not exist" what I'm certain that you mean is "an API that should not be public". The API must exist for the app to work, cloud or not. Most people consider public APIs to be helpful because they allow integrations with programs like Home Assistant, but I agree, we wouldn't even be having this conversation if the API was encrypted in the first place.

    • @WatchesTrainsAndRockets
      @WatchesTrainsAndRockets 1 year ago +1

      @@TheHookUp Let me be a bit more specific: an API function that should not exist. As I described earlier, the APP does not need to pull down the image through an API call. All that is necessary is a secure connection between the app and the server. The reaction by the server to the connection is to push any buffered notifications for that client. If the client uniquely identifies itself to the server as part of the connection handshake, there is no need for an API call to request data. The API is a result of not-well-thought-out design decisions and not any technical necessity.

    • @TheHookUp
      @TheHookUp  1 year ago

      @@WatchesTrainsAndRockets The behavior you are describing is exactly what an API is.

  • @Asdosie
    @Asdosie 1 year ago +83

    Huge respect for making this video, you've opened my eyes to this entire situation. Keep up the amazing work!

  • @Parmigiano1
    @Parmigiano1 1 year ago +1

    UniFi does not require cloud login. It can be managed 100% locally. Although cloud is needed for initial setup AFAIK.

    • @TheHookUp
      @TheHookUp  1 year ago

      Also, that's not what I said. I said you need a ui.com login to access UniFi Protect remotely.

  • @kovkus
    @kovkus 1 year ago +28

    I think the main story here is not that Eufy uses a CDN cache or that the rich notification image is "public" on the internet (I mean every manufacturer needs to have it publicly accessible; it's just a question of how hard it is to find). I think the main problem here is that Eufy is marketing those cameras very hard as "local only". And yes, if I'm going to buy a local only product I wouldn't expect it to upload anything whatsoever to the cloud (no matter GDPR or what policies are in place). I'm aware that a marketing claim is not a legal claim, but that is another topic.
    So at the end I stand with Linus: an uneducated user would think that the problem is some public JPG address when the real problem is the promises made by the manufacturer. If there are features which can't work without cloud, okay, just turn those off for users, so it would be the "price" for having a local device. But yes, I guess no company wants to have a "dumb" device.

    • @davidew98
      @davidew98 1 year ago +8

      I agree.
      Local only means no cloud.

    • @VilmaHallikas
      @VilmaHallikas 1 year ago +10

      If they claim it's local only and lie about that then what else are they lying about? I know, I'm a pessimist and like to think worse of people and companies but then again, we have seen many S3 buckets configured with wide open access....
      I hope Eufy can clear this up.

    • @TheRickJames
      @TheRickJames 1 year ago

      It's a feature, one of many available. They aren't advertised as always local no matter what feature is used. They function local and/or offline just fine. If you want to use an advanced feature that's offered that will require this, then that is your decision. This is no different than just about any other IP camera: you can operate them without connecting to the internet, but if you want to use the app or push notifications you obviously have to connect to the internet....

    • @davidew98
      @davidew98 1 year ago +4

      @@TheRickJames It's simple, they lied! They never said you choose, they said local!

    • @kovkus
      @kovkus 1 year ago +4

      @@TheRickJames Yes, the first thing is that they never said that you have the possibility to choose if you are opting in to the cloud notifications, for example. And what you are saying is not true; you can achieve local only face detection and notifications. For example, if you use Home Assistant or any other solution which is out there, there are many companies who are leveraging machine learning on chip.

  • @martinsherry
    @martinsherry 1 year ago +88

    You are without a doubt taking a risk in making this video.
    All the more kudos for making it.
    I've always liked your videos and this makes me respect you even more.

    • @remyb833
      @remyb833 1 year ago +3

      What risk, really? For people to unsubscribe because he has a point? Then those people shouldn't be subscribing in the first place. This whole "risk for my career" is overstated, I think.
      I'm open to your thoughts on the risks @TheHookUp

    • @MumrikDK
      @MumrikDK 1 year ago +14

      @@remyb833 Linus has a massive viewer base of not super critically thinking people. The "risk" here can simply be of harassment.

    • @martinsherry
      @martinsherry 1 year ago +1

      @@remyb833 Fair question.
      Yeah, I think it's because while he has done his research, he could potentially be wrong on one or two points which could then be blown out of proportion and be used to discredit him and his channel, even though the rest of the content is perfectly valid.
      And as soon as you put your head above the parapet and expound any unorthodox view, you suddenly acquire a band of haters from the other side who will snark from the sidelines.

    • @steppedon
      @steppedon 1 year ago +1

      @@martinsherry Risk? For anyone who doesn't live out their lives via YouTube subscriptions there's no risk at all. I'm more likely to unsubscribe from Linus for the pitchforks and mob mentality than I am from this more in-depth take.

    • @satl3161
      @satl3161 1 year ago +1

      Lost respect for Rob here, defending a company that's clearly in the wrong.

  • @zearthus7089
    @zearthus7089 11 months ago +1

    But since this company is based in China, do not expect your data to be private.

    • @jvwMUSIC
      @jvwMUSIC 6 months ago

      Even if it's not hosted in China, that's not something you can write off; the largest data collectors are in the US. Even if ones like Google don't ostensibly sell your info to 3rd parties, they use it and retain it.

  • @brendonv101
    @brendonv101 1 year ago +48

    As a Eufy customer with my whole house setup with them, this news really annoyed me. The reason being, that "no cloud storage" claim was the absolute selling point for me. To now find this is only half true has left me with a bad taste in my mouth. If they've bent the rules with that huge claim, what else are they hiding?

    • @ianpark2121
      @ianpark2121 1 year ago +7

      Anker's pockets run deep with YouTube creators.

    • @lovelipstik
      @lovelipstik 1 year ago +2

      Great point. Eufy should have been a lot more HONEST with their marketing and claims. NO need for them to be so out there about features and specifications that do not exist. Their products are good and we have enjoyed utilizing the Eufy Security App, which has been very easy to use. Too bad they have made claims that are embarrassingly untrue. Hopefully they will be more transparent from now on, since they have been called out on several platforms about being so misleading.

    • @Michael-vf5id
      @Michael-vf5id 1 year ago +1

      Eufy is awesome; it does not really bother me because I know someone would need 100 yrs to access my camera.

    • @david_santiagoo
      @david_santiagoo 1 year ago

      @@Michael-vf5id What's with Eufy themselves? You know that they are Chinese.

  • @insydian
    @insydian 1 year ago +1

    I agree with you on most things. However, the photos being uploaded to eufy servers is not under implied consent. Implied consent is given with any REASONABLE(knowledgeable) person. In technology the only reasonable people are us nerds who understand what is going on. The neighborhood grandma cannot give implied consent on something she doesn’t understand.

    • @TheHookUp
      @TheHookUp  1 year ago

      That is a good argument. Of course, this is all up to the courts now.

  • @RyanHaver
    @RyanHaver Рік тому +15

    First off, I love your videos and appreciate how clearly and calmly you present information. I think you have a really level-headed view on the situation, but I do think you are overlooking the bigger issue here, which is that Eufy made bold claims of End-toEnd Military Grade Encryption and not storing any user data in the Cloud. To add insult to injury, multiple Eufy high-up representatives have stated that none of the claims made by Moore and others are true or even possible. Brett White, a senior PR manager at Anker, said “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC" Other Eufy representatives have denied all claims have any merit....which makes no sense because they clearly do store your data in plain text, unencrypted in the Cloud.
    I'm sure we will know more as the dust settles, but there are a multitude of very concerning claims such as
    1) They aren't or weren't encrypting their API calls and/or the encryption keys that are part of those API calls
    2) Cameras RTMP streams can be remotely started and viewed without authentication or encryption (multiple independent 3rd party sources have confirmed this)
    3) The camera stream URLs are mostly comprised of a camera's serial number in base64 encoding, which is easily reversed in seconds. Serial Numbers are almost always on the boxes which make this one even more concerning.
    4) Encryption that is being used is weak and not military grade as promoted by Eufy
    5) For encryption that is used they are using a compromised hardcoded encryption key that is publicly accessible in plain text on Github
    Edit: fixed the more obvious spelling and grammar errors...because I'm that way

  • @joejey00
    @joejey00 Рік тому +2

    It's either right or wrong. 'Military-grade encryption' is kind of misleading to me. Also the 'sync' flaw: what kind of 'SECURITY' cameras does this company make?

  • @B_L
    @B_L Рік тому +6

    Hope eufy comes up with a discount after this so I buy more 😅

  • @celluskh6009
    @celluskh6009 Рік тому +2

    I can't believe this video is still up, and you're still claiming you're "clarifying technical details" when you're actually just referring back to Eufy's website. Someone who actually tested the equipment found the URL only has around 65k combinations, so how do you claim it would take 'ten times the life of the universe' to find one you want? What a disgrace. You're obviously getting kickbacks for your 'reviews', which make them worthless. And just to be clear, that's just me clarifying a technical detail.

    • @TheHookUp
      @TheHookUp  Рік тому +1

      You are confusing the RTMP URL (not discussed in this video), with the still image URLs. It would absolutely take "ten times the life of the universe" to brute force an Amz-Signature.
      As for the RTMP URL (again, not discussed at all in this video), there are a few things that The Verge omitted in their coverage:
      1. Cameras only had an RTMP stream available when they had previously been accessed through the web portal. If you were like the 99% of Eufy users that only used the phone app, then there was no RTMP stream on your camera.
      2. If you wanted to brute force those 65k combinations, you would need to make sure the camera was constantly "awake", as you couldn't initiate the stream, you could only view it.
      3. There were ZERO successful attempts to brute force an RTMP stream even with the weak encryption, everyone who was able to view an RTMP stream of their own camera did so by scraping the URL from the Eufy web portal.
      4. Shortly after the 65k combination "vulnerability" was reported, Eufy added additional security to the URL to make people feel better: twitter.com/spiceywasabi/status/1602401940666650624
      I made a whole follow up video but never uploaded it, mostly because of people like you who have no idea what they are talking about, but were still posting accusatory garbage in the comments section and "thumbs downing" the video, which isn't good for my channel health.

  • @onac3079
    @onac3079 Рік тому +44

    While I totally agree with what you said and support you, I think you understated the biggest problem here. Eufy advertised “no cloud”. That alone makes this a story that they should take a ton of heat and impact for. We cannot allow companies to lie like this and get away with it. They had every opportunity to say something like mostly cloud free unless you want rich notifications. Then people would be opting into the cloud.
    Even if it is amazingly secure they deserve the backlash for claiming no cloud. This needs to be a warning to all companies. Be transparent from the start.

    • @tomawest
      @tomawest Рік тому +7

      Don't disagree that Eufy shouldn't have been advertising their products as No Cloud, however it's been obvious for a long time that some sort of cloud service was in use to get these cams to work.
      Rob called it out here and he's called it out every time he's had a eufy cam in for review.
      Sure Eufy shouldn't have been advertising as No Cloud as it was oversimplifying their offering. The fact they did say that has allowed channels like LTT to make what is already a fairly big screw up, sound far worse than it is.

    • @davinchewk
      @davinchewk Рік тому +3

      What does "no cloud" mean to you? To me it means my video footage is not saved onto other people's computers. This is still the case with Eufy. But if your definition of no cloud is "no internet access at all", then yeah, Eufy fails this definition. But I would much rather have a globally accessible video stream by giving Eufy the ability to proxy/restream my camera feed when met with an authorized request (ie: when requested from my phone app) than to have a LAN only security system.

    • @dwild92
      @dwild92 Рік тому +4

      @@davinchewk The thumbnail was stored on the cloud. It failed the no cloud definition from there. By the way, you can stream using your own internet connection; Plex does it automatically by using a simple UPnP request to the router. If that fails, it will proxy it through their server, but it will still do it in a secure way using end to end encryption. I still hope that's what Eufy is doing for videos, but sadly, the thumbnail for sure wasn't done that way. Add to that the fact that it seems like the recognition was done on the server (which is scarier but that's beside the point here), and there's not much trust left.

    • @davinchewk
      @davinchewk Рік тому +1

      @@dwild92 What exactly is insecure with Eufy's implementation? It's a URL that expires after 24hrs and is only accessible when given the correct security token (as a query string in the URL). The only way anyone can get access to this URL is if you open Chrome inspector (like this Paul guy did) and share it with other people.

    • @dwild92
      @dwild92 Рік тому +3

      @@davinchewk I didn’t say it was insecure, but one thing that happens quite often is misconfiguration of a bucket that makes its listing public, so that's one possible insecurity. Employees also have access to the images, which for some is a big issue too.
      The real issue though is the lie of saying no cloud while still involving a cloud. When you advertise something and it turns out false, what else may they be lying about?
      No cloud means no cloud. It’s simple.

  • @s0david
    @s0david Рік тому +1

    The problem isn't that it connects to a cloud. It's that all the marketing suggests fully local.

  • @laloajuria4678
    @laloajuria4678 Рік тому +4

    did you read the verge article about vlc issue?

    • @TheHookUp
      @TheHookUp  Рік тому +1

      Yes, I'll definitely be investigating that further.

  • @GratitudeForVeritas
    @GratitudeForVeritas Рік тому +1

    Thanks for this, it's really helpful in terms of understanding the current complaints. They made compromises, but I think it's really helpful to understand those compromises and how those align (or not) with use case.

  • @null7581
    @null7581 Рік тому +55

    Wow, mad respect for making this. As a privacy advocate I was up in arms about this, but your explanation makes perfect sense.
    I DO believe users should have been informed about the events prior to them happening, especially with facial recognition. However, the way they handled notifications makes sense: they would not want to inform users of every tech procedure, which is admittedly against convenience. As an example, I could see many people denying permission for this, then complaining that notifications were not functioning. A very interesting story and an excellent job relaying the other side of the systems.

    • @millionmice
      @millionmice Рік тому +7

      'if we do this right people won't understand' is not a good justification for doing things in a suboptimal way

    • @MinotaurUK
      @MinotaurUK Рік тому +7

      I'm not sure 'the end users won't understand about notifications' is going to be an effective defence when the various EU information commissioners start looking at possible penalties for this.

    • @JustSomeGuy009
      @JustSomeGuy009 Рік тому

      You think all these platforms and services you use "inform" you on how all the technology works and behaves? Your TV is probably doing more to take advantage of your privacy and you have no clue what it is doing. You continue to use it though. That list is endless. Besides, it's probably covered in agreements you make when using the application(s) which you don't bother to read.

    • @millionmice
      @millionmice Рік тому +1

      @@JustSomeGuy009 You're using language so vague as to be meaningless.

    • @MinotaurUK
      @MinotaurUK Рік тому +1

      @@JustSomeGuy009 Well, I make sure my TV is never connected to the internet, precisely because I have read its privacy policy and know how hideous it is from a privacy perspective, but I appreciate I am probably not the typical user.
      My point is that from a GDPR perspective, there is a requirement to publish an easy-to-read privacy policy that highlights the key information processing procedures. You can't bury stuff like this on page 217 of the T&Cs anymore.

  • @NameyNames
    @NameyNames 9 місяців тому +1

    Manufacturers don't have to choose between "easy" and "advanced"; they could instead leave that up to the user. "Easy" (= cloud shenanigans enabled) would be the default, but if the user so wishes, "advanced" (= no cloud shenanigans unless explicitly allowed) could be enabled.
    I'd be in the "advanced" crowd. To me, Eufy's cloud shenanigans are not even REMOTELY ok. I don't agree with you at all; to me it's not a matter of breaking laws, it's a matter of breaking trust. If they wish to store ANYTHING in the cloud, I don't care if it would just be a random sequence of bytes of zero significance, they'd have to ask for my EXPLICIT consent. And I would deny it. Always.

  • @392redienhcs
    @392redienhcs Рік тому +10

    Know what's wrong with your video? It's the mostly. If a customer used Eufy's product because of their "Local-only" claims, then that's what...50%, 75% of the reason they went for Eufy. So your "Mostly", is really just "A little bit".

    • @TheHookUp
      @TheHookUp  Рік тому +5

      But that's not what the video is about. The video is about clearing up misinformation about CDNs, selling user data, and authentication. I'm not making the argument that Eufy marketing "local only" is somehow okay.

  • @KatoKrazy
    @KatoKrazy Рік тому +1

    Dude it literally says it's all local storage then they are sending things to the cloud.

  • @millbean13
    @millbean13 Рік тому +9

    THANK YOU. Finally a fair and accurate representation of the facts. I also saw the recent Wan show about this Eufy “issue.” This is not the first time Linus has jumped on a story without researching the relevant facts and been burned by the revelations that his statements were wrong. I don’t remember the video but it was a while back, I think about PS5 or something. He ended up making an apology video about it too. Thank you for taking the time to actually go through all the provided info about this story. I am not a programmer and would have no idea how to tell if these claims by the original guy or Linus were accurate or not. I GREATLY appreciate when someone is willing to take the time to do this. I’ve been watching for a while now and videos like this make me want to continue supporting the channel. Thanks again.

    • @dougle03
      @dougle03 Рік тому +2

      So Eufy are not storing images in the cloud then, despite their marketing saying 'No cloud'....? - Linus might have jumped the gun a little, but he was not wrong.

    • @millbean13
      @millbean13 Рік тому

      @@dougle03 Cloud storage is used as part of Eufy's normal operating procedure to provide facial recognition and other features. As per GDPR compliance they have an amount of time to delete any gathered images, which doesn’t constitute a breach of operating procedure. Nothing said by the original guy who first voiced this problem or by Linus clearly determined that Eufy was violating this. Yes, using the terms “no cloud storage” as an advertising point gives a certain impression to the customers, but you could easily make the point that Eufy is, in fact, following that claim by not storing things on the cloud past the allotted time limit. They could have been more clear in advertising, but no company is going to put a paragraph explaining how their facial recognition feature works on the box. Linus has a history of shit mouthing a product or company (not just the one example I used but multiple times) where it came out that what he said was completely inaccurate and wrong. Millions of people watch him and his words can cause big problems for a company when he convinces his subscribers to follow his lead. He should hold himself to the highest possible standard when disseminating ANY information.

    • @millionmice
      @millionmice Рік тому +1

      @@millbean13 But their advertising doesn't restrict itself to "GDPR compliant". Using GDPR compliance here is sophistry. Things may not have been as bad as implied by Linus, but they are worse than this video implies.

    • @MinotaurUK
      @MinotaurUK Рік тому +2

      @@millbean13 If you say 'no cloud storage', then it is reasonable for an end user to conclude that their data is not being transmitted to any cloud storage providers, for any period of time.
      There's nothing in GDPR which says 'yeah, you can send stuff to a cloud provider without consent for a short period of time'. That's... not how it works.
      It's Eufy's responsibility to state - explicitly and clearly - how their features work. Again, that's a basic GDPR requirement.
      All it would have taken is a little notice in the app when people enable rich notifications along the lines of 'This will send images from your camera to our cloud services. Click here to confirm you agree.'

    • @dougle03
      @dougle03 Рік тому +1

      @@millbean13 You're attempting to excuse EuFy for sharing personal information in the cloud without the users explicit consent. It does not matter what it's used for or how long it's there, the fact is they lied and did not get explicit prior consent from the customer to store their personal data in the cloud. Rob can excuse EuFy's behaviour all he likes, but the facts are as stated. The EU will undoubtedly prosecute Anker for a serious and substantial data breach, and rightly so. Companies need to learn that our data is protected.

  • @leebowers1783
    @leebowers1783 Рік тому +2

    Thank you. I had got worried about privacy after all the money I spent. 👍

  • @mrgaryvales
    @mrgaryvales Рік тому +2

    I am tired of being duped by Eufy!!!! I bought HB3 when it was released because they promised backward compatibility with most other cameras, specifically dated Oct 2022! Well it is now Jan 2023 and still nothing, but they keep on switching the dates with NO communication to the loyal customer. I wasted my money on this upgrade, as HB2 was working just fine. To boot, their support community is terrible! I will be searching for another security company in the future.

  • @jorelplay8738
    @jorelplay8738 Рік тому +10

    Imagine the following situation: I don't have a degree in computer science, I don't work in IT and I'm no programmer. My day job has nothing to do with computers, but I'm enthusiastic about self hosting and home automation.
    If a company boasts how they don't collect any data, everything is stored locally and no one else has access to my data, how am I supposed to know they're lying, or that despite them saying they don't, they're sending captures to their cloud servers? I don't know how Android notifications work, I'm no mobile developer! It took a literal security expert to find what Eufy is actually doing.
    By saying "oh, you're stupid because of course they need stills (with user ID attached) for the notifications" you basically tell normies that they have no place in home automation, and that really secure and local HA is for experts only.
    Saying

  • @chrislosada6701
    @chrislosada6701 Рік тому +5

    My dude totally missed the mark..... They are saying they do complete local storage and that's just not the case. It's not a thing of "ahh it's because features".... they LIED to the customers.

  • @Kattakam
    @Kattakam Рік тому +2

    Lots of assumptions, non-SLA validation, and non-hacker statements about what needs to happen to get data. If you are transmitting data without encryption you are open to exfil with scripts and basic cyber attack TTPs. Lastly, with machine learning/AI and higher efficiency systems coupled with state actor money and capabilities, users' biodata is as good as exfiled. S3 bucket traffic goes through BGPs hosted in other countries not under EU regulations. Just saying.

  • @jefflicquia1088
    @jefflicquia1088 Рік тому +15

    The Verge confirmed the VLC streaming bit, and also was able to reverse-engineer the links and identify the source of parts of the URL path, which seems to reduce the security of the links. I'd be interested in your take on their findings.

    • @TheHookUp
      @TheHookUp  Рік тому +11

      I'll be investigating further, but part of the process that they went through was pulling the token from the web interface after authenticating. Hardly seems like an exploit and more "this is how an RTMP stream works".

    • @adroxx_
      @adroxx_ Рік тому +10

      @@TheHookUpAs a streaming engineer… all of this makes me laugh. These are basic content delivery principles; nothing is being exploited here. 😂

    • @pkt1213
      @pkt1213 Рік тому +3

      @@adroxx_ I went and looked up the Verge article. I read it as "could be better" but it isn't insecure.

    • @ericesev
      @ericesev Рік тому +1

      ​@@adroxx_ The base station could have very easily encrypted the stream with a key that only the mobile device could access. There's no need for Eufy to have access to the data here.

    • @adroxx_
      @adroxx_ Рік тому

      @@ericesev So you want to host and serve your own notifications? That is not reliable, and would negate the purpose of the device.

  • @joskamps4711
    @joskamps4711 Місяць тому

    thank you very much for the insight, and providing some nuance to the discussion. Perhaps I'll get one after all

  • @wardagainstuber
    @wardagainstuber Рік тому +3

    Beyond dozens of basic severe infosec issues, this seems to be the crux of the legal complaint:
    From EUFY itself
    "On-Device AI
    Everything In-House
    Our super-smart AI is built into every eufy device. It analyzes your recorded footage without the need to risk your privacy by sending it to the cloud.
    Local Storage
    For Your Eyes Only
    Home is where your data belongs. With secure local storage, your private data never leaves the safety of your home, and is accessible by you alone."

    • @TheHookUp
      @TheHookUp  Рік тому +2

      "your private data never leaves the safety of your home"
      Yes, that is a blunder for sure.

    • @nomen.nescio
      @nomen.nescio Рік тому +3

      @@TheHookUp that is an unforgivable blunder, that you are defending.

    • @sjwright2
      @sjwright2 Рік тому +1

      ​@@nomen.nescio No, he isn't defending that. The video is here to correct false or misleading statements made by others. Criticism of bad actions should never rely upon perpetuating falsehoods.

    • @sjwright2
      @sjwright2 Рік тому +1

      It's also worth noting that whether a cloud is involved or not, the stated feature of rich push notifications sent your smartphone when you're not at home *by definition* requires private data to exit your home network.

    • @nomen.nescio
      @nomen.nescio Рік тому

      @@sjwright2 yes, he is defending it. And I've not seen him prove ANY of the statements "false". He just shows a complete lack of understanding security.

  • @Monasucks
    @Monasucks Рік тому +1

    GDPR is opt-in and not opt-out... thus not compliant.

  • @irenaeusofpensacola
    @irenaeusofpensacola 10 місяців тому +8

    This was a very helpful video. I was looking at Eufy as a security camera provider and this helped ease my concerns. I appreciate that you thought through this and shared a level-headed response rather than trying to make a quick buck by hyping a nothing burger.

  • @Jraijin
    @Jraijin Рік тому +2

    There is one additional thing that I was hoping you would cover. It is when you depress the reset button for more than 10 seconds on a camera, the video recorded from that camera is hidden where it was stored. So in effect, the recordings are gone. Currently it is being called a “feature” by Eufy/Anker however, smarter folks than me think otherwise.
    So, I’m thinking if someone knows this “feature” they could walk up to a camera, then press and hold the button for 10 seconds. It deletes the audio/video and unpairs the camera from the base. They could then just take the camera to prevent the recovery of the files. (Apparently, if you re-pair the device with the base, you can access the hidden data/audio/video)

    • @TheHookUp
      @TheHookUp  Рік тому +1

      I have covered that in my other videos about Eufy products. However, I have heard reports that Eufy pushed a new firmware to prevent the factory reset of cameras that are already associated with an account.

  • @mrt1426
    @mrt1426 Рік тому +5

    I’m sticking with Eufy. They’ve always been super solid cameras and customer service has been on point too. Yes they messed up but I’m not dumping all my Eufy gear to switch to what? Ring? Simplisafe? No thanks.

  • @romanma2556
    @romanma2556 Рік тому

    Paul's video had me questioning until I watched this one. As someone who works with data, I see many points made from a standpoint of fear and lack of knowledge of how things work.
    Eufy doorbell footage isn't 100% local.... Oh well, if you want online notification, the data can't be completely local. Thumbnails and photos... Maybe a bit concerning.... but to be fair there are many more of my photos available online anyway.

  • @mikeward1701
    @mikeward1701 Рік тому +4

    Read the article by The Verge, Eufy / Anker actively and definitively lied about the ability to access live streams of videos.

    • @TheHookUp
      @TheHookUp  Рік тому +5

      I dunno. They authenticated the stream in the web interface and then just opened that stream in VLC. That's not particularly surprising behavior and is how RTMP typically works.

  • @mustanggtwap8791
    @mustanggtwap8791 Рік тому +2

    The Wan Show have responded to your video - are you going to respond back?

    • @TheHookUp
      @TheHookUp  Рік тому +3

      Probably not. Unfortunately the comments section of this video is mostly garbage from people who didn't even watch my video, but came as part of the LTT angry mob. The purpose of the video was to clarify technical details that were being misrepresented by Linus and Paul Moore and that has unfortunately been spun into me being some kind of a shill.
      The most disappointing thing was that Linus doubled down on last week's WAN show, not only ignoring the main focus of this video about CDN URLs, but also suggesting that port forwarding would be a better option. He also misrepresented what I said about the CloudFront URLs not being able to be brute forced, and instead spoke about the VLC URL being brute forced which is a completely separate issue that hasn't been investigated.
      I understand that Linus is busy, but I question whether he even watched my video.

  • @MrTjnielsen81
    @MrTjnielsen81 Рік тому +7

    Well done on calmly examining the issues and providing relevant background information to understand what's going on.
    Having said that, Eufy really needs to address this situation properly rather than pretending that everything is fine. Their advertising and their business practices do not currently align, and that needs to be fixed. There are genuine vulnerabilities that need to be fixed too.
    I hope Eufy fixes this properly - they make great products and it would be a shame to see them boycotted out of business

    • @TheHookUp
      @TheHookUp  Рік тому +1

      Yes, this appears to have uncovered further vulnerabilities that need to be addressed. Not excusing Eufy here, but I think you'd be surprised how many vulnerabilities are actually out there for every company and the cybersecurity industry is basically just getting off the ground.

  • @MrAlucardDante
    @MrAlucardDante Рік тому +2

    How to run your smart home 100% locally (btw this works for any smart home tech, not just ip cameras/doorbells)
    1. Buy any camera that supports RTSP
    2. Buy a raspberry pi for $40 (even better run a linux server on an old computer) and run adguardhome/pihole
    3. Block any dns request for your ip cameras
    4. Use your favorite nvr to record everything locally (frigate, shinobi, blueiris) and use home assistant to send notifications

    • @TheHookUp
      @TheHookUp  Рік тому +1

      Lots of ways to accomplish 100% local, that's definitely one of them. However, it's still inaccessible for 95% of users due to technical knowledge barriers.

    • @davinchewk
      @davinchewk Рік тому

      @@TheHookUp Would this actually be local though? How does an image in home assistant get pushed to your phone without going through "the cloud"?

    • @TheHookUp
      @TheHookUp  Рік тому

      @DAVINCHE Usually port forwarding, tailscale, or a cloudflare tunnel.

    • @MrAlucardDante
      @MrAlucardDante Рік тому

      @@davinchewk if you have a domain name, you can access your home assistant outside your local network. It obviously goes through your ISP and your DNS provider, but it doesn’t rely on any cloud to serve you the content

    • @davinchewk
      @davinchewk Рік тому

      @@MrAlucardDante I was mainly wondering how push notifications in home assistant works because I do run home assistant, ddns and HAProxy on my router for forwarding.

  • @brillest
    @brillest Рік тому +4

    Thanks for your video. I saw Linus' video, but what he was claiming just didn't sit right. It makes sense that thumbnails are stored on the cloud rather than having to serve them locally. Some people may not have the best bandwidth, and what if someone in the family is uploading a large file at the time you want to check your notifications? When you look at their documentation for storage (they refer to three places: local, NAS, or cloud), they are referring to permanently stored images and videos. It does seem though that people have a hard time distinguishing something which is stored permanently from something which is stored in a transient manner. As you point out, there's no proof of any ill intent, such as sending the entire video temporarily to the cloud. Streaming is a completely separate topic/issue and nothing related to storing data in the cloud, so it's too bad there are people mixing the topics.

    • @DominicRusso17
      @DominicRusso17 Рік тому +3

      A couple of things to point out though:
      #1: The way they're handling the "rich" notifications is not uncommon in the industry and may very well be the "best" (most efficient, most economical, etc.), BUT, when advertising something as cloud-free, it should probably warn users when switching from text to rich notifications that this means thumbnails may be temporarily uploaded to the cloud for notification purposes.
      #2: There ARE options for keeping it local (using an internal VPN, using an encrypted proxy "tunnel", etc.) that would not have had the need to upload thumbnails to the cloud, but Eufy chose not to use those methods because their gen 1 and gen 2 hardware weren't powerful enough to support it reliably/conveniently. That was a conscious decision on their part to save money (or have a lower price) on equipment that involved a trade-off in security. Again, not necessarily a wrong decision, but for some people to say "there's no other way to do it" is not correct.
      #3: I agree that I don't think there was any ill intent here with how they were doing it, just a lack of communication or clarification to make non-tech people understand what was happening. Most probably would have been OK with it, especially with the way CloudFront URLs are handled.
      #4: The streaming issue is the MOST concerning part of all of this since more info has come to light (and isn't addressed in this video). Encryption keys were static and in GitHub, and tokens were included in the URLs but apparently not actually checked by the software, rendering them completely moot. This definitely IS an issue because the other methods mentioned in #2 above would be alternatives that could entirely prevent that from happening. Most of our internet security protocols are built around either a private/public key, an expiring token, etc. that limits the ability for anyone to just take a URL string and copy/paste it into a browser and see a stream. That should NEVER happen unless it's being done by an authenticated user. It also appears that some of it was being transmitted with no encryption during at least some hops in the connection, which again should never happen with proper end-to-end encryption. They've since enabled encryption after this was exposed. Now some people are claiming they are doing that to cover their tracks, but I honestly think they're doing it because it IS the correct thing to do, so I won't fault them at all for "fixing" it (or at least bandaging it for now).
      For the TL;DR: They communicated "standard" practices poorly, giving users a false sense of "security", but there are other options available to them that they could have chosen that may have involved higher costs or more complicated configurations. It's my sincere hope that they come clean on everything, acknowledge where they went wrong, promise to fix it and have independent auditors come in to verify it. There will be plenty who will never trust them again, but I think if they follow those steps, there will be a light at the end of a very long tunnel for them.
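
The two technical points argued in this thread, TheHookUp's reply that an Amz-Signature cannot be brute forced while a 65k-combination RTMP path can, and DominicRusso17's point that a token in a URL is worthless if the server never checks it, are easier to reason about in code. The block below is an added example and is not Eufy's, Anker's or AWS CloudFront's code. It assumes an HMAC-SHA256 tag in place of CloudFront's RSA-signed policy (the brute-force argument is the same: the tag depends on a secret the attacker does not hold), a constructed signing key and host name, and a stream path derived from a device serial whose variable part is 16 bits, which reproduces the 65 536-path space quoted above.

```python
"""Signed, expiring URLs versus predictable stream paths.

Added example; not Eufy/Anker code and not the CloudFront implementation.
Assumptions: an HMAC-SHA256 tag stands in for CloudFront's RSA-signed policy,
the signing key and host names are constructed, and the stream path is derived
from a serial whose variable part is 16 bits (65 536 possibilities).
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side key.  A real deployment keeps this out of firmware
# and out of public repositories; a static key on GitHub defeats the scheme.
SIGNING_KEY = b"constructed-signing-key-not-a-real-secret"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def _tag(path, expires, key):
    """HMAC over path and expiry; binds the tag to one object and one deadline."""
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(base, path, expires, key=SIGNING_KEY):
    """Issue a capability URL that is only valid until `expires` (Unix time)."""
    query = urlencode({"Expires": expires, "Signature": _tag(path, expires, key)})
    return f"{base}{path}?{query}"


def verify_url_ignoring_token(url):
    """The failure mode from the thread: a token is present in the URL but the
    server never checks it, so any syntactically valid URL is served."""
    return urlparse(url).path != ""


def verify_url(url, now, key=SIGNING_KEY):
    """Hardened check: recompute the tag, compare in constant time, then
    enforce the expiry.  Missing or malformed parameters are rejected."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["Expires"][0])
        presented = query["Signature"][0]
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(presented, _tag(parsed.path, expires, key)):
        return False
    return now < expires


def stream_path_from_serial(serial):
    """Predictable identifier: a path that depends only on the device serial,
    which is printed on the box.  base64 hides nothing; it is reversible."""
    encoded = base64.urlsafe_b64encode(serial.encode()).decode().rstrip("=")
    return f"/stream/{encoded}"


def enumerate_stream_paths(prefix, bits=16):
    """Every path an attacker must try when only `bits` bits of the serial vary."""
    return [stream_path_from_serial(f"{prefix}{i:04X}") for i in range(1 << bits)]


def brute_force_years(keyspace_bits, guesses_per_second=1e12):
    """Expected time to hit a uniformly random value of `keyspace_bits` bits
    (half the space on average) at the given guess rate, in years."""
    return (2 ** (keyspace_bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    url = sign_url("https://cdn.example", "/thumb/door-0001.jpg", expires=1_700_000_000)
    print(url)
    print("valid before expiry:", verify_url(url, now=1_699_999_000))
    print("valid after expiry: ", verify_url(url, now=1_700_000_001))
    tampered = url.replace("door-0001", "door-0002")
    print("tampered path, token ignored:", verify_url_ignoring_token(tampered))
    print("tampered path, token checked:", verify_url(tampered, now=1_699_999_000))
    print("serial-derived paths to try:", len(enumerate_stream_paths("T8210")))
    print("years to brute-force 16 bits:", brute_force_years(16))
    print("years to brute-force 256 bits:", f"{brute_force_years(256):.2e}")
```

The contrast is the whole argument: a 256-bit tag is unreachable by enumeration at any plausible guess rate, while a path built from a serial with 16 variable bits is a list of 65 536 strings an attacker can simply iterate. Neither property helps if the server takes the `verify_url_ignoring_token` branch, which is why a token's presence in a URL says nothing until the check on the other end is confirmed.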

  • @matkany
    @matkany Рік тому +1

    A thumbnail is not a sufficient reason for a non-cloud cam to get access to my data.

  • @noelhenry7176
    @noelhenry7176 Рік тому +8

    I'm glad you included the bit at the end where you acknowledged the "cloud-free" claim issue. I don't know if it just works better for UA-cam content to structure your presentation this way, but you may want to consider restructuring your presentation in the future. Building agreement up-front can make your audience more open to your message. That being said, this was really well done! Congrats.

  • @ianpark2121
    @ianpark2121 Рік тому +1

    I think this video missed the point; nobody is saying that there was a data breach. It was deliberate false advertising and a false selling feature on a product. "fully local" vs "we upload it to a sketchy Chinese cloud server because we care about you xoxo" are different.

    • @TheHookUp
      @TheHookUp  Рік тому

      Lots of people including Linus called it a "data breach": ua-cam.com/video/2ssMQtKAMyA/v-deo.html

  • @TheMatthewDMerrill
    @TheMatthewDMerrill Рік тому +8

    No, the issue is that they lied. They said that it would be local only and that was not the case at all. It doesn't matter if it can't really be accessed that easily. The point is it was supposed to be local only.

  • @starvin666
    @starvin666 Рік тому +1

    You can create a secure tunnel or proxy to avoid port forwarding but keep things local

    • @TheHookUp
      @TheHookUp  Рік тому

      Lots of people who know more than me in the comments are saying this will not work for iOS notifications.

  • @Barnacules
    @Barnacules 1 year ago +5

    It’s alarming how many Eufy and Anker apologists are completely forgetting the fact their selling point is your data is “never uploaded”.

    • @TheHookUp
      @TheHookUp  1 year ago +4

      This is and has always been a technical channel. In this case I spent the video stating facts, and clarifying technical details that were misrepresented by Paul Moore and misunderstood by Linus. My focus was on those things that are likely to be misunderstood by the average consumer (CDN vs S3, Auth vs Signed, etc).
      I didn't spend a lot of time talking about the fact that they advertise "Local Only" because in my mind that is an irrefutable blunder that doesn't need any further clarification because it's plain for anyone to see that those statements were incorrect and borderline fraudulent.

  • @Chris-Alia
    @Chris-Alia 1 year ago

    If it’s uploaded using Amz cloud service, it doesn’t need “101 years” to decrypt. Amz has full access and generates the encryption themselves. They immediately have access.

    • @TheHookUp
      @TheHookUp  1 year ago

      So you are worried that some bad actor inside Amazon's datacenter is going to hack into your account using their master credentials to take a look at thumbnails from your doorbell camera? Just trying to wrap my head around your argument.

  • @ToxicNova5
    @ToxicNova5 1 year ago +3

    It is hilarious how so many comments are talking about critical thinking and common sense when they have none. Security issue aside, Eufy knowingly lied and misled customers with their ads. It is as simple as that.

    • @TheHookUp
      @TheHookUp  1 year ago +3

      The thing is, I'm not refuting the fact that the ads were misleading, in fact I specifically agreed with that.
      The point of the video is to point out misinformation being spread by people who are regarded as "Experts".

    • @ToxicNova5
      @ToxicNova5 1 year ago +2

      @TheHookUp And this video did that! I was talking about the comments dismissing any wrongdoing done by Eufy. The security issue so far is being blown out of proportion, but Eufy does need to fix the ads and be held accountable. Thanks for the great content!

  • @monkeyaround2066
    @monkeyaround2066 1 year ago +3

    Linus is definitely correct in this matter. The cloud is basically by definition not local. If Eufy didn't advertise it as such, then it could be less of a problem, but that's not what Eufy's advertisement is based on. I am sure many consumers chose Eufy based on their false advertisement. It's not like Eufy doesn't know about the use of the cloud. Eufy knows and chose to falsely advertise. If not Eufy, there are plenty of other options to choose from; maybe they also use the cloud, but that does not excuse the false advertisement of Eufy. And based on Eufy's apathetic response, they are not worth my trust.

  • @GARBO96
    @GARBO96 1 year ago +2

    But with the face ID, it's not that hard to think that the Chinese government could easily have a back door to have access to everybody's individual face ID.

  • @cbhome3525
    @cbhome3525 1 year ago +4

    Did the Internet forget Wyze was made aware of a critical security vulnerability in most of their lineup, including complete zero-day SD card access, in 2019 and didn’t fix it until April 2022? Who cares about Eufy’s thumbnails. Give me a break, they are the least of our concerns.

  • @PVProDK
    @PVProDK 1 year ago +1

    I respect your effort in making this video, however I think it is the wrong move to spend the first 9 minutes explaining why Eufy needs to do what they do in order to serve their customers, and the last 10 seconds acknowledging that the “No cloud” statement was a bad “marketing move”.
    IMO it’s completely the wrong focus! The focus should be on why the cloud is even used, when the customer is promised it’s not. Yes, it might mean fewer features, but to many customers that would be worth it. Eufy cannot use cloud services without consent from their users, and to my knowledge their EULA is far from covering this. Furthermore, GDPR requires explicit instructions from the data owner (Eufy customer) to the data processor (Eufy) in order to be allowed to transfer the data to third-party companies/countries (outside the EU), which is a problem as long as the data is stored on servers owned by a company outside the EU (Azure, AWS, Google, etc.).
    Regarding storing images for rich notifications on an open public webserver: they could just as well have been stored and accessed using the app credentials; it is, after all, the app that generates the notification, right?!

  • @stryfestryfe
    @stryfestryfe 1 year ago +6

    You're building the right kind of community with these sorts of videos. Thanks for the additional insight on this fluid topic. I've been using a Eufy in our baby room, so I've been keeping my eye on this.

  • @theduffinman
    @theduffinman 1 year ago +1

    Personally, I don't believe there's such a thing as true privacy anymore, and there hasn't been for a while. Technology is everywhere and there is no real way to avoid it. Businesses everywhere are caught selling unconsented data all the time, yet we still use them. Hell, we are all on UA-cam, and not too long ago they were sued for collecting information on minors. The only real difference is whether they get caught doing it or not, but I'd bet most if not all do in some form, for both good and/or bad reasons.

  • @KR7PT
    @KR7PT 1 year ago +14

    This is a tough one to take a stand on. I get it, they need SOME amount of data for Rich Notifications to function correctly, but for Eufy to not be completely transparent on how it works is also very wrong. They have cyber security experts and network engineers designing this shit and you're telling me not a single one thought "Maybe we should tell our users that we're doing this"?

    • @TheHookUp
      @TheHookUp  1 year ago +10

      For sure they messed up with the marketing. This is definitely not the first time there has been a disconnect between a sales team, marketing team, and engineering team.

    • @edincanada
      @edincanada 1 year ago

      This is the equivalent of advertising a meal as "gluten-free and delicious", but putting gluten in it, because "It's the only way it can be delicious. It needs gluten. My hands are tied. My only wrongdoing has been communication."