Why we're dropping this sponsor

Comments • 2 215

  • A Killer Squirrel
    A Killer Squirrel Month ago +21

    The "S" in IOT stands for security.
    IMO the only safe way to have IOT devices is to have them sequestered on a separate network without internet access, then use something like HomeAssistant as a sole point of data ingress/egress

  • metacob
    metacob 2 months ago +14

    They didn't just omit any form of security, they even upload data when you explicitly told them not to.
    This is what companies mean when they say "We are very committed to our customer's privacy!" - without independent reviews, that's meaningless.

  • Silver Cymbal
    Silver Cymbal 5 days ago +1

    Wow I am glad I never worked with these folks, they must have offered me 5 sponsorships. I didn't really care for the product but I could not have predicted this!

  • superfragilisticatexpialidoshmur

    Damn. I would say hopefully they can turn this around, because the products themselves looked great, no subscription fees and local storage of files. I don't think this is something that can be recovered from, though. It's hard to trust after this kind of mistake.

  • DriveAndMaintain
    DriveAndMaintain 2 months ago +4887

    If ever you feel completely worthless, then just know that you're not a cyber security consultant working at Eufy.

    • some prick
      some prick 10 days ago

      Legit lol

    • Scott Merryman
      Scott Merryman Month ago

      SAVAGE

    • Omar Garcia
      Omar Garcia Month ago

      Check out this response: clip-share.net/video/a_rAXF_btvE/video.html

    • The Program
      The Program Month ago +1

      @Nick Ryan I think Stuxnet illustrated how _any_ trusted-but-unverified IC is a potential threat vector. You design the chip in VHDL or verilog, then the fab sends back a chip. It's like an insecure compiler vulnerability. How do you know that the mass-produced chip faithfully implements your design and doesn't have a few undocumented "glitches" placed by some country's three-letter agency or a snooping corporation? Yeah for some chips I can't immediately think of a way it could be abused, but history has proven that there are some very clever and creative ways to exploit seemingly-secure systems.

    • Nick Ryan
      Nick Ryan Month ago

      @NMSLese CNMBese What an insightful response. If you can borrow a brain cell from someone try reading what I wrote before dribbling out something like this.

  • Richard Bartlett
    Richard Bartlett Month ago +1

    When I bought their video doorbell and learned that even though it stores content locally you still needed an internet connection to access the device I was disappointed. This news explains why.
    I don't know what's so damn hard about this. I don't need any internet bullshit on a video doorbell. All the services any vendor could provide and potentially charge me for, I can provide for myself. We're going to have to roll our own video doorbell with some SBC aren't we?
    There just aren't any companies out there who want to make a good standalone product that isn't also trying to collect and sell your data.

  • Dave Publiday
    Dave Publiday Month ago +1

    Instead of fines, a court could just pull the company's charter. This is effectively capital punishment for corporations. Perhaps drastic for violations of privacy, but for cases where there has been loss of life, it should be done. It is a remedy on the books but almost never, ever used, and it should be.

  • Chameleon Scheimong

    I feel like what Luke said at the end there really echoes well with the experience of many other techies, i.e. viewers of this channel. Most average people simply lack the most basic awareness of privacy when it comes to internet-connected sensors in their lives. I've had to explain multiple times to my immediate family, "NO. We are NOT going to have this smart speaker with this always-on microphone in our house. The only place it belongs is the rubbish bin outside."

  • N Rom
    N Rom Month ago

    I hope and pray that there is a class action lawsuit for this with substantial ramifications.

  • Dane Roschen
    Dane Roschen 2 months ago +1676

    6:33 I beg of everyone at LTT/LMG to be lenient on the employee who asked "If Eufy smart scale is sending pictures of my balls and taint, is that a bad thing?" That was the best laugh I have had in days and was actually vaguely on topic.

    • Keilnoth
      Keilnoth Month ago

      I do own a Eufy smart scale and was wondering the same!

    • Felipe X
      Felipe X Month ago

      I wonder what kind of balls recognition software they have over there. Can they balls id you?

    • Dale Earnhardts Seatbelt
      Dale Earnhardts Seatbelt Month ago

      Writers asking the real questions. Are they collecting pic of the ol fruit basket and roast beef?

    • Dane Roschen
      Dane Roschen Month ago +1

      @Bogdan Zadorozhny Felt like Riley or Alex with an edge case of Anthony. Dennis doesn't usually have topics, it's more the writers jobs.

    • Bogdan Zadorozhny
      Bogdan Zadorozhny Month ago

      Dennis?

  • QuietRiverBear
    QuietRiverBear Month ago

    Assume everything you do online is known regardless of claimed encryption. This includes IOT. Users, in general, don’t have time or skill sets to be constantly monitoring the gadgets. Keep that in mind when placing tech, any tech, about your home, work, anywhere.

  • schmickymouse
    schmickymouse Month ago

    This is why I'm building my own off-line security system, I refuse to touch anything that connects to a company's server for my security/personal/private data/info

  • John Williams
    John Williams Month ago

    Wow, and I had actually been thinking about replacing all my Ring cameras with Eufy cameras when the time came to upgrade. No chance now!

  • Infinity
    Infinity Month ago +2

    Eufy never should have advertised it as "no clouds", as that is not true. But this really isn't surprising and is probably the same way Ring and others handle rich notifications (using CDN). Obviously you aren't directly connecting to the doorbell or homebase when outside of your home, as you didn't have to do any sort of port forwarding in your router to make it work outside your LAN. The big issue that was glossed over on this video is the accusation that actual video can be streamed without authentication/encryption. Anyone have any actual evidence or PoC of this?

  • ggg21201
    ggg21201 Month ago +1

    Damn it I have all Eufy security cameras and sensors throughout my home. I normally shy away from Chinese products but they were actually really good products. But when you think about it, the way the Chinese government subsidizes a lot of their industries like solar panels they are 100% probably subsidizing a product like Anker to gain competitive advantages in order to exploit an industry like this. God I was so dumb when I bought this product. 😰 I'm hesitant to even try to sell it as it will just be hurting someone else.

    • j2simpso
      j2simpso 10 days ago

      If the CCP wanted to build an extensive facial recognition database of their adversary (Americans) this would be one great way to do it!

  • fubar totale
    fubar totale Month ago

    Eufy was the brand that I was pretty much settled on.
    Perhaps do an evaluation of all the video doorbell brands and make recommendations?

  • 127.0.0.1
    127.0.0.1 2 months ago +896

    As a mate in the military said "If it says military grade, don't buy it, our own equipment is cheap"

    • Nicolas
      Nicolas 2 days ago

      tHanK yOu FoR yoUr sErVicE

    • Shawn/IO
      Shawn/IO 5 days ago

      yeah that makes absolutely no sense.

    • dexta32084
      dexta32084 8 days ago

      Military grade = lowest bidder

    • Blondi27
      Blondi27 11 days ago

      @K.G. B ww2 was filled with crappy equipment. They used to make peasants reforge farming tools. It's always been a thing. Wars are fought for money so why would the grubbers spend a cent more than they need to.

    • Osmosis Jones
      Osmosis Jones Month ago

      @Daniel Gonzales always has been

  • MrVegas
    MrVegas Month ago

    I had a Eufy door bell camera in and out of my Amazon cart / wish list for the last 5 months. I just left Amazon and kicked it from my Amazon wish list. I'm done with the company too.

  • KuilowKey
    KuilowKey 2 months ago +2393

    There are many more backdoors like this that are going unnoticed. Hope more attention is given to this and people start researching.

    • Olivia CLTFC
      Olivia CLTFC Month ago +1

      sometimes i feel like i might be a little paranoid for being so ardent in my refusal to get a ring doorbell or an alexa setup, and then videos like this pop up and i feel vindicated.
      there’s another video i saw a while ago of some white hat content creator hacking into some guy’s alexa system because of a vulnerability with the way it handles ip connections over wifi and taking over its speakers to tell him what he did and how to fix it. that’s my nightmare, that my computer is gonna do that one day.

    • L Fork
      L Fork Month ago

      At least if there is a camera on the scale, it means there are a lot of other backdoors getting noticed.

    • Hubba Bubba
      Hubba Bubba Month ago +2

      @Al van der Laan missing the point, expensive tech does this too, they're just better at hiding it

    • Al van der Laan
      Al van der Laan Month ago +2

      People do not care, they want the cheapest and complain only after the fact. People will never research, too much work man, I need the shiny.

    • Hubba Bubba
      Hubba Bubba Month ago +2

      If the Snowden leak didn't do anything nothing will

  • 3D world
    3D world Month ago +1

    Good luck guys in guessing all the IDs stored in the link to the photos... including time of event :) without inside access. All that is just so funny to hear ;) Looks like somebody didn't look closer at how the link is created and stored and for how long. And how the push notifications work. I would stay with Eufy... and recommend this - the best option on market with the best local storage solution. And still safe. You guys can jump to Yi or other Chinese brand - no problem... or create your own cameras which would work in LAN.... but no photo push notifications unfortunately.

  • CryOfSolace
    CryOfSolace Month ago

    You guys could start doing security checks on consumer products like this. For example, can you verify that the mute button on an Amazon Echo genuinely makes it impossible for the device to hear you?

  • turd ferguson
    turd ferguson Month ago

    damn it! i love my eufy cams! i dont have the doorbell but have a few other outdoor ones. not that its a huge deal if somebody is able to see my dog using the bathroom in the backyard and my cars sitting in the driveway, but the fact nobody else ever should have seen any of it is awful.

  • Chris Panton
    Chris Panton Month ago

    I'm glad I never actually got around to reviewing their doorbell. Sheesh! There's a reason why something is cheap

  • Daive
    Daive 2 months ago +1931

    Out of every company I've seen, Anker is the only one I've (cautiously) had brand loyalty to and felt like I could trust, and this is coming from someone who believes that no one should have any brand loyalty. Nice reminder that even seemingly great companies in terms of trustworthiness and transparency of products (specs of products being accurate (especially battery life), quality products, good customer support, etc.) can still do shitty things.
    EDIT: Situation is likely more complex than it initially seemed (as most things probably are). It's worth checking out the video from The Hook Up (thank you David Jeffers), The Verge's "Anker’s Eufy lied to us about the security of its security cameras", and Ars Technica's "Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted". Definitely worth following the situation before making any final judgments.

    • Look ItsRain
      Look ItsRain Month ago

      @SHR Modding It depends on the specific license, but overall you can't just copy someone else's code with no attributions or remove license info relating to the original creator. Anker at the moment is refusing to provide their source code despite admitting to using Cura engine (AGPL), MeshLab and VCGlib.

    • SHR Modding
      SHR Modding Month ago

      @Look ItsRain I probably should. How do they work?

    • Look ItsRain
      Look ItsRain Month ago

      @SHR Modding You should probably learn how open source licenses work

    • SHR Modding
      SHR Modding Month ago

      @Look ItsRain how can open source code be stolen? I mean, it's in the name no?

    • Mike Starkwind
      Mike Starkwind Month ago

      @iDoujin Well, I wonder if that is actually the case or not! I am sure there are ways to ‘re-route’ data through a charger and then upload it to their cloud, while you are connected. Or if you use one of their dongles with Ethernet… And I have both!

  • Christopher Woods
    Christopher Woods Month ago

    I had a gut feeling the Eufy doorbell cameras did something like this, the claim of no cloud is just too convenient to be true when it was almost certainly always a bolt-on to the original design. And I doubted they'd have ever bothered to make some port forwarding or broker mechanism for people to connect back directly to their cameras or Homebase for things like stored thumbnails because it would have made it onerous to maintain two mechanisms. The rest is just piss-poor summer intern coding. None of it is forgivable. I also noticed on my Eufy pan-tilt camera that similar things were happening and I was also able to start an HLS stream direct from the camera by URL, but anticipated that stupid stuff like this would always be possible. It's sad that I still expect this to be the norm with these lower priced consumer commodity products. Lazy, inadequate security and platform design undermines otherwise good products. Good on LTT for publicly dropping them.

  • Jahshi
    Jahshi Month ago

    Time to start a new era of LTT where you take apart everything to check if there's malicious hardware/software. You're welcome for the best idea of 2022. lol I hope.

  • TheAbc45678
    TheAbc45678 Month ago +1

    After 3 or 4 more scandals like this you guys might actually start to appreciate Apple.

  • bilinas mini
    bilinas mini Month ago

    ...and THIS is why I don't want a camera in every room of my house unless I KNOW that it's wired up physically to something that I control

  • ItsFreakinHarry
    ItsFreakinHarry 2 months ago +1274

    Damn, I have a lot of Anker products and really like their stuff. Such a shame they went down this rabbit hole with Eufy.

    • Io_
      Io_ Month ago +3

      Ha. Like they probably had a choice, PLA were knocking on the door like with Huawei.

    • Sabersz
      Sabersz Month ago

      @Alias Anybody I'm reading your comment while I've got three Anker cables plugged into my outlets. So yeah, it does totally leave a sour taste regardless of if someone's been directly affected or not.
      Shit like brand boycotting needs to really ramp up. Companies have gone off the rails and think they can get away with anything. A sharp dip to profits should bring them back to sanity.

    • James S.
      James S. 2 months ago

      could be a bad decision by a eufy-exclusive director to boost earnings, could not. who knows

    • Hdhd Hshs cbxhdh
      Hdhd Hshs cbxhdh 2 months ago +1

      @Robert Andersson which device description are you quoting "local storage only" from? I have not seen that in their product descriptions; they advertise local storage as a feature (and it truly is local storage as the video remains on device). If you set up to have it notify you and sync data to the phone, it's generally necessary to have the device push certain data to the cloud

    • Robert Andersson
      Robert Andersson 2 months ago +2

      @Hdhd Hshs cbxhdh It's not supposed to upload at all though. That's the point. It says "local storage only".

  • Goobfilm cast
    Goobfilm cast Month ago

    Take note: ANYTHING can be a camera, microphone or GPS locator

  • Bambam bm
    Bambam bm Month ago

    Now I regret buying my Eufy cameras months back. I really wish I could get my money back from this BS.

  • TwistedMe13
    TwistedMe13 Month ago

    So what companies would you recommend as an alternative to Anker? It's a real shame to lose out on their products as they've had a reputation for making good kit (cables/chargers).

    • Kiekerr
      Kiekerr Month ago

      Ugreen is pretty good

  • thefatmoop
    thefatmoop Month ago

    In Illinois (USA) running facial recognition/tagging without consent is illegal. IL Facebook users were awarded 400$ for non-disclosed facial recognition. Sounds like eufy didn't disclose and will likely get class action lawsuits from IL and similar states.

  • Make It With Calvin
    Make It With Calvin  2 months ago +502

    I feel like this is something for LTT Labs to look into on "smart devices": are they as secure as claimed, and are they doing detectable nefarious things that go against how it was marketed? This could get very interesting VERY fast.

    • GrimReaperNegi
      GrimReaperNegi 5 days ago

      @Jendrej Sadly I haven't watched it in weeks. If I remember rightly they were joking about the company, and I think to me they were joking too much. Like trying to say, "yeah they paid us to promote them, lol." At least that was the vibe I got.

    • Jendrej
      Jendrej 5 days ago

      @GrimReaperNegi I'm sorry, you've lost me, what are they joking about again?

    • GrimReaperNegi
      GrimReaperNegi 5 days ago

      @Jendrej I still don't think they should joke about it. I think it is fine if they don't apologize, but you shouldn't joke about it so much.

    • Jendrej
      Jendrej 5 days ago

      @GrimReaperNegi I think they were promoting different products from the parent company

    • GrimReaperNegi
      GrimReaperNegi 28 days ago

      "Why we're dropping this sponsor" that means they got paid for promoting it before right? If someone bought it due to these guys, and they joke about it!!

  • Arkanium Gaming
    Arkanium Gaming Month ago

    I changed from Arlo to Eufy. In 2019, Arlo pushed a firmware update to my cameras that killed motion detection. You could run past jumping and waving and it will not see you. With Eufy, they sent me the completely wrong system. They told me I had to return the system, wait for a refund, and then buy it again. The only bypass to this is an RMA which I did request and provide several videos of proof showing all cameras having outright broken audio. Needless to say, they outright refused to RMA. Their 2C pro camera looks super shitty [mainly frame fuzz] but does pick up 98%+ motion so far. 16GB of video storage somehow only comes out to 12GB. To top things off, I was just [as of typing] logged out of my account and my password no longer works. If this happened several months ago, I would just return it and install CCTV and deal with all that trouble over all this BS.

  • Toumal Rakesh
    Toumal Rakesh Month ago

    If you want more than the surface level anger of "trust me bro" Linus, check out The Hook Up on this topic. He goes into detail what's actually going on, and why Linus' outrage is based on a shallow understanding of the issue. Also, Eufy DID fuck up in the past (they jumbled the device sharing so people could see random stranger devices in their list). But again, Linus completely misses that literally all other devices that support rich notifications do the same thing with regards to uploading thumbnails.
    EDIT: To be clear, claiming to be local-only and then uploading stuff to the cloud is no bueno. However, the issue here is the uploading itself (or the promise not to), not how they do it. So if you go "lol they upload thumbnails to a public S3 bucket" then congrats, you missed the point.

  • freemab222
    freemab222 Month ago

    Suggestion: Find someone whose privacy has been violated by one of these devices. That could entail something as simple as photographing a person in a two-party consent state. For the vacuum with a camera, possibly any photo of a child, especially its face, might suffice.
    Next, take it to court (Federal, if feasible) and ask for an immediate injunction. IANAL, but I bet there would be lawyers salivating over the possibilities.

  • snaplash
    snaplash Month ago

    You'll need a router that can block specific devices from accessing the internet.

  • InPad III
    InPad III Month ago

    Damn. Was hoping they were going to be trustworthy, since there are basically no good “local only storage” home security camera solutions. 😭

  • Ike Stewart
    Ike Stewart Month ago

    I have a Eufy video doorbell, and am not all that concerned that the Chinese government knows when the mailman delivers a package to my front door. Now if I had their security cameras inside my house, that might be another matter, but here we are talking about stuff anyone driving by on the street could see.

  • ProbablyNotIan
    ProbablyNotIan Month ago

    I bought an older model because of the HomeKit integration. Never once configured it to use their service.
    I guess now I need to break out the packet sniffer.

  • Rusty Shackleford
    Rusty Shackleford Month ago

    Do y'all remember that scene in Silicon Valley where Dinesh forgot to update the TOS and caused the company to suffer billions of dollars in COPPA violations? I'm pretty sure they just did that for real. Every house that has a camera in an area where children dress/undress probably uploaded some stuff, too. They are so fucked.

  • Walter Wolfe
    Walter Wolfe 2 months ago +748

    As a Software dev, I question if this is even a "Breach" as nothing was breached, they just ignored security entirely. It's something worse.
    Edit: Apparently there basically was an auth token embedded in the url, so it was secured. So it's actually not a breach at all.

    • Espressomatic
      Espressomatic 5 hours ago

      @DELTARYZ Read the licensing agreement. This is also something every single doorbell company is doing.

    • Rose
      Rose 7 days ago

      Yeah legally speaking if I were to spy on your intimate moments, I could literally claim "but I didn't bypass any authentication" and get off scot-free.

    • BIZKIT
      BIZKIT 18 days ago +1

      you need to go back to school.
      The researcher created a breach by finding the embedded token and viewing the content. They didn't have logging or any oversight so there is zero chance they could prove they weren't additionally compromised.
      As is standard practice in the security industry this would be treated as a breach and specifically has been at all major Fortune 500s and is in part why AWS forced by default that all S3 buckets be encrypted and password protected.
      It's devs that broke this because product made them move quickly without consulting appropriate experts.

    • David Gardiner
      David Gardiner Month ago +1

      @David Jeffers yes, absolutely. GDPR is pretty strict. Having possession of data against what you say you'll do, even 'accidentally' is a breach of the law that carries hefty fines. Just like a release of personal information, even because someone hacks you, is a breach of the law. If you can't keep data secure, the law says, then you *must* not attempt to store it.
      GDPR is also codified from the position that a person's data is always not stored by default, and you *must* be clear if you're going to store it for any reason. And by clear I mean not in small print. Every time data is kept the data storer must ask the person if they want it stored, with the assumption being that they won't.
      You're not even allowed opt-out marketing emails now, the customer must always have to opt-in. Some companies skirt this pretty close, but that's what the law says.
      Sometimes that means the warning must be there in bold sight saying "by using this service [certain data] must be recorded" but again, not in small print. It must be front and centre.
      GDPR also goes to great pains to distinguish a higher level of security and penalty for any information that is 'sensitive' (the definition of which is long-winded, but akin to the old data protection rules about 'personal') and any data that can identify the user.
      There's again caveats about law enforcement, but that's pretty clear stuff.
      Breaches of GDPR come with a maximum fine of €18 EUR or 4% *global* turnover.

    • David Jeffers
      David Jeffers Month ago

      @David Gardiner Is it though? Based on the way the hookup describes the more nitty gritty parts of the situation, that doesn't seem to be true. It seems like this was simply an issue of marketing over promising. Which is still to be fair, a bad thing, but these products are still leaps and bounds better than the alternatives that are cloud dependent. This isn't cloud dependent, there are just some specific features that do rely on the cloud, like rich notifications while you're away from home.

  • Rxonmymind
    Rxonmymind Month ago

    I've always had a gut feeling about this company doing shady things. Never trusted them.
    All my video is outside the house. Never inside for this reason.

    • Heath Hardie
      Heath Hardie Month ago

      Not just Eufy. I wouldn't have any camera that connects to the internet in my home.

  • Steed_Digital
    Steed_Digital Month ago

    Well I pretty much default to Anker for batteries and such and was just looking at their battery and solar bundle for when we get small blackouts. Guess I'll be looking elsewhere now. I don't bail on a good brand lightly either, this is a huge mishandling on every level.

  • Shane Kirk
    Shane Kirk Month ago

    I don’t know if lawsuits really are the solution. I mean. It’s GREAT if they work, and the fine is meaningful.. but it’s all very retroactive, and affects the minority of companies who have a big leak. In practice, leaving behind many companies with the same vulnerabilities who just happen to have not been hit with a scandal yet. It’s a place for security legislature, and governments need to start taking it seriously and implementing and enforcing standards. The EU privacy laws for instance are a start. That’s the kind of thing that ACTUALLY starts pushing a change in the industry.

  • Matthew Haworth
    Matthew Haworth Month ago

    That's a shame. I have owned tons of different Anker products at this point and I haven't been disappointed by a single one... but, this... there is no conceivable way they didn't know this kind of procedure and handling of some of the most sensitive user data possible was completely unethical, likely illegal, fraudulent, and a complete breach of trust. I guess they just thought screw it, nobody will find out.

  • Enchanted Goose
    Enchanted Goose 2 months ago +497

    I was literally just about to buy some Eufy cameras, so I’m really glad I waited!

    • pilotdog68
      pilotdog68 Month ago

      @Lightevilaster yeah for storage. The big draw was that you could slap in a huge memory card and record years worth of alerts without paying cloud storage fees like you would with Ring or Arlo.
      No reasonable person would ever expect that nothing at all is being sent to the mothership when the entire product is an internet-connected device.

    • Lightevilaster
      Lightevilaster Month ago

      @pilotdog68 marketing material shown in the video clearly indicates no clouds and no costs and that only I will have access to the data

    • pilotdog68
      pilotdog68 Month ago

      @Lightevilaster How is it pure malice? One of their main features is their prompt notifications and AI face detection. Those are the reasons people buy their products. Did people think that face detection was running on a $30 camera? really?

    • DDurbin
      DDurbin 2 months ago

      Same! Just moved into a new place and liked that Eufy works with all Apple Home Kit and price is good.
      Looks like I’m back to the drawing board

    • Enchanted Goose
      Enchanted Goose 2 months ago

      @Studio23 Media Do those support HomeKit? That’s honestly the only reason I was considering Eufy

  • DroppedMayo
    DroppedMayo Month ago

    "Make an example out of them", as a Canadian; This is the funniest thing I've seen in a while.

  • Jade Ferra
    Jade Ferra Month ago

    Damn it, I tried so hard to get a good doorbell that wasn't spying on me. >:(

  • Iamttuk
    Iamttuk Month ago

    I've been happy with Anker and was looking at Eufy due to that. Well, now I'm glad I didn't...

  • EightAndOh
    EightAndOh Month ago

    I'm honestly curious. I purposely bought these, because I originally went Wyze, had a similar issue. Thought I'd actually buck up and get something secure that was local as we use our kids rooms on these as well. Now I have to replace everything, at a larger cost incurred by me, with zero recourse, and the worst part is, now I have to worry about what's out there with my kids on it?? And not going to lie Linus, the part where you guys snicker about it, this isn't funny. Nothing about this is funny. You kinda pissed me off how tongue in cheek you handled this (more so Luke snickering every other comment). This company needs to burn.

  • CasualCoreK
    CasualCoreK 2 months ago +318

    The only way stuff like this stops is when execs start seeing INDIVIDUAL consequences.

    • Metalface
      Metalface Month ago

      @ln+3rna1hàbän3r0s "Dear slaves, how do we stop your slave masters from doing horrible things?" "Idk, we're literally slaves we have slaving to do that's all we're taught to do from the get go bro"

    • Metalface
      Metalface Month ago

      @Beregorn88 Meh, fuck it, just get them all then. If you partake you're responsible. Seems easy enough. Instead of asking anyone here to figure out the fine details, let them figure it out themselves later. Until then, if you took part, you go down with the rest.

    • Metalface
      Metalface Month ago

      @CasualCoreK Why would they ever make laws that could punish those who fund basically everything for them? It's really just one big loop. It protects itself.

    • Corey Rogers
      Corey Rogers Month ago

      @Calen Laughlin That's exactly what it is. It's to protect those in charge from shady decisions and to protect shareholder profits.

    • Calen Laughlin
      Calen Laughlin Month ago +2

      @Corey Rogers I've heard this many times, however I've never seen a corporation go to prison. It seems like a convenient lie to protect actual people from the consequences of their actions.

  • Jake Jager
    Jake Jager Month ago

    I love my Eufy vacuums...had no idea they also made phones, glad I only buy their vacuums! LOL

  • Matthew Carl
    Matthew Carl Month ago

    Thought LMG was different….nope just automatically jumps on the bandwagon. Maybe you should take a look at it yourselves and find out what is going on and then give your take on the issue. I am not a user of Eufy, but LMG’s take on this product without its own review, is just one more reason to stop trusting what comes out of LMG, and what I find fewer reasons to watch their channels. A huge company who has a blowhard as the CEO who makes decisions about not working with a sponsor based on another Clip-Sharer at the drop of a hat.

  • Viking Robot
    Viking Robot Month ago

    Is this just affecting the smart doorbell cams or the Eufy 2c cams as well?

  • sithlordmaster181
    sithlordmaster181 Month ago

    Wow I’m shocked. And to think I was eyeing some new anker chargers. Guess I’ll look elsewhere. Hope this hurts them financially.

  • LordHonkInc
    LordHonkInc 2 months ago +509

    Holy wow, that's like the holy grail of fuck-ups. An unsecured -two-way- connection (it sends data _and_ you can watch with even just vlc) that allows full access to a live video feed could really only be topped if the things were built so shoddily that they'd allow somebody to compromise your entire network (and nobody's yet said that _isn't_ the case). Hats off, pulling something so stupid off requires knowledge, skill, and determination… to do the wrong thing.
    Edit: it's probably not two-way, I misheard "VLC" for "VNC" and assumed there's data going _into_ the device, not just coming out of it.

    • Driahva
      Driahva Month ago

      @MopedMike what? Isn't that some stupid reality show? What exactly don't we understand? Does Linus also not understand?

    • MopedMike
      MopedMike Month ago +1

      Wrong, go watch The Hook Up’s video showing how everyone doesn’t know what they are talking about.

    • SepticFuddy
      SepticFuddy 2 months ago +1

      @facey Kad Their response is not one of a company who is going to fix the problem. They also either very well knew the issue or are wildly incompetent not to have. Yet they still advertised it the way they did, which is fraudulent.

    • Driahva
      Driahva 2 months ago +7

      @facey Kad it's not an overreaction. It really isn't.

    • lee x
      lee x 2 months ago +1

      VNC is a remote access tool, was very common, funny that they use a VNC server on the cams to see output

  • glsracer
    glsracer Month ago

    I'm not surprised by this, all of the Chinese cameras I have are constantly trying to send information to their home servers. Some made me install literal spyware to access the web UI (I set it up via VM). I block all communication to the outside world with two layers of protection and host the videos using software I control that requires VPN access to view. I'm sure it's still not foolproof but it's as close as I can get given the cameras that are available at reasonable prices nowadays. I also find it interesting how so many people are ok with ISP provided Eero routers and access points. The contract seems to care about everything but your privacy. Unfortunately, it seems like almost every company is looking to monetize their customers now, and people need to be very proactive about their own data security.

  • Michael Stepniewski

    Need some FOSS firmware to make those devices not bricks for consumers that have already paid for them. I guess a quick way to kill the communication if people are still wanting to use them without losing their privacy is to block with pihole or adguard. Too bad this will be a really slow class action lawsuit and most consumers will just have to toss them.

  • TrollFaceTheMan
    TrollFaceTheMan Month ago

    What you said here about tech companies paying basically nothing for doing illegal things in comparison to money made goes for pretty much all industries sadly.
    Medicines, tech, tools, furniture and so forth...
    They'll not disclose stuff they should... Do illegal data collection... Manufacture known defective parts.... Not honor warranties when they should and so forth...
    And you are absolutely right they make too much profit to care about the consequences so it continues constantly...

  • Christopher-Titus Mark Vanderwall-Brown

    Let us not forget all of those robot vacuums tracking house layouts to send the data upstream to our corporate overlords without our consent. 🤦🏽‍♂️💯

  • MrRez
    MrRez 2 months ago +160

    I was part of that Australian breach and it has been an absolute nightmare. I had to block myself from getting credit, limit my withdrawal limits on all my bank accounts and change personal documents. Oh and every time I make a purchase over a certain amount my bank rings me for authentication.

    • Holgast
      Holgast Month ago

      @C You are reading things I did not say into my message. 'Australian passport breach' implies that everyone with an Australian passport was affected, which is not the case for the Medibank/Optus breaches. I did not say anything relating to my personal opinion on those breaches.

    • C
      C Month ago

      @Holgast "not everyone was a user of either of those services"
      Why would you say that though? Why soften the blow? These jerks stole millions of peoples data, why the instant forgiveness?

    • Holgast
      Holgast Month ago +2

      @Namegoeshere what passport breach? I had never heard of this and there are no search results. Are they thinking of the recent Optus and Medibank breaches, which included personal info including passports? not everyone was a user of either of those services

    • MrRez
      MrRez Month ago +3

      @Namegoeshere well I was talking about the Optus breach which had my passport details as proof of identity. Not only my passport but my bank details, username, phone number.

    • Namegoeshere
      Namegoeshere Month ago +5

      @Mo Moe He's talking about the Australian passport breach. It's mentioned at 4:55 in this video.

  • Tali_the_Dragon
    Tali_the_Dragon Month ago

    thank you for this video, i WAS about to buy a full Eufy camera system. not now

    • Budha75
      Budha75 Month ago

      The video is wrong though. I suggest watching the response from The Hook Up channel.

  • Maciej Cupial
    Maciej Cupial Month ago

    Thank you for this. I'm dropping all of my Anker products and black-listing the company. I also have a Ring doorbell that previous owners left and was planning on setting it up. But I won't. I really hope I won't run out of brands to buy either... but if I do, I'll just stick with my original plan - go live in the woods.

  • Lee Myers
    Lee Myers Month ago

    I am glad that I didn't get Eufy, I had been looking into it but now they have lost my trust.

  • ethzero
    ethzero Month ago +1

    Eufy's motto, "Trust me, bro!"
    I _might_ be getting that confused with some other idiot? 🤔

  • Slavstralian
    Slavstralian 2 months ago +366

    The way large companies are stopped doing this kind of thing, is the punishment needs to be SOOOO damn huge that no company would ever think of being sh*tty to their customers.

    • Ikxi - Forever a Tatsunoko
      Ikxi - Forever a Tatsunoko Month ago

      @Niedas What about all the employees who did nothing wrong and are now losing their jobs?

    • Tom Storey
      Tom Storey Month ago +2

      Good luck enforcing that in China, as much as it sucks to say that.
      Most Western companies probably aren't as bad in comparison, and those are the only ones you would manage to punish.

    • BILL H.
      BILL H. Month ago +1

      Punish the owners, shareholders, management, officers, with jail time as well as money!

    • Dennis Callesen
      Dennis Callesen Month ago

      @BlueFire Animations % of Gross will make itself felt.

    • ville korhonen
      ville korhonen Month ago

      @Adam Flohr That would soon turn into forcing/tricking people into signing contracts which make them responsible for any wrongdoing.
      Our CEO only handles PR and marketing and Billy Bob the janitor is the actual brains in the company, it even says so in his contracts kind of stuff.

  • Chris Schultz
    Chris Schultz Month ago

    There should be pressure on Amazon to stop selling all Anker products...that would be a lot more meaningful than some fine. They cut off Aukey for buying advertising, so do it.

  • fuzzycuffs
    fuzzycuffs Month ago

    "military grade encryption" doesn't specify which military we're talking about. It could very well be the Island of Sodor's coast guard

  • Glen Cote
    Glen Cote Month ago +1

    Anyone have good recommendations for power adapters and cables that aren’t Anker?

  • Ryan Bugarin
    Ryan Bugarin Month ago

    Man this feels bad because I got into eufy because there was no subscription or cloud and Linus thought this was a good product rip

  • The Life of Riley
    The Life of Riley 2 months ago +559

    Facial recognition is illegal in multiple states in the US. There have been multiple class action lawsuits against basically every social media company for this.

    • Misha M
      Misha M Month ago

      Without consent though

    • Fox D
      Fox D Month ago +1

      @MopedMike I have exactly one college class in contract law and even I know that you can't waive your statutory rights in a contract. If the EULA says "you agree to be beaten nearly to death as a condition of use of the Service", that's still assault and battery at minimum and you can recover damages.

    • Wrenchmonkey
      Wrenchmonkey Month ago

      @Gamer 234
      For the same reason that cops are constantly breaking the laws too. What're you gonna do about it?
      The government, of course, makes the laws to benefit themselves, not you.

    • Gamer 234
      Gamer 234 Month ago

      @Wrenchmonkey so why is it illegal for other companies to use when your government literally developed the tech and spied on people without consent too

    • Wrenchmonkey
      Wrenchmonkey Month ago

      @Gamer 234
      So?

  • Alex Imray Papineau

    Could LinusTechTips sue Eufy for associated defamation? Like "Because we were in partnership with you, we now look bad and that's entirely your fault, so you owe our brand damages for looking untrustworthy."

  • Stunlokked
    Stunlokked Month ago

    3:15 ahhh yes I member doing that back in the day except you just put in an IP or something in the address bar. You could even control the camera and watch people freak out

  • AcousticTheory
    AcousticTheory Month ago

    Then there's every Ring and Nest camera product that does all this stuff continuously anyway.

  • Donald Petersen
    Donald Petersen Month ago +1

    Jail. The solution to this is massive jail time.

  • Stitch Finger
    Stitch Finger 2 months ago +162

    I'm sorry to the victims, I'm sorry that a good business relationship is over, I'm sorry we can't trust another brand.
    But holy shit was the 'balls and taint' comment worth it.

    • Rainbow Dash
      Rainbow Dash Month ago

      @MopedMike they lied bruh

    • Donxx120
      Donxx120 Month ago +4

      @MopedMike yeah no they lied that's reason not to trust them

    • MopedMike
      MopedMike Month ago +2

      Wrong, go watch The Hook Up’s video showing how everyone doesn’t know what they are talking about.

  • Tony Lawlor
    Tony Lawlor Month ago

    I'll be impressed when you guys stop using all Apple products and Samsung products for that matter. The conditions of the workers who put these devices together, never mind the deplorable conditions the African workers who mine the raw materials have to endure for a pittance, are deplorable. Let's not pretend this is not going on or we don't know about it so we can all afford these overpriced devices.

  • brightdarkness
    brightdarkness Month ago

    i would argue if you do pay for it , you're still the product

  • Logan McCandless
    Logan McCandless Month ago

    How do you make an example of them?
    No country has laws to cover this level of technical negligence

  • Isaac Cooke
    Isaac Cooke Month ago

    Real danger to them is if any inappropriate video or picture of a minor got taken. Distribution of that kind throws it right into criminal court.

  • Hdhd Hshs cbxhdh
    Hdhd Hshs cbxhdh 2 months ago +7

    Have you looked into the claims yourself? He is reporting that the thumbnails are sent, no video was sent. That is pretty typical for a software platform that syncs with your phone. Otherwise, the phone has to constantly poll the device, draining both batteries. Other camera systems will generally have the same process. If you don't want this, don't sign up for something that syncs with your phone wherever you go. Now I agree not being encrypted is the problem that they should fix, but that is not the same as the main problem that Paul Moore is claiming, that all his data is being sent. He also speculates that the thumbnails are on the server longer without proof (which he can certainly check himself by using the links that he has).
    Lastly, the streams without authentication I believe is referring only to RTSP streams. These are not publicly available links, and are behind the router's firewall. Again, it would be better if they had authentication, but this is pretty typical for IP cameras.

    • DAVINCHE
      DAVINCHE Month ago +2

      @Escape to the Workshop Your test result needs more attention. "Unauthorized access via VLC" was the only contentious point for me. Your testing would indicate that the security measures currently in place are adequate but could be better. Not the "gross negligence" that you see people blindly repeating.

    • Escape to the Workshop
      Escape to the Workshop 2 months ago +7

      I have tested this with my system. I found I could only stream if I had access to the stream token AND the stream had been started using a request containing my auth token/cookie. Once a stream had started, if I stopped it via the Web UI, it sent another request that kills the stream, including the one through VLC. So it would appear that you need both the token (which admittedly does have a rather short random key on it) AND the stream already be activated.
      For the thumbnails, the URLs being used appear to have an auth token of sorts as a query param, which is standard practice for access to private files on AWS S3 and Google cloud storage (I work with AWS S3 and GCP cloud storage on a daily basis). And as far as being available after deletion, if they are hosted on S3, it is possible the responses are cached in an edge node of the CDN for a while.

  • Bluefire Spotcat
    Bluefire Spotcat Month ago

    If anyone had bothered to read the full story, YES, Eufy lied. HOWEVER, this "vulnerability" requires that A) your camera be active (as in actively recording) for someone to view it and B) they'd have to have your camera's serial number (something not trivially guessable by the way) to be able to exploit this. TL;DR yes they lied, no the vulnerability isn't actually that bad. READ THE ARTICLES

  • L-Renaud
    L-Renaud Month ago

    The hysteria is hilarious, people don't really understand how the vulnerability works but they panic.
    I'll scoop a bunch of supplementary eufy's when they slash the price. Absolutely no worries

  • Christley
    Christley Month ago

    Assuming this product is sold in the EU, this is a fat breach of GDPR on so many levels and the fines would be massive.

  • Jonathan A
    Jonathan A Month ago

    This is awful. However, these devices may still have potential. If you put your Eufy devices in an offline network, you could probably use that unencrypted stream in something like Home Assistant.

  • Eldibs
    Eldibs 2 months ago +158

    Saying they're going to delete the pictures after taking them without permission is like someone sneaking into your house to play with your stuff and saying "It's okay, I'm gonna put all your stuff back when I'm done."

    • Rainbow Dash
      Rainbow Dash Month ago +1

      I'm cool if they put it back unbroken

    • Viking Robot
      Viking Robot Month ago

      Or the government deleting background checks after 72 hours for gun purchases…..yeah like we believed that one from the start.
      Listen….if you think there’s a possibility it can spy on you ….it is.

    • Pog Tuber
      Pog Tuber Month ago

      That's fine with me if a random intruder wants to put away all my kid's toys while I'm sleeping

  • Yovecx
    Yovecx Month ago +1

    So should I return my chargers/sell my chargers? I have 1 pair of cables 2 chargers and a bank.

  • MARzero1
    MARzero1 Month ago

    so is this about the uploading the images or about the lying. I always assumed other companies did the same stuff.

  • Ayumu Aikawa
    Ayumu Aikawa Month ago

    Webcam + Raspberry Pi for the win! At least you know what's running..... Tbh most companies are lacking on the security side of things, did you know that your PSN password was stored in plain text in your PS Vita? So yeah, even Sony isn't clean on that (but at least I guess it's better than a camera that flag in your face in a DB)

  • K
    K Month ago

    I wonder if there is any legal action that will be taken against them.

  • Mike Allberry
    Mike Allberry 2 months ago +87

    Doing a teardown of the scales wouldn't be a bad idea
    Also, this really is frustrating as I went for my Eufy set up because I saw no other option for my needs, luckily it's all outside the house, but still. Breach of trust on a massive scale.
    Pun not intended.

    • Mike Allberry
      Mike Allberry Month ago

      @MrZilla500 same

    • MrZilla500
      MrZilla500 Month ago

      Yeah I have a bunch of their outdoor cameras and nothing setup to cloud save....still... who knows

    • David Jeffers
      David Jeffers Month ago +2

      You may want to look a little further because further coverage from The Hook Up has shown a slightly different angle of this that makes it seem like Linus may have unintentionally exaggerated the issue of it

  • J D
    J D Month ago

    Can we PLEASE get that discussion question on a tshirt on lttstore?? 🤣🤣

  • Joshua Most
    Joshua Most Month ago

    Wow, I hate this. I loved Anker. Screw them now!

  • C Dubs
    C Dubs Month ago +1

    To be fair, I’m not buying any of Anker’s intelligent products. But they still have some of the best charger products..

  • xthetenth
    xthetenth 2 months ago +172

    Wow, Anker subsidiary? My reaction to this is similar to yours. I've bought their stuff preferentially because it's genuinely good, but there's no way I'm supporting that.

    • DAVINCHE
      DAVINCHE Month ago +2

      LTT is so blatantly wrong here. He even said it in the clip that the media is used for push notification, so I'm not sure why he's fanning this non-existent fire. If you don't want ANY data at all uploaded to the cloud, then turn off push notifications and facial recognition. Some people like seeing who's at their door in the push notification. And for that to happen, the image needs to be stored on a publicly accessible server. What Eufy is likely doing is that images are automatically deleted based on a retention policy - eg: a rule that deletes images older than 1 day.

  • Michael Angelo
    Michael Angelo Month ago

    That really sucks since I think Anker powerbanks and charging products are the best in the market :(

  • exciting-burp
    exciting-burp Month ago

    The usual Linus Dunning-Kruger spectacle. This all has nothing to do with the web interface, and everything to do with mobile notifications. Eufy has a pretty reasonable solution. The face identifiers are used if you turn on the facial recognition feature... so that you see a name in the mobile notification. Did the security researcher check that different accounts yield the same face identifier? No, he wanted his 15min of fame.
    They definitely should not have claimed "No Cloud," though. They should definitely also warn the user that temporary storage on internet-facing servers is required for some features.

  • Luckybudda89
    Luckybudda89 Month ago

    Thoroughly disappointed in Anker for allowing this, possibly even pushing this. Completely unacceptable. As hard as it is for me to say, part of me doesn't want to purchase ANY Anker products anymore...