Eufy Lied.
ฝัง
- เผยแพร่เมื่อ 4 ธ.ค. 2022
- The Eufy situation is more complicated than it appeared at first, but at the end of the day, they advertised products as local-only when they were uploading (significant) data to the cloud. And that is just not okay.
Watch the full WAN Show: • Why Do I Keep Getting ...
► GET MERCH: lttstore.com
► AFFILIATES, SPONSORS & REFERRALS: lmg.gg/lcsponsors
► PODCAST GEAR: lmg.gg/podcastgear
► SUPPORT US ON FLOATPLANE: www.floatplane.com/
FOLLOW US ON SOCIAL
---------------------------------------------------
Twitter: / linustech
Facebook: / linustech
Instagram: / linustech
TikTok: / linustech
Twitch: / linustech - วิทยาศาสตร์และเทคโนโลยี
Getting an anker ad in the middle of this was the definition of irony and made me burst out laughing
i didnt realize there were still people who dont use adblockers. weird.
@@SkylerB17 People in smartphones
@@masternoel123I just pay for TH-cam premium ❤
@@masondipple2650 gross!!
advanced TH-cam are the best.
It’s even scarier than just cloud storage of your camera pictures/footage. A guy demonstrated that your face is assigned an ID based on Eufy’s facial recognition algorithm. So if your face shows up on SOMEONE ELSE’s camera, the same ID may be generated and now there’s a trace of your location
It gets worse. Eufy is owned by Anker, which is a Chinese company, which means the CCP regulates it and has access to all it's data. So your home "security" camera is actually capable of being used as part of the CCP's facial recognition camera setup.
@@phydeux *is part of the CCP's facial recognition camera setup. -Fixed, lets not kid ourselves here we all know this is a feature and who it is intended for.
Pffwwwbbttt-they are just being histrionic. I mean, it all depends on how you define locally stored, right? I mean, compared to a cloud server on Alpha Centauri, stored on a server here on earth is local! :)
@@phydeux In that regard it's not much worse than having the data stored on cloud servers in the US..
@@phydeux yeah don’t bring that here please
I’m a Bestbuy employee and I will be sure to inform customers about this issue when asked about eufy
god bless you
thank you!
-99 credits score. Bing chilling is coming for you sent by Xi Jinpinga.
pull off the markets immediately.
@@PokePackFireridiculous. They are secure enough and free to use. That little lacking on security is worth less than the savings I save every month by not paying for a service. I just ordered 3 more Eufy cams for my home. They are great!
Eufy had one chance to not have this get any worse, and they blew it.
When you're linked to China you get lead in your baby food.
According to Linus, it's still not too late, so they still have a chance to blow it again (or not).
@@Viewer13128 Being proven a liar and trying to downplay it means that no matter what else you do, nobody has any reason to believe you. It's over. Linus is just being optimistic because he likes "smart home" trash.
Maybe their idea of "Local only" is like the Cell companies "Unlimited data".
“Oh yeah it’s unlimited, but if you’re in a busy area it might slow down unless you’re using our extra or elite plan which gives you either 50 GB or unlimited guaranteed fast data respectively.”
Context: i work in my local walmart trying to sell phones and phone plans to people - other shitty things include marketing prices that you only get if you enable autopay and paperless billing…
i live in eastern europe, and here most carriers supply "unlimited data" which usually is 200GB data and when you use all of it your speeds are limited to like 150kbps
@@AshtonSnapp I've also heard unlimited meaning "5gb a day".
"Of course it's local! All data stays on Earth! Well, within orbit at least."
No it's like when grocery stores advertise locally grown produce. I was in the business for years and have seen places within a 300 mile radius called local.
There's a point at which it becomes worth it to invest in a NAS capable of running a surveillance software suite. Throw in some WD purples (or equivalent), and make sure to put your cameras in a vlan that doesn't have access to anything but the NAS. The sad thing is that we need to become amateur network engineers and storage experts in order to make sure we're not getting spied on by the equipment we use to try to keep us safe.
I've done this for a few years now, I set it up and it just works. Through updates and everything.
Only problem is that decent equipment at a decent price doesn't exist to make this a reality. Ubiquiti pricing and more importantly stock is an absolute joke. So you end up having to compromise with less well integrated, worse build quality, worse recording quality or some combination of the 3. Its a shame
Closed circuit or no circuit.
That's my plan. Though I plan to use Zoneminder as a proxy (and Wireguard for direct access) to the vlan. The cameras can then be whatever cheap Chinese cameras I can get. Who cares if has more holes than Swiss cheese and wants to phone home to the PLA? As long as all direct internet access is blocked and it can work offline, with just Zoneminder talking to it, none of that matters.
This whole thing has me wondering if the time is right for an IOT company that places trust, security, and transparency upfront and center. I think alot of people would pay a premium for 100% open source IOT devices with true cloud optional features.
@@Adroit1911 yeah I was gonna say camera>switch>nvr with no physical connection to your internet connect lan is the way to go for me.
The response from Eufy is a classic example how the wrong response to being called out can make your fault infinitely worse. Just bought some products from Anker - now I’m seriously considering returning them.
Dont consider it, do it.
do be fair: what response could they have given in this case. they directly lied to their customers.
Anker batteries and chargers are awesome, otherwise yeah I don't buy their stuff.
@@kodeytheneko You shouldn't buy anything they make if this is how they act. Even if they do deliver some amazing products, you clearly can't trust them.
Here's what REALLY scary- the non-techie people out there are not seeing this as much of a problem anymore... and... it's really, REALLY unnerving. The fact that not only do they anticipate companies doing what they will with thier info, they welcome it. (or at the very least, do very little to stop it.) There seems to be this mindset that "as long as it's not changing they way I live my life and I'm happy, I don't care." that's going to one day bite many of those kinds of consumers in the rear.
Everyone's priorities and concerns are different. At its price point and features EUFY is my best option. It gets what I need to done. I've tried MANY other security camera options all which have failed me in some ways. So for now, this matter doesn't really bother me.
I was discussing with my mother recently and the conversation turned into something like.
“Mom, how would you feel if some stranger from a company follows you, see what you’re doing and later they send you ads, deals/discounts and stuff?”
“Well that would be handy isn’t it?”
Privacy is long gone on the general public.
I mean some of us live in Australia where this kind of security is complete overkill. We don't have guns to worry about unlike some stupid 'other' countries.
ive been telling my mother about this for as long as we have had these cameras.
i suspected that they were sending everything to some third party server the second i tried to block their access to the internet and they flat out refused to send anything at all, even to devices on the same local network.
even after all this stuff came out she then asks me what to do with the cameras that cost her around $500 and insists that it is fine.
im tempted to just block their access to the internet (that i am paying for) and refuse to fix it for her
Eh, everyone has different standards and what they think is or isn't important. Can't worry about others, just do what's best for you.
I'm so disappointed in eufy. It was a serious competitor in the affordable home security space but now they're a joke. There's no coming back from this.
If it's cheap you are the product
@@crashniels that's not even true. What a stupid comment.
@@crashniels the proper quote is if it's free
If you're about to argue "well nowadays" well that's just you, not the saying
why do you think it was cheap in the first place?
@@GameTimeWhy It's absolutely true, the only stupid comment is the one that denies the reality: it is far more profitable to harvest and sell data than it is to sell physical products for many companies.
I did read the freaking privacy policy and there is no mention about the freaking cloud storage!!
ALSO under the GDPR law. I requested that I get to see ALL personal data Eufy has stored on me and how they have stored the data and how they handle it. This is stated in the privacy policy!
Eufy reply word for word "We do not store your personal data and therefore cannot provide you with your personal data."
This means. They do not have my Email which they did reply. They do not have my purchase information no name no nothing.
I have yet to contact a lawyer about this but I have reported this company to our state wide security operations center
Lol that's an interesting response. If you had access to the URLs that your device is sending the information to, and were able to find their copies of your info, it would be hilarious to reply to the email with a link to it.
would compromise your security immensely, but still would be hilarious.
@@martinshoosterman Might be able to capture something with wireshark to get some information how these things communicate to outside. Gotta try to get as much data as possible if I want some ramification for misleading or at least miss advertising
Totally possible to get that information, not sure if what you actually need is a app to capture api on the mobile app, I think wireshark would only capture if phone internet went through or was captured by computer.
@@jimmypatton4982 Correct; you have to use something like Charles Proxy or mitmproxy. The reason being that Wireshark won't be on the same broadcast domain, and even if it is, HTTPS will obscure the traffic. But if you use Charles Proxy, unless the app developer has taken very specific steps to detect the situation (which they likely will not do), you can decrypt the traffic in the middle. These proxies work by using certificate authorities generated on the fly that you trust via a MDM profile to then issue certs on the domains you want to snoop on, and unless the app is checking certificate serial numbers, it would not know it's not issued by a "normal" CA... and if it checks serial numbers, ACME becomes impossible and you have to update the app whenever you update your cert. Which maybe you do off-cycle due to a leak or something and now you're really screwed because you broke everyone.
GDPR requires 'Explicit consent' for the storage and or processing of personal data in the cloud. This consent cannot be 'implied', i.e buried in an EULA or Privacy statement. Consent must be 'Explicit', in this regard, Eufy breached GDPR rules.
We're moving into our first house next month. I literally had lots of Eufy products in my cart, and I decided to check youtube for info to help me decide on which of their doorbells I should get. Well, now I'm looking for a different company. You just saved us from buying nearly $1k in spyware. Thanks guys!
On Linus's point about being impressed by things just working, I have a Ring doorbell and chimer and it infuriates me to no end that if my WiFi goes down or the stupid thing disconnects itself from the Internet but not the network for some reason as it often does and someone rings the doorbell the chimer no longer works because it has to ping the Ring servers and then they have to ping the chimer instead of just pinging the chimer locally which it knows is there because it has to be on the same network for it to work.
Is there a company doing smart doorbells the right way? Presumably Ring, and such companies, do it that way because they have a contract with TLAs or some such; why else would it be remote server first, surely that's less resilient, less efficient, slower, more costly??
@@pauljefferies5837 I don't think their is or at least not that I know of. Tech companies seem to be largely started by people who have a "good" idea and who want to get rich. The implementation or ethics of the idea doesn't seem to matter as much as the getting rich part so they just throw ethics out the window and get the implementation good enough so it works most of the time on paper so it can be sold to investors. So they seem to be really mainly developing this kind of stuff to collect data that they can then sell on for profit or use to train "AI" models that they can then sell for profit. Whether this is part of the initial pitch or something investors push for before fully investing in the product is something I don't know. Then they effectively lie in the advertising and scream "but the fine print" when called out.
When Linus’s house is done I really hope we get a mega guide on how, from start to finish, with all the hiccups he figured out, all the stuff he used, would be so helpful,, in a more tutorial format than the existing videos which feel more like a showcase
I feel as if we are able to have something like a plex server that we can connect to from anywhere, we should also be able to have a pretty good locally hosted home security service.
Yes - this channel was built on tutorials to help people out. It definitely has turned into much more showcase focused lately. Could use a tutorial or two!
Yes! I'd love to watch that.
Probably will be FloatPlane exclusive.
It just makes sense
Something as big as that wouldn't really work as a tutorial because there's so many variables that would affect how you'd do certain steps. Unless somebody buys the exact same setup as Linus, then a tutorial wouldn't work for them.
They advertise it's local only, they made it not local only. This is false advertising.
Wow such insight, it’s almost like that’s what the whole video said 😂
The phase "false advertising" didn't come up in the show which is the point OP is making. EULA cannot be something that is the opposite of the marketing material and as Linus said EULA does not work that way.
@@hikaritsumi2123 They said it in all but name and you think you’re a genius for understanding the context. Again, nice job repeating what was said and acting like that makes your comment so insightful. 😂
Page they showed said "we offer free local storage". Wouldn't that mean that they give client free physical storage device?
and if they weren't a chinese company, you'd all be refunds n than some for the inconvenience.
I think a bunch of the smart home / security stuff is really cool. But in a world where every company and their dog wants to harvest data of literally every flavor I'm perfectly happy with a thermostat that I need to walk to and physically manipulate in order for it to do anything. Every single time Alexa wakes up completely unprompted while nobody is talking and says "Sorry I didn't catch that.", my skin crawls and I revisit the thought that maybe her convenience isn't worth it.
Eufy was like: we tested our own systems and accusations and found out we did nothing wrong.
Classic CIA if I may say so
Happy that the industry catched on......
@@gandalf_thegrey That's because they did it on purpose obviously.
There should be no internal auditors or ANYTHING like that. It should all be external to prevent shit from getting swept under the rug.
What I hated most about this situation is the story seemed to break during black friday and when I tried searching about it after hearing in the WAN show, google instead showed me a bunch of shopping deals on eufy devices. It was until way later that journalist started to pick up the story and intially in European non English sites.
I hated how long it took for this to come up, I hated how google news tab was not news, I hated how this didn't get the attention it should have intially.
You just found out what many of us have known for years with Google, Yahoo and Microsoft as examples of manipulation of Searches or News.
hmm almost as if google is just an advertising company
Lol, relying on Google News. Hilarious.
Eufy is a company that spend money on advertising, Google is an advertising company. Put the two together and you no longer have actual news....
@@dougle03 and add to that that Google do bend there knees to not upset China, the second or largest economy in the world.
Uefy: When we say locally, we mean on the same planet.
😂😂😂
No No. Local galactic group.
Locally, as in, in the general direction of your universe.
more like... locally in China (as they are required by local laws)
Wow, last week I was so close to buying specifically an Eufy doorbell exactly because of their "local only" promise. Glad that I postponed it till I do a bit better research.
My take on the notification, as a mobile app developer I work with them on a daily basis: Yes, a notification can have images without having to send them to any server, but only if the notification is not handled by Firebase itself on the receiving end (Yes, Eufy and literary every other app uses Firebase), but by the receiving app. By using a "data" notification the app receives the data without a notification being shown, which allows the app to build its own notification, this also allows an app to potentially enrich that notification with local data (if it is available on the device or if the device is locally connected).
So yes, images are possible without having to send them to the cloud, but it comes with some drawbacks (as the phone will not always have access to the local network).
Wow, the thermostat?? The more I keep my house out of the cloud the happier I am with that decision.
I read *house* as *horse* and enjoyed it.
Why are smart houses even a thing? Imagine you get a new door and it turns out you need a monthly ProProtect subscription to be able to lock it. Or a firmware update locks you out of your house. xD
@@MeowtronStar Mercedez already has the subscription-based accelerator so things are just kooky.
@@bakedbeings To be fair, your horse shouldn't be anywhere near the clouds.
@@MeowtronStar but fog tho
do not trust a company, or person, that is only sorry after they get caught. if they can do it, get caught, and youll forgive them for "changing", then theyll get better at hiding it the next time they do it.
They aren't even sorry! That's the worst kind of nonpology denial
They never apologized and are not sorry.
Do not trust a company
Not only are they not sorry, they are refuting the very idea that they got caught.
@@JJCUBER I think they are refuting because they are protecting their business due to them being caught. Admission of this oversight won't benefit the company. The same way Microsoft doesn't even respond to security issues or updates that break basic functions in their products. All of these companies do the same thing and quietly fix an issue with little fanfare. It's been how many years now since the creepy glitch with Apple's home pod randomly giggling or Alex knows everything about your shopping habits or the suspicion that your smartphone is constantly tracking you. Privacy in general is a lie. Even if everyone does what Linus does to secure his internet of things, I'm sure there is a security hole somewhere even he isn't aware of.
If Signal can do end-to-end encryption of messages, Eufy can do end-to-end encryption of images to support push notifications when you're not on your local network.
I specifically chose Eufy for my doorbell camera because of the local only storage. As soon as I listened to last week's WAN show I took it down. I have since destroyed and thrown away the camera because I could not bring myself to sell it to someone who doesn't know all the security risks with this doorbell camera.
So what are you replacing it with? A Ring, where they give the footage to police without even asking you?
@@darrennew8211 you think Eufy wouldn't also do that? even if they don't want it, because they store the footage on their servers, depending on legislation they will be legally compelled to. They lied to you once, why do you think they wouldn't do it again?
@@ilonachan Assuming the footage is actually E2E encrypted, it shouldn't be possible for them to give it to the cops. This sounds more like a "we got lazy about storing things where your phone could get to them" than something sinister.
And no, I don't think Eufy would volunteer to proactively give footage to the cops without a warrant. Ring does that because they want the cops selling Ring for them.
That said, I'm glad this came out now, because I was planning to buy some Eufy stuff next year as my next home improvement project. Now I'm going to again have to find something different.
I really don't understand how you could argue against this.
They promised it's local.
It is in fact NOT.
They scammed their customers and they should be punished.
It's as simple as it gets :D
If you think thats bad, research DIED SUDDENLY on Rumble
Someone richer than me please start a class action. I will join
@@Lawbase you don’t need money to start a class action (from my understanding). Just reach out to some class action law firms and see if they’re interested in taking the case. Given the probably large amount of people affect I’m pretty sure quite a few lawyers would love to take up the case.
@@JC-dx3fy stop promoting anti-vaccination propaganda.
That movie is a complete scam.
The fact they promised it's local and it's not is false advertising, and at least here in the UK, that in itself is a huge issue and exposes Eufy to legal jeopardy.
Here in norway a server for a company that sell electric wall mounted heaters broke down.. and a lot of houses got cold.
Sounds like cloud at its finest.
I am a software engineer and whenever I hear a company wanting to move to the cloud, I am under the impression, that they don't give a damn about their IT - until it breaks or until the data breaks lose.
Honestly, I get that not every company wants or can afford to host a whole network of services, but in most cases going into the cloud is a bad choice, because the people responsible for the IT are dismissed and security is turned down, because of the mostly wrong impression, that the cloud service provider is or will take care of it. They don't unless you configure it properly and unless your application has been hardened a lot.
Man i hate all this cloud connected IoT stuff so much. Because think of what happens when the company takes that server offline in like 5 years or the company goes bankrupt? All of those heaters are gonna be e-waste.
Dear God WHY would you use electric-only heating in Norway of all places?? Even semi-efficient heat pumps don't work below 40F (above freezing) but a wall-mounted unit sounds like a RESISTIVE heater. Norway is the largest producer of fossil fuel in Europe! You guys should be heating with gas. Even here in the States where our electricity is $0.10 per kWh, and in the South to boot (short, mild winters), it's STILL a lot cheaper to fire up the gas most of the winter than it is to rely upon brand new heat pumps below 45-50F.
@@kamikazejs950 oil and gas is forbidden for home heating. they have gone hard on the "CO2" bandwagon here. we also have 90%+ hydroelectric power.. until this year we had low cost energy. now tho they have connected a lot of cables to the eu continent and the prices is up 10-30 fold. it is no longer 0.015 to 0.03$ a kWh as the norm is.
a normal norwegian household use 15-20 000kWh a year. 2/3 of that in the winter month's.
@@kamikazejs950 moste homes DO have heatpumps for the normal background heat. they do need a bit more when it gets cold and that is normally done with resistive heaters in every room. we use 99% resistive heater's on hot water as well.
They could've easily used end-to-end encryption for the notification images and even include that in the promotional material as advantage. The images would be stored encrypted in the cloud, with the key only available to the camera, and the user's phone. There's no excuse for what they did.
I have no idea why they don't do this. They advertise the local storage as being encrypted at rest.
Yeah, it's worse than just being in the cloud. It's poorly protected in the cloud, where it shouldn't even be to begin with.
@@darrennew8211 becsue the CCP has rules for companies concering them having all access to data like your photos on their cloud storage..
China would not allow encryption and they can't sell your data for money if it's encrypted..
@@darrennew8211 I assume because encrypting costs more than not encrypting.
They simply didn't care and didn't anticipate users looking into what they do.
In light of this, I'd be interested in seeing some reviews of alternative products. I had security cameras on my to do list and Eufy was the direction I was headed.
What sucks is that I got eufy a week before it was exposed😢😊
@@humantrash7980 14 day send back guarantee
They are 'surveillance' cameras, NOT 'security' cameras.
@@Microwave_Dave hahaha
If you ever learn about one and have 2 mn to spare, please let me know, I'm also looking for one.
We really should get Legal Eagle to look at this - this undoublty breaks several laws and I'm not even an expert
Not sure if it's the same but doesn't LE work in the US? I imagine they use similar advertising materials as they are using here in Canada (where LTT is based) but it wouldn't be exactly the same legal arguments.
@@th3oryO He's no stranger to researching foreign law. His video on Established Titles is trending right now in fact.
@@th3oryO Yeah, I'm pretty sure LE works in DC and California, so yes the laws that would apply and other specifics would differ. But, eufy also sells their products in the US (no suprise here) and they probably use this scam achitecture there too.
It complies with GDPR. Doesn’t break laws
@@carlossap Are we watching the same video? Or talking about the same topic?
It's also false advertising you dingus
9:18 I think legal eagle just talk about this when he talked about Established Titles. That there are laws specifically against advertising something different from what's in the agreement/fine prints.
There is a point where I start to think, if you really care and want security go with a business system with hardwired Ethernet/poe which typically can be cloud connected or not, use port forwarding or cloud linking, can't be killed by a cheap wifi jammer, tend to be very reliable, often have better quality especially in terms of dynamic range issues and low light performance, but are typically a bit more expensive and being hardwired do need cabling installed.
Reminds me of Vizio's smart TVs. They had an opt-out feature called "Smart Interactivity" that would take a screenshot each second (60 in one minute!) of whatever was on your screen. And did so without telling customers.
So if you're writing an e-mail, checking your bank account, logging into a website, or anything, really -- Vizio grabbed it all. Fortunately, the FTC smacked them down.
What sucks the most is those of us that are pretty heavily invested in the products and they already have our money after being sold on "local storage."
Don't back down, just because brand fans want to justify their purchase, or are cool with careless companies.
It is still valid to continue to talk about the issue here and get to the bottom of this. In hopes that some other companies will learn and take notes or there is a miss understanding from Eufys part. BUT seeing how they handle the situation, it seems eufy and anker is going to take a huge hit
Yeah, speaking of brand fans the Rob guy seems really adamant in defending Eufy no matter how anti-consumer they get, even worse it gives the impression of his misinformed vid on the topic existing just to “go against the big thing (LTT)” to market himself as more credible than he really is, not a good look for a supposedly reputable “technical” channel.
Eufy’s slogan should be “Local storage stored remotely”
Really sucks about Anker. I’ve always bought their stuff from all their brands because I trusted their quality. Idk if I’ll stop buying their chargers but definitely not ever buying any of their connected devices again.
There’s enough high quality alternatives that do you really want to support them are all?
ever since LMG cut ties with anker, LMG has made me buy more ugreen stuff
It was just a misunderstanding bro. Chill 😂 just read the TOS
-eufy
Eufy really don't understand the difference between 'Implied' and 'Explicit' consent. I'm pretty sure the EU's lawyers are on with their expensive education...
By the way there's nothing in the TOS that states use of cloud storage. One user even emailed eufy requesting legal copies of his data and got a response saying 'we don't store your data so we cannot provide it to you.'
@@BrentLobegeier oh no no no… 😂🤣
The biggest clue that the "Local Only" camera wasn't local only was that it didn't work without an active internet connection. Since i got this thing to be able to monitor a room using a battery backup so it would stay on even through a power outage makes me rather irritated that they lied.
What is a good replacement for the dual video doorbell, specifically picked it for no monthly cost and “local storage” just want something safe at this point ?
Eufy should not be claiming anything about "local only" when that's not true, and they should be better securing the things they store non-locally so that unintended eyes can't access them. That's purely false advertising. But if a camera is local only, how would you get its video feed or notifications when you're not home and not on the same WiFi network? Also this is a legit question, not a criticism of their position on the issue.
I guess if the product walked you through router setup, you could have the mobile app set to access a stream from your home Public IP address with certain data encryption/authentication necessary (not that I'm claiming any of this is sufficient or well-done currently)
For starters, don't store the data on the cloud. Just transmit the data to the app through encrypted packages only specific user has the key to open them. Then it's almost local only because only locally recognized devices have access to the feed.
Then it can use local server to process video and only send summary to the phone, which is also somewhat "local only."
But there is no real way to be full local only yet also connect to a distant device.
@@harrytan5579 That's how I assumed it works based on Eufy's description. They literally promise you "you don't have to worry about cloud storage, ... ". When the cloud storage they use goes down, you stop getting notifications because it's still cloud-based, which is the entire opposite of what you're buying the device for - being independent of someone's cloud service.
Local only for devices that don't reside on the same network is quite a tricky challenge. Opening ports at either end is unlikely to solve the problem since most domestic connections (And mobiles) use dynamic IP addresses, and it gets even worse when CG-Nat is also in the mix. There are ways of connecting two devices that have effectively 'No fixed abode' (CG-Nat and or dynamic IP addresses) but it does require an internet hosted directory lookup. This is how Zerotier works. It would be possible for a camera and a phone to 'find' each other to transfer encrypted data via a public lookup directory where the cloud part of that is not storing personally identifiable information. The cloud part simply gives each device a one time direct calling card, but the actual personal data transits directly between the devices using SSL transport.
Where do they claim "local only"?
You're better than this, Anker. Thanks for the update, guys.
This is the exact level I expect of a brand like this.
If you seriously expect to buy a Chinese web-connected product and have your privacy and rights respected, boy do I have bad news for you. Are you also the type that was shocked by the TikTok leaks?
Trust in a company is not something they can "try again next time", though. Once they lied through their teeth, it will hang atop their head forever.
@@4.0.4 - You're kidding right? They'll just shut down "Eufy" and start up against "Happy Sparkle" or "Magic Secure", change the housing design a bit, and carry on as before. China doesn't create anything new. They just run the same shell game over and over again until they find their next scam.
I’ve only bought their chargers and cables. But, I doubt I will buy anything else from them.
@@JeffTiberend Even their cables keep getting more expensive year after year. They used to be great because they were cheap, yet extremely reliable, but now plenty of other Chinese brands are making carbon copies for half the cost. Their chargers are still the best thing they have going for them.
I'm surprised that Linus is not using a ground source heat pump up in Canada, that would be a far better (but also more expensive up front) option as down 20 feet or so there's plenty of heat to pull out.
Obviously wasn’t sent one for free
@@JBR.1974 You wouldn't do it either if you have the same situation ;)
You kind of glossed over the more expensive part. The cost of running any heat pump in Canada is ridiculous. I ran the numbers, the absolute most efficient ground source heat pump on the market would be more expensive to run than my current forced air natural gas furnace. And that's just the running cost not counting installation. That's just the difference between the cost of electricity and the cost of natural gas here. It would be economic suicide to spend that much money installing something that is going to cost you more money every month than the much cheaper option.
Even if they keep the data after the delete request for longer, which there are valid technical reasons for (for example, collecting a lot of delete requests to process them in batches for better storage performance), they absolutely 100% must mark the content as "scheduled for deletion" and make it unavailable to access through the API. There is ABSOLUTELY NO VALID REASON that anybody, even the person who this data "belongs to", should be able to access it after requesting its deletion.
Time to gather the tech-tubers and campaign against cloud based solutions when it obviously isn't necessary for a majority of things. Find an alternative that seems good for things and push them to viewers over the competition. And you don't necessarily have the explicitly say, "Hey pick this over that." You can just not support cloud based BS by not ever showing them in videos.
At a certain point SaaS becomes like manufacturing. They found out a long time ago that you can create superior versions of materials that won’t degrade. To maintain profits Tech companies need SaaS even though these products could be used offline
Are you saying my fridge doesn't need to know my social security number?
Data Notifications? Interesting? Can someone provide me with a link on how to use/implement these server-less data push notifications? I'd really love to use them in my next hobby-app-project!
Highlighting your question, right-clicking, and picking "search on google" returns specific instructions.
Besides getting rid of the cameras, what can I do to keep myself safe? I’ve got two of the outdoor pan and tilt cameras and an indoor pan and tilt we only use for our dogs
As a Network Security Engineer, I would never open a port on my router to a IoT device with questionable software. If that device gets infected, it can be used as jumphost to your local LAN.
Been wondering if we are ever going to see a video about this from Jerryrigeverything considering the entire office for notawheelchair is covered in Eufy cams.
While what you're saying about exposing a local port is true, given how insecure the existing cloud services are, do you really trust them to implement a secure service running on your local network, or one that's full of security holes like lack of encryption, lack of authentication and other glaring security fails?
you should use a ground source heat pump for A/C and heating. the ground is always like 50 degrees fahrenheit at a certain depth underground so you always have a big enough delta for heating even when its super cold.
Is the risk higher if multiple accounts' sensitive data are amalgamated on one public, well known server that they will give you a direct link to if you own their product?
Compared to lots of individuals having your own local solutions with some open public- facing ports, I'd say so.
This, boys and girls, is a prime example of how not to respond to such situation. Eufy is only making things worse for themselves. And as for them being a part of Anker, I would really like to know just how much control exactly does Anker have over them? I like Anker products and it would be a shame if I would have to stop buying their products and search for someone with a similar product and price.
This isnt a brand only thing, its an inteligence-Internet Chinese brand thing, like Tiktok and TP-Link.
Open ports on a router or other system on your network with security issues can allow remote malefactors in. That isn't exactly rare, but it would require you to have an unpatched security issue and someone looking at your network. Then again, when was the last time you updated the firmware on your router?
You're very right, and I think this comes down to what someone's willing to look for.
Is the risk higher if multiple accounts' sensitive data are amalgamated on one public, well known server that they will give you a direct link to if you own their product? Compared to lots of individuals having your own local solutions with some open public- facing ports, I'd say so.
i updated my routers last month, thank you very much
Doesn’t matter if I open a port on my router, I have traffic constantly going through which is opening temporary ports. So an non-updated router is still a security risk.
My ideal is camera is accessible on network only, unless someone sets up port forwarding. If they set it up then they can deal with minuscule risk that a forwarded port either has exploit on other end or router port forwarding can be hacked.
/sigh. When you use port forwarding, the vulnerability is not the router, or a not updated router. The vulnerability point is what the router is forwarding too. If the end point being forwarded to has software written by the usual level of dribbling developer who considers "compiled without too many warnings" (or just turned off the warnings) to be the level of testing and thought required, then you have a potential vulnerability. It's not the router's lack of security, you're by passing the router.
For example, if you had a lock on your door and then bashed a hole in the wall straight into your front room, the lock on your door is not the problem. Nothing wrong with the hole into your front room either as long as you understand that anything in it is at risk and you'd better have another door between your front room and the rest of your house.
Portforwarding is not possible when many customers are on cgnat, i.e. sharing a public IP with other customers.
My eufycam and the storage just stops working when the internet goes out 🤷
So much for an offline solution 🤷
On the topic of „smart home should run locally and just work“: I don’t know if it’s just happening in my circle but most people that I know that have built/renovated a house as a smart home actually don’t use integrated smart systems. They use simatic or similar industrial automations systems, or their downgraded versions like logo!, which will have a much longer guaranteed support window and parts availability.
I almost bought a Eufy SoloCam based on the local only sales pitch for my parents. Like that was the entire reason I was looking at it. I decided against it because the SoloCam couldn't eventually connect to a home base and I wasn't ready to invest that kind of money, and boy am I glad I didn't buy it.
I'm mildly certain that if you bought any of these on any credit card or through PayPal, you could contact your credit card company or PayPal to get a refund based on the product being different from what was advertised.
So eufy does the local storage through the homebase hub my question is does this all still work if your using HomeKit secure video bc my eufy cams are storing through that
So this leaves a n00b like myself with what choice for a simple in home camera? Would s camera that is HomeKit compatible be any safer?
On a tangent, the last Logitech webcam that I used had a feature that let you disable the light when it was being used as a motion detecting security camera. They haven't always been designed in such a way that the activity light can't be defeated.
If Eufy really want to include a picture in the email, they could embed it in-line (base 64 encoded as a string) in the HTML email source code. This avoids the need to store the pictures on their server after the email is sent.
This is why regulations like the GDPR or CCPA are so so so incredibly important for us as consumers. Even though its not a proactive tool, it provides us a lawful request for companies to disclose and/or delete any data they have stored about you.
They also say. The video clips are stored on the HomeBase 2 (like a hub) by default. The HomeBase 2 comes with a non-removable 16GB local storage. It can store 2 months’ worth of videos for a system with 1 camera, or 1 month for a system with 2 cameras (30 motion detections a day and 60 seconds recording each time). The old video clips will be overwritten by a loop when the space is full.
They also lied, have lied, and will lie again....welcome to the slow biol implementation strategy gloBAALly of the Social credit Score....
We need to get Legal Eagle on this. He *just* did a piece about those Scottish Titles thing, and made the point that it is NOT legal to say one thing in big bold marketing, and do the opposite, EVEN when the fine print says "we're allowed to do the opposite."
Woah, I literally ordered a security camera from them off Amazon yesterday. I was wondering why it was so discounted on Amazon😂.
Were they processing the facial recog on the device, or where they doing that in the cloud? I know one of the features on a nest camera was onboard ai so they could run facial recog local
Port forwarding isn’t guaranteed to work anyway. Some ISPs like many here in Australia use an additional layer of NAT at the ISP to conserve the number of public IPs they use. Either customers will need to ask them the also forward the port, ask for the NAT to be removed or have a static IP address be assigned.
Same in America (probably everywhere in the world), the dynamic ip just has to be updated somewhere the phone can access. Even if the device only works locally unless user signs up for something like no-ip it would be better then lying to customers.
There's also the fact that many consumers are not very competent with this kind of stuff so they should not be port forwarding, take this from someone who hosts a ton of services at home.
LOL I love that Happy Gilmore line “Are you too good for you home? Answer me?!” @0:33 😂 Bummed out about Eufy since I was so close to investing in them
In the US, marketing verbiage is considered equally as important as a EULA and similar documents. It creates a customer expectation that informs their buying decisions. Putting fine print that directly countermands marketing material does not invalidate said marketing. Moreover, the bit about "an informed customer" is irrelevant. The assumption is that a purchaser knows only what is on the box before buying. Eufy operating completely counter to what their customers justifiably think they are getting will probably lead to a class action here. I do have a few Anker products and have been completely happy with them. Sucks that a sub-brand has done this. Almost wish I had a few of their cameras, though. lol
on a side note, that totally relates to a lawsuit in the US against Velveeta because their instant macaroni are advertised as "ready in 3 and a half minutes" but don't take prep time into consideration. Welcome to murica.
Luckly i didnt buy there camera and or there doorbel. Is reolink a good alternative?
I feel the same way about the Cox Communication security system. I cannot connect to it from my own network. Sometimes the router for some reason isn't working through the cellular connection which has to go through my home network. It does not happen all the time, but when it does it's infuriating.
Sorry, this is 2022, API calls (over a network) should ALWAYS be encrypted... security 101.
I read a great book about this recently, 'This is how they tell me the world ends,' it's all about tech security, and is really well researched, highly recommend :)
My parents have a home automation system called Homepilot from a german company called Rademacher. The system is a local server, without subscription fees. I dont know if they have camera integration. But you dont have to open it to the web, if you dont want to. The only thing is if you want to be able to access your controlls from outside of your home wifi you need to, but it isn't any less secure than a normal home server, taken the same precautions.
I think the local push notification only works when an app on your phone wants to display a notification at the system OS level, without the data leaving your phone. when an external source, like a server, or a wifi camera wants to send a push notification to your phone, it does, indeed, need the thumbnail to be hosted somewhere on the internet, with an sufficiently obfuscated URL. also this whole guessing URL on amazon S3 key thing is *extremely* hard to brute force, not in a humanly reasonable timeframe. Dropbox actually experienced this same exact problem years ago, where they stored all users files on a single S3 bucket, and were publicly accessible if you were able to guess the URL including the token. This is standard amazon S3 CDN usage. also - "deleting" from amazon cloudfront's CDN is a very slow process. the CDN distributes copies of each file in datacenters around the world, and keeps copies of files in memory all over the place for maximum distribution speed, and minimum latency, so it just takes some time to clear things from this global cache. I still agree the advertising was very untruthful, and there were lies in the marketing, but still - there is no glaring security flaw or leak here. you cant actually hack anyones video feed, I have yet to see any convincing way this can be done. as far as i can tell, the video feed URL can only be obtained with the proper auth token, which requires user login, which is basically mimicking exactly what the eufy mobile app itself does, no more no less, its not a hack. this is just how the internet actually works. all of the engineering practices are pretty standard practice. all the guy did was reverse engineer what the eufy mobile app by observing it. its a little bit like sharing a google doc link where "anyone with the link can view" - this is just how URLs work. a sufficiently unguessable URL is the same as a secure endpoint, even if the URL is "plain text". anyone can painstakingly replicate an app by observing its API calls, but it cant do any more or less than the original app. I can build an instagram clone which talks to the instagram backend and pretends to be the instagram app, but it doesnt mean i hacked instagram. as much as I would like to see a chinese company get caught doing something evil, this is not it. (unlike the WYZE V2 security flaw, where it *was* actually possible to get access to a random persons video feed, and they covered it up). by all means, take eufy down for the dishonest advertising about local vs cloud, but theres no security flaw, im still waiting to see if a real hack comes up.
It is almost impossible for iOS and would be very inefficient for Android to send notifications without a notification service but Eufy could use end to end encryption between sensors and mobile devices in the payload level with an additional layer. And they don't.
I haven't actually seen them say "Local ONLY", they just say "Local storage". That could well mean (and apparently does mean) you have a local COPY. Unless they specifically say they do not upload to the cloud, then you should assume they upload to the cloud. All Eufy say is "No Cloud Fees", not no cloud uploads.
Did you even watch (the beginning of) the video? "What happens in Your Home Stays in Your Home" does mean "...and in the cloud" to you? Unbelievable.
You are right about the seriousness of this issue. I would avoid Eufy. But I would not necessarily extend this to Anker products. I would imagine that different management teams are involved in batteries and cameras.
Doesn't matter. You can't trust a company which subsidiaries do what ever the fck they want. Simply saying "ohhh we didn't knew someone else is managing it" is not sufficient. If you can't keep your management's in check and you don't know what they are doing you are simply lacking personal used to oversee it.
It is either carelessness, which makes me not trust a tech company whatsoever (even when only buying a Powerbank) or can be directly contributed to malice. Since their claims are so obviously fraudulent (you sell me a product that doesn't exist/you don't offer) I would assume the latter and just stay away from the entire thing.
And especially as an influencer that values his advertising influence it's better for him to stay away from Anker even when he wouldn't mind them lying.
If you don’t have notifications setup with images, does it still push everything up to the cloud?
I was so close to jumping in with a bunch of eufy stuff. So glad I have waited!
oh boi the eu is gonna have a field day with this one ;)
So is the ACCC: “local only” isn’t something they can weasel out of. Their marketing is straight up illegal lies.
@@Girvo747as an Australian myself, ACCC will hand them a lawsuit straight up and they will be forced to comply and take out a whole page on the Daily Terrorgraph and SMH once they lose, definitely a huge field day for the ACCC.
This *definitely* breaks the GDPR (assuming they sell this in the EU as well). What 30 day? You cannot collect any data, without the user explicitly agreeing to it (and no, burying it in privacy policy doesn't work either) in the first place! The EU should just straight up bad these for non-compliance.
Yes eufy sells their produkts in the the EU market
I am UK and use a eufy doorbell, I will be keeping a close eye on any potential legal pushes
So what should I buy that is local, battery with solar and no subscription fees ?
...any suggestions for what to buy instead :/ I was just about to buy a eufy home security set up for these reasons so I am glad that this got out before I made the purchase but also kinda bummed that now I'm back to square one.
Probably Annke or Reolink
Diy. Only way to know how it works. Wire up some cams to pi or something.
@@pixelfairy Yeah I was thinking about getting the PI's out and just doing it myself but then I was like...That is a lot of work
I was going to recommend the robot vacuum eufy makes cause of the price. Not anymore. I hope Anker will drop eufy and/or fix this cause Anker chargers and cables are some of my favorite.
Roborock vacuums always has good sales and have great suction power, and I haven't seen any reason to worry about them, yet. Anker needs to drop Eufy like a bad habit, but I feel like they'll just go through some reorganization with a name change, but the same corporate team running things.
Hopefully this does not mean their entire product stack is compromised because I have a Eufy deadbolt and this news has me a little concerned.
Change it. I’ll still rep anker but eufy is dead to me and I’d never consider cloud security anyways.
Does it matter? They've proven themselves to be liars, and unapologetic liars. Nothing they've said or done can be trusted anymore.
@@robparker5525 anker still makes that good good in the battery department, but damn eufy really just took a 50 cal and shot themselves in the foot
I don't think it means that, but it's still something that, if you have the money, you'd want to consider changing.
I also have a eufy deadbolt, and tbh I can’t really think of a reason that this would “force” me to change it. I already spent the money, and my deadbolt can’t really upload any data that would be concerning.
if cameras are set to record to nas(rtsp), they still upload to cloud ? thank you
what if there's homekit secure video enabled for the eufy ?
Even if they had a cache server that temporarily held notification images in case of intermittent connection on either end of the "local" WAN link (home network to cellphone), there's no excuse for there not being end to end encryption, with keys held truly locally so that the cache server just holds encrypted content it can't make heads or tails of.
I'm am unsure of whether I should continue to use Eufy systems at this point as I have hundreds of dollars of their equipment.....I wonder if other protocols are compromised outside of camera monitoring....
You should not. It shouldn't even be a question at this point. They're denying they did anything wrong, or even that there's an issue. There is absolutely no reason to trust their claims for anything they sell. Recycle their equipment responsibly and invest in a company that won't do this.
@@bruwin I'm gonna underscore your second sentence, but perfectly said. It's not like this is an issue of having a vulnerability being discovered, the vulnerability was by design and created in such a way that I'd call it being deceptive to the end-user
Hundred percent send them an email with notes detailing what equipment you have and cost you brought it for. And dictate you want a full refund on the basis. Offer to return equipment in order to get the refund, just be sure they have written that they will do full refund before sending the products.
You relied on the advertising of local only storage.
They knowingly knew data was stored in the cloud.
You wouldn’t have brought it had you known it had cloud storage.
They knew that you wouldn’t have brought it if they represented that it had cloud storage.
I am sure a lawyer could hit the 4 points needed to prove fraud a little better then my off the cuff memory, but this is classic fraud and main recourse is reversal of all agreements.
If you are part of the way into the Apple ecosystem, connecting everything into HomeKit, and then restricting the video service within the Apple Home app uses what’s called HomeKit Secure Video. It blocks Eufy’s servers and only functions through HomeKit. That’s a viable option for those supported devices at least, which is a lot of Eufy’s products. But to get full functions for many cameras, you have to pay for iCloud storage, unlimited recordings if you have the highest tier. And video resolution currently maxes out at 1080p.
I did that from the start, because I trust zero of these Chinese camera companies to develop secure software.
@@quaternio that may be viable. I'm halfway in halfway out of apple as I have an iPad and apple TV but the gf is apple everything except her laptop
how can we test the vulnerabilities? Does anyone have the test cases to do?
Yeah.. Going to offload all my Eufy stuff soon unfortunately.... What should I buy instead? Any recommendations?
If you ever try to set up a device/software and actively block the internet most devices simply won't function. They may say they are offline but are always calling home to look for updates ect. I heard about one security camera that would let you record all day/week/year but the second you wanted to save/export the video they made you pay a subscription.
This made me a bit worried, I have some Kasa smart cameras that I use for 24 Hour recording that is stored locally. After watching the traffic for a couple days it moves about 1.34 MB of data per day. Granted I have notifications turned off for motion.
1MB is not enough for even one photo, it's probably checking for software updates
@@aonodensetsu not enough for one photo? A grainy JPEG can be a 100 KB in size and still show more than enough detail. That makes around 10 pictures a day. Totally possible. And 1.3 MB is a lot for simple requests.
@@PvtAnonymous correct especially compressed thumbnails.
OP you will probably find it is still sending images from your camera in the form of notifications. Turning the setting off only stops the data being retrieved by your phone. The data is still being sent and stored from your camera ready for push to your phone.
Regarding the sending of data from Local -> Device in push notifications. I can entirely see it being possible for a company that large being able to...
Encrypt all images with key XYZ before pushing up to the server. When your images appear on their servers, they're encrypted and useless. When they're pushed from their servers and pulled down to the authenticated device, the device should have a local copy of the decryption key, therefore it can locally decrypt the image.
This is not a feature of Android nor of iOS notifications. Can you code it in your app? Yes. Will it work? No. iOS and Android will just kill your app for using too much battery. Welcome to the walled gardens of smartphone OS's
please your automation code how you built the google assistant in the VM ❣
This is the kind of thing where Rossmann would say "don't accept the premise of assholes." People will use anything to justify their narrative even going as far as denying their own experience in some cases by putting blame on themselves. This mentality just does not make sense. It's scary in a way.
I finally got fed up with my Anker headphones not charging properly and was all ready to upgrade to a newer version from Anker when this news hit.
Not that I think they're bugging my Bluetooth, but it gave me just enough pause to ask why I'd give a company more money for having to replace their broken product.
Wait doesn't it have to go to the cloud to function. How else would you not get feedback at the doorbell? The sound is coming out of the speaker and there is a mic right there, so the sound has to be equalized somewhere? Am I Not getting this right?
I thought the camera light thing was normal? is that not normal? Can my camera turn on and the indication light not be on?