The "S" in IOT stands for security. IMO the only safe way to have IOT devices is to have them sequestered on a separate network without internet access, then use something like HomeAssistant as a sole point of data ingress/egress
They didn't just omit any form of security, they even upload data when you explicitly told them not to. This is what companies mean when they say "We are very committed to our customer's privacy!" - without independent reviews, that's meaningless.
Wow I am glad I never worked with these folks, they must have offered me 5 sponsorships. I didn't really care for the product but I could not have predicted this!
Damn. I would say hopefully they can turn this around, because the products themselves looked great, no subscription fees and local storage of files. I don't think this is something that can be recovered from, though. It's hard to trust after this kind of mistake.
@Nick Ryan I think Stuxnet illustrated how _any_ trusted-but-unverified IC is a potential threat vector. You design the chip in VHDL or Verilog, then the fab sends back a chip. It's like an insecure compiler vulnerability. How do you know that the mass-produced chip faithfully implements your design and doesn't have a few undocumented "glitches" placed by some country's three-letter agency or a snooping corporation? Yeah, for some chips I can't immediately think of a way it could be abused, but history has proven that there are some very clever and creative ways to exploit seemingly-secure systems.
@NMSLese CNMBese What an insightful response. If you can borrow a brain cell from someone try reading what I wrote before dribbling out something like this.
When I bought their video doorbell and learned that even though it stores content locally you still needed an internet connection to access the device I was disappointed. This news explains why. I don't know what's so damn hard about this. I don't need any internet bullshit on a video doorbell. All the services any vendor could provide and potentially charge me for, I can provide for myself. We're going to have to roll our own video doorbell with some SBC aren't we? There just aren't any companies out there who want to make a good standalone product that isn't also trying to collect and sell your data.
Instead of fines, a court could just pull the company's charter. This is effectively capital punishment for corporations. Perhaps drastic for violations of privacy, but for cases where there has been loss of life, it should be done. It is a remedy on the books but almost never, ever used, and it should be.
I feel like what Luke said at the end there really echoes well with the experience of many other techies, i.e. viewers of this channel. Most average people simply lack the most basic awareness of privacy when it comes to internet-connected sensors in their lives. I've had to explain multiple times to my immediate family, "NO. We are NOT going to have this smart speaker with this always-on microphone in our house. The only place it belongs is the rubbish bin outside."
6:33 I beg of everyone at LTT/LMG to be lenient on the employee who asked "If Eufy smart scale is sending pictures of my balls and taint, is that a bad thing?" That was the best laugh I have had in days and was actually vaguely on topic.
Assume everything you do online is known regardless of claimed encryption. This includes IOT. Users, in general, don’t have time or skill sets to be constantly monitoring the gadgets. Keep that in mind when placing tech, any tech, about your home, work, anywhere.
This is why I'm building my own off-line security system. I refuse to touch anything that connects to a company's server for my security/personal/private data/info.
Eufy never should have advertised it as "no clouds", as that is not true. But this really isn't surprising and is probably the same way Ring and others handle rich notifications (using CDN). Obviously you aren't directly connecting to the doorbell or homebase when outside of your home, as you didn't have to do any sort of port forwarding in your router to make it work outside your LAN. The big issue that was glossed over on this video is the accusation that actual video can be streamed without authentication/encryption. Anyone have any actual evidence or PoC of this?
Damn it I have all Eufy security cameras and sensors throughout my home. I normally shy away from Chinese products but they were actually really good products. But when you think about it, the way the Chinese government subsidizes a lot of their industries like solar panels they are 100% probably subsidizing a product like Anker to gain competitive advantages in order to exploit an industry like this. God I was so dumb when I bought this product. 😰 I'm hesitant to even try to sell it as it will just be hurting someone else.
@K.G. B WW2 was filled with crappy equipment. They used to make peasants reforge farming tools. It's always been a thing. Wars are fought for money, so why would the grubbers spend a cent more than they need to?
I had a Eufy door bell camera in and out of my Amazon cart / wish list for the last 5 months. I just left Amazon and kicked it from my Amazon wish list. I'm done with the company too.
Sometimes I feel like I might be a little paranoid for being so ardent in my refusal to get a Ring doorbell or an Alexa setup, and then videos like this pop up and I feel vindicated. There's another video I saw a while ago of some white hat content creator hacking into some guy's Alexa system because of a vulnerability with the way it handles IP connections over wifi and taking over its speakers to tell him what he did and how to fix it. That's my nightmare, that my computer is gonna do that one day.
Good luck guys in guessing all the IDs stored in the link to the photos... including time of event :) without inside access. All that is just so funny to hear ;) Looks like somebody didn't look closer at how the link is created and stored and for how long. And how the push notifications work. I would stay with Eufy... and recommend this - the best option on the market with the best local storage solution. And still safe. You guys can jump to Yi or another Chinese brand - no problem... or create your own cameras which would work in LAN.... but no photo push notifications unfortunately.
You guys could start doing security checks on consumer products like this. For example, can you verify that the mute button on an Amazon Echo genuinely makes it impossible for the device to hear you?
Damn it! I love my Eufy cams! I don't have the doorbell but have a few other outdoor ones. Not that it's a huge deal if somebody is able to see my dog using the bathroom in the backyard and my cars sitting in the driveway, but the fact nobody else ever should have seen any of it is awful.
Out of every company I've seen, Anker is the only one I've (cautiously) had brand loyalty to and felt like I could trust, and this is coming from someone who believes that no one should have any brand loyalty. Nice reminder that even seemingly great companies in terms of trustworthiness and transparency of products (specs of products being accurate (especially battery life), quality products, good customer support, etc.) can still do shitty things. EDIT: Situation is likely more complex than it initially seemed (as most things probably are). It's worth checking out the video from The Hook Up (thank you David Jeffers), The Verge's "Anker's Eufy lied to us about the security of its security cameras", and Ars Technica's "Eufy's 'local storage' cameras can be streamed from anywhere, unencrypted". Definitely worth following the situation before making any final judgments.
@SHR Modding It depends on the specific license, but overall you can't just copy someone else's code with no attribution or remove license info relating to the original creator. Anker at the moment is refusing to provide their source code despite admitting to using Cura engine (AGPL), MeshLab and VCGlib.
@iDoujin Well, I wonder if that is actually the case or not! I am sure there are ways to ‘re-route’ data through a charger and then upload it to their cloud, while you are connected. Or if you use one of their dongles with Ethernet… And I have both!
I had a gut feeling the Eufy doorbell cameras did something like this; the claim of no cloud is just too convenient to be true when it was almost certainly always a bolt-on to the original design. And I doubted they'd have ever bothered to make some port forwarding or broker mechanism for people to connect back directly to their cameras or Homebase for things like stored thumbnails, because it would have made it onerous to maintain two mechanisms. The rest is just pisspoor summer intern coding. None of it is forgivable. I also noticed on my Eufy pan-tilt camera that similar things were happening, and I was also able to start an HLS stream direct from the camera by URL, but anticipated that stupid stuff like this would always be possible. It's sad that I still expect this to be the norm with these lower priced consumer commodity products. Lazy, inadequate security and platform design undermines otherwise good products. Good on LTT for publicly dropping them.
Time to start a new era of LTT where you take apart everything to check if there's malicious hardware/software. You're welcome for the best idea of 2022. lol I hope.
@Alias Anybody I'm reading your comment while I've got three Anker cables plugged into my outlets. So yeah, it does totally leave a sour taste regardless of if someone's been directly affected or not. Shit like brand boycotting needs to really ramp up. Companies have gone off the rails and think they can get away with anything. A sharp dip to profits should bring them back to sanity.
@Robert Andersson which device description are you quoting "local storage only" from? I have not seen that on their product descriptions; they advertise local storage as a feature (and it truly is local storage, as the videos remain on device). If you set it up to notify you and sync data to the phone, it's generally necessary to have the device push certain data to the cloud.
So what companies would you recommend as an alternative to Anker? It's a real shame to lose out on their products as they've had a reputation for making good kit (cables/chargers).
In Illinois (USA) running facial recognition/tagging without consent is illegal. IL Facebook users were awarded $400 for non-disclosed facial recognition. Sounds like Eufy didn't disclose and will likely get class action lawsuits from IL and similar states.
I feel like this is something for LTT Labs to look into on "smart devices": are they as secure as claimed, and are they doing detectable nefarious things that go against how they were marketed? This could get very interesting VERY fast.
@Jendrej Sadly I haven't watched it in weeks. If I remember rightly they were joking about the company, and I think to me they were joking too much. Like trying to say, "yeah they paid us to promote them, lol." At least that was the vibe I got.
"Why we're dropping this sponsor" that means they got paid for promoting it before right? If someone bought it due to these guys, and they joke about it!!
I changed from Arlo to Eufy. In 2019, Arlo pushed a firmware update to my cameras that killed motion detection. You could run past jumping and waving and it would not see you. With Eufy, they sent me the completely wrong system. They told me I had to return the system, wait for a refund, and then buy it again. The only bypass to this is an RMA, which I did request, and I provided several videos of proof showing all cameras having outright broken audio. Needless to say, they outright refused to RMA. Their 2C Pro camera looks super shitty [mainly frame fuzz] but does pick up 98%+ of motion so far. 16GB of video storage somehow only comes out to 12GB. To top things off, I was just [as of typing] logged out of my account and my password no longer works. If this had happened several months ago, I would just return it and install CCTV and deal with all that trouble over all this BS.
If you want more than the surface level anger of "trust me bro" Linus, check out The Hook Up on this topic. He goes into detail on what's actually going on, and why Linus' outrage is based on a shallow understanding of the issue. Also, Eufy DID fuck up in the past (they jumbled the device sharing so people could see random strangers' devices in their list). But again, Linus completely misses that literally all other devices that support rich notifications do the same thing with regards to uploading thumbnails. EDIT: To be clear, claiming to be local-only and then uploading stuff to the cloud is no bueno. However, the issue here is the uploading itself (or the promise not to), not how they do it. So if you go "lol they upload thumbnails to a public S3 bucket" then congrats, you missed the point.
Suggestion: Find someone whose privacy has been violated by one of these devices. That could entail something as simple as photographing a person in a two-party consent state. For the vacuum with a camera, possibly any photo of a child, especially its face, might suffice. Next, take it to court (Federal, if feasible) and ask for an immediate injunction. IANAL, but I bet there would be lawyers salivating over the possibilities.
I have a Eufy video doorbell, and am not all that concerned that the Chinese government knows when the mailman delivers a package to my front door. Now if I had their security cameras inside my house, that might be another matter, but here we are talking about stuff anyone driving by on the street could see.
I bought an older model because of the HomeKit integration. Never once configured it to use their service. I guess now I need to break out the packet sniffer.
Do y'all remember that scene in Silicon Valley where Dinesh forgot to update the TOS and caused the company to suffer billions of dollars in COPPA violations? I'm pretty sure they just did that for real. Every house that has a camera in an area where children dress/undress probably uploaded some stuff, too. They are so fucked.
As a software dev, I question if this is even a "breach", as nothing was breached; they just ignored security entirely. It's something worse. Edit: Apparently there basically was an auth token embedded in the URL, so it was secured. So it's actually not a breach at all.
Yeah, legally speaking, if I were to spy on your intimate moments, I could literally claim "but I didn't bypass any authentication" and get off scot-free.
You need to go back to school. The researcher created a breach by finding the embedded token and viewing the content. They didn't have logging or any oversight, so there is zero chance they could prove they weren't additionally compromised. As is standard practice in the security industry this would be treated as a breach, and specifically has been at all major Fortune 500s, and is in part why AWS forced by default that all S3 buckets be encrypted and password protected. It's devs that broke this because product made them move quickly without consulting appropriate experts.
@David Jeffers yes, absolutely. GDPR is pretty strict. Having possession of data against what you say you'll do, even 'accidentally' is a breach of the law that carries hefty fines. Just like a release of personal information, even because someone hacks you, is a breach of the law. If you can't keep data secure, the law says, then you *must* not attempt to store it. GDPR is also codified from the position that a person's data is always not stored by default, and you *must* be clear if you're going to store it for any reason. And by clear I mean not in small print. Every time data is kept the data storer must ask the person if they want it stored, with the assumption being that they won't. You're not even allowed opt-out marketing emails now, the customer must always have to opt-in. Some companies skirt this pretty close, but that's what the law says. Sometimes that means the warning must be there in bold sight saying "by using this service [certain data] must be recorded" but again, not in small print. It must be front and centre. GDPR also goes to great pains to distinguish a higher level of security and penalty for any information that is 'sensitive' (the definition of which is long-winded, but akin to the old data protection rules about 'personal') and any data that can identify the user. There's again caveats about law enforcement, but that's pretty clear stuff. Breaches of GDPR come with a maximum fine of €18 EUR or 4% *global* turnover.
@David Gardiner Is it though? Based on the way the hookup describes the more nitty gritty parts of the situation, that doesn't seem to be true. It seems like this was simply an issue of marketing over promising. Which is still to be fair, a bad thing, but these products are still leaps and bounds better than the alternatives that are cloud dependent. This isn't cloud dependent, there are just some specific features that do rely on the cloud, like rich notifications while you're away from home.
I've always had a gut feeling about this company doing shady things. Never trusted them. All my video is outside the house. Never inside for this reason.
Well I pretty much default to Anker for batteries and such and was just looking at their battery and solar bundle for when we get small blackouts. Guess I'll be looking elsewhere now. I don't bail on a good brand lightly either, this is a huge mishandling on every level.
I don't know if lawsuits really are the solution. I mean, it's GREAT if they work and the fine is meaningful... but it's all very retroactive, and affects the minority of companies who have a big leak. In practice, that leaves behind many companies with the same vulnerabilities who just happen to have not been hit with a scandal yet. It's a place for security legislation, and governments need to start taking it seriously and implementing and enforcing standards. The EU privacy laws for instance are a start. That's the kind of thing that ACTUALLY starts pushing a change in the industry.
That's a shame. I have owned tons of different Anker products at this point and I haven't been disappointed by a single one... but, this... there is no conceivable way they didn't know this kind of procedure and handling of some of the most sensitive user data possible was completely unethical, likely illegal, fraudulent, and a complete breach of trust. I guess they just thought screw it, nobody will find out.
@Lightevilaster yeah for storage. The big draw was that you could slap in a huge memory card and record years worth of alerts without paying cloud storage fees like you would with Ring or Arlo. No reasonable person would ever expect that nothing at all is being sent to the mothership when the entire product is an internet-connected device.
@Lightevilaster How is it pure malice? One of their main features is their prompt notifications and AI face detection. Those are the reasons people buy their products. Did people think that face detection was running on a $30 camera? really?
I'm honestly curious. I purposely bought these, because I originally went Wyze and had a similar issue. Thought I'd actually buck up and get something secure that was local, as we use these in our kids' rooms as well. Now I have to replace everything, at a larger cost incurred by me, with zero recourse, and the worst part is, now I have to worry about what's out there with my kids on it?? And not going to lie Linus, the part where you guys snicker about it, this isn't funny. Nothing about this is funny. You kinda pissed me off how tongue in cheek you handled this (more so Luke snickering every other comment). This company needs to burn.
@ln+3rna1hàbän3r0s "Dear slaves, how do we stop your slave masters from doing horrible things?" "Idk, we're literally slaves we have slaving to do that's all we're taught to do from the get go bro"
@Beregorn88 Meh, fuck it, just get them all then. If you partake you're responsible. Seems easy enough. Instead of asking anyone here to figure out the fine details, let them figure it out themselves later. Until then, if you took part, you go down with the rest.
@CasualCoreK Why would they ever make laws that could punish those who fund basically everything for them? It's really just one big loop. It protects itself.
@Corey Rogers I've heard this many times, however I've never seen a corporation go to prison. It seems like a convenient lie to protect actual people from the consequences of their actions.
Thought LMG was different....nope, just automatically jumps on the bandwagon. Maybe you should take a look at it yourselves and find out what is going on and then give your take on the issue. I am not a user of Eufy, but LMG's take on this product without its own review is just one more reason to stop trusting what comes out of LMG, and I find fewer reasons to watch their channels. A huge company who has a blowhard as the CEO who makes decisions about not working with a sponsor based on another clip-sharer at the drop of a hat.
Holy wow, that's like the holy grail of fuck-ups. An unsecured -two-way- connection (it sends data _and_ you can watch with even just vlc) that allows full access to a live video feed could really only be topped if the things were built so shoddily that they'd allow somebody to compromise your entire network (and nobody's yet said that _isn't_ the case). Hats off, pulling something so stupid off requires knowledge, skill, and determination… to do the wrong thing. Edit: it's probably not two-way, I misheard "VLC" for "VNC" and assumed there's data going _into_ the device, not just coming out of it.
@facey Kad Their response is not one of a company who is going to fix the problem. They also either very well knew the issue or are wildly incompetent not to have. Yet they still advertised it the way they did, which is fraudulent.
I'm not surprised by this; all of the Chinese cameras I have are constantly trying to send information to their home servers. Some made me install literal spyware to access the web UI (I set it up via VM). I block all communication to the outside world with two layers of protection and host the videos using software I control that requires VPN access to view. I'm sure it's still not foolproof, but it's as close as I can get given the cameras that are available at reasonable prices nowadays. I also find it interesting how so many people are ok with ISP provided Eero routers and access points. The contract seems to care about everything but your privacy. Unfortunately, it seems like almost every company is looking to monetize their customers now, and people need to be very proactive about their own data security.
Need some FOSS firmware to make those devices not bricks for consumers that have already paid for them. I guess a quick way to kill the communication if people are still wanting to use them without losing their privacy is to block with pihole or adguard. Too bad this will be a really slow class action lawsuit and most consumers will just have to toss them.
What you said here about tech companies paying basically nothing for doing illegal things in comparison to money made goes for pretty much all industries sadly. Medicines, tech, tools, furniture and so forth... They'll not disclose stuff they should... Do illegal data collection... Manufacturers know of defective parts.... Not honor warranties when they should and so forth... And you are absolutely right, they make too much profit to care about the consequences, so it continues constantly...
I was part of that Australian breach and it has been an absolute nightmare. I had to block myself from getting credit, limit my withdrawal limits on all my bank accounts and change personal documents. Oh, and every time I make a purchase over a certain amount my bank rings me for authentication.
@C You are reading things I did not say into my message. 'Australian passport breach' implies that everyone with an Australian passport was affected, which is not the case for the Medibank/Optus breaches. I did not say anything relating to my personal opinion on those breaches.
@Holgast "not everyone was a user of either of those services" Why would you say that though? Why soften the blow? These jerks stole millions of peoples data, why the instant forgiveness?
@Namegoeshere what passport breach? I had never heard of this and there are no search results. Are they thinking of the recent Optus and Medibank breaches, which included personal info including passports? not everyone was a user of either of those services
@Namegoeshere well I was talking about the Optus breach which had my passport details as proof of identity. Not only my passport but my bank details, username, phone number.
Thank you for this. I'm dropping all of my Anker products and black-listing the company. I also have a Ring doorbell that previous owners left and was planning on setting it up. But I won't. I really hope I won't run out of brands to buy either... but if I do, I'll just stick with my original plan - go live in the woods.
The way large companies are stopped from doing this kind of thing is the punishment needs to be SOOOO damn huge that no company would ever think of being sh*tty to their customers.
Good luck enforcing that in China, as much as it sucks to say that. Most Western companies probably aren't as bad in comparison, and those are the only ones you would manage to punish.
@Adam Flohr That would soon turn into forcing/tricking people into signing contracts which make them responsible for any wrongdoing. Our CEO only handles PR and marketing and Billy Bob the janitor is the actual brains in the company, it even says so in his contract kind of stuff.
there should be pressure on amazon to stop selling all anker products...that would be a lot more meaningful than some fine. They cut off Aukey for buying advertising, so do it.
Facial recognition is illegal in multiple states in the US. There have been multiple class action lawsuits against basically every social media company for this.
@MopedMike I have exactly one college class in contract law and even I know that you can't waive your statutory rights in a contract. If the EULA says "you agree to be beaten nearly to death as a condition of use of the Service", that's still assault and battery at minimum and you can recover damages.
@Gamer 234 For the same reason that cops are constantly breaking the laws too. What're you gonna do about it? The government, of course, makes the laws to benefit themselves, not you.
@Wrenchmonkey so why is it illegal for other companies to use when your government literally developed the tech And spied on people without consent too
Could LinusTechTips sue Eufy for associated defamation? Like "Because we were in partnership with you, we now look bad and that's entirely your fault, so you owe our brand damages for looking untrustworthy."
3:15 ahhh yes I member doing that back in the day, except you just put in an IP or something in the address bar. You could even control the camera and watch people freak out.
I'm sorry to the victims, I'm sorry that a good business relationship is over, I'm sorry we can't trust another brand. But holy shit was the 'balls and taint' comment worth it.
I'll be impressed when you guys stop using all Apple products and Samsung products for that matter. The conditions of the workers who put these devices together, never mind the deplorable conditions the African workers who mine the raw materials have to endure for a pittance, are deplorable. Let's not pretend this is not going on or we don't know about it so we can all afford these overpriced devices.
Have you looked into the claims yourself? He is reporting that the thumbnails are sent; no video was sent. That is pretty typical for a software platform that syncs with your phone. Otherwise, the phone has to constantly poll the device, draining both batteries. Other camera systems will generally have the same process. If you don't want this, don't sign up for something that syncs with your phone wherever you go. Now I agree not being encrypted is a problem that they should fix, but that is not the same as the main problem that Paul Moore is claiming, that all his data is being sent. He also speculates that the thumbnails are on the server longer without proof (which he can certainly check himself by using the links that he has). Lastly, the streams without authentication I believe are referring only to RTSP streams. These are not publicly available links, and are behind the router's firewall. Again, it would be better if they had authentication, but this is pretty typical for IP cameras.
@Escape to the Workshop Your test result needs more attention. "Unauthorized access via VLC" was the only contentious point for me. Your testing would indicate that the security measures currently in place are adequate but could be better. Not the "gross negligence" that you see people blindly repeating.
I have tested this with my system. I found I could only stream if I had access to the stream token AND the stream had been started using a request containing my auth token/cookie. Once a stream had started, if I stopped it via the Web UI, it sent another request that kills the stream, including the one through VLC. So it would appear that you need both the token (which admittedly does have a rather short random key on it) AND the stream already be activated. For the thumbnails, the URLs being used appear to have an auth token of sorts as a query param, which is standard practice for access to private files on AWS S3 and Google cloud storage (I work with AWS S3 and GCP cloud storage on a daily basis). And as far as being available after deletion, if they are hosted on S3, it is possible the responses are cached in an edge node of the CDN for a while.
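The pattern the commenter above describes for the thumbnails, an auth token carried as a query parameter on a private object URL, is the signed-URL (or "pre-signed URL") mechanism. The following is an added illustration of that mechanism, written for this thread and not taken from Eufy, AWS or Google; it makes no claim about how the real URLs in this story are built or how long their tokens are. The hostname, the object path and the signing key are constructed for the example. The verifier enforces an expiry and compares the signature in constant time, which are the two properties a defender should check for when auditing this kind of URL.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side signing key. Constructed here for the example; a real
# deployment keeps this in a secrets manager, never in the client app.
EXAMPLE_KEY = secrets.token_bytes(32)


def _signature(path: str, expires_at: int, key: bytes) -> str:
    """HMAC-SHA256 over the object path and expiry, URL-safe base64 encoded."""
    msg = f"{path}\n{expires_at}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(base: str, path: str, expires_at: int, key: bytes = EXAMPLE_KEY) -> str:
    """Issue a time-limited URL for one private object.

    Whoever holds the returned URL can fetch the object until `expires_at`
    (a Unix timestamp): the URL is a bearer credential, so keep the TTL short.
    """
    query = urlencode({"expires": expires_at, "sig": _signature(path, expires_at, key)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now: int, key: bytes = EXAMPLE_KEY) -> tuple[bool, str]:
    """Decide whether a presented URL grants access at time `now`.

    Returns (ok, reason). Both the path and the expiry are covered by the
    signature, so neither can be altered without invalidating it.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["expires"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed parameters"

    # Check expiry before doing any crypto so expired links fail fast.
    if now >= expires_at:
        return False, "expired"

    expected = _signature(parsed.path, expires_at, key)
    # compare_digest avoids leaking the signature through timing differences.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a thumbnail for one camera event, valid for 60 s.
    issued_at = 1_700_000_000
    url = sign_url("https://cdn.example.invalid", "/thumbs/cam1/evt42.jpg", issued_at + 60)
    print(url)
    print(verify_url(url, issued_at))                               # (True, 'ok')
    print(verify_url(url, issued_at + 60))                          # (False, 'expired')
    print(verify_url(url.replace("evt42", "evt43"), issued_at))     # (False, 'bad signature')
```

Two points this makes concrete for the discussion above. First, a signed URL authenticates the link, not the person: anyone who obtains the URL (from a log, a notification payload, a shared screenshot) can use it until it expires, so the expiry window and the entropy of the token are the whole story, and a "rather short random key" is a real weakness rather than a cosmetic one. Second, the verifier only governs the origin; a CDN edge that has already cached the object may keep serving it past both the expiry and a deletion at the origin unless the cache is purged, which matches the commenter's observation about content surviving deletion.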
If anyone had bothered to read the full story, YES, Eufy lied. HOWEVER, this "vulnerability" requires that A) your camera be active (as in actively recording) for someone to view it and B) they'd have to have your camera's serial number (something not trivially guessable by the way) to be able to exploit this. TL;DR yes they lied, no the vulnerability isn't actually that bad. READ THE ARTICLES
The hysteria is hilarious, people don't really understand how the vulnerability works but they panic. I'll scoop a bunch of supplementary eufy's when they slash the price. Absolutely no worries
This is awful. However, these devices may still have potential. If you put your Eufy devices in an offline network, you could probably use that unencrypted stream in something like Home Assistant.
Saying they're going to delete the pictures after taking them without permission is like someone sneaking into your house to play with your stuff and saying "It's okay, I'm gonna put all your stuff back when I'm done."
Or the government deleting background checks after 72 hours for gun purchases…..yeah like we believed that one from the start. Listen….if you think there’s a possibility it can spy on you ….it is.
Webcam + Raspberry Pi for the win! At least you know what's running..... Tbh most companies are lacking on the security side of things; did you know that your PSN password was stored in plain text in your PS Vita? So yeah, even Sony isn't clean on that (but at least I guess it's better than a camera that flags your face in a DB).
Doing a teardown of the scales wouldn't be a bad idea. Also, this really is frustrating, as I went for my Eufy set up because I saw no other option for my needs. Luckily it's all outside the house, but still. Breach of trust on a massive scale. Pun not intended.
You may want to look a little further because further coverage from The Hook Up has shown a slightly different angle of this that makes it seem like Linus may have unintentionally exaggerated the issue of it
Wow, Anker subsidiary? My reaction to this is similar to yours. I've bought their stuff preferentially because it's genuinely good, but there's no way I'm supporting that.
LTT is so blatantly wrong here. He even said it in the clip that the media is used for push notification, so I'm not sure why he's fanning this non-existent fire. If you don't want ANY data at all uploaded to the cloud, then turn off push notifications and facial recognition. Some people like seeing who's at their door in the push notification. And for that to happen, the image needs to be stored on a publicly accessible server. What Eufy is likely doing is that images are automatically deleted based on a retention policy - eg: a rule that deletes images older than 1 day.
The usual Linus Dunning-Kruger spectacle. This all has nothing to do with the web interface, and everything to do with mobile notifications. Eufy has a pretty reasonable solution. The face identifiers are used if you turn on the facial recognition feature... so that you see a name in the mobile notification. Did the security researcher check that different accounts yield the same face identifier? No, he wanted his 15min of fame. They definitely should not have claimed "No Cloud," though. They should definitely also warn the user that temporary storage on internet-facing servers is required for some features.
Thoroughly disappointed in Anker for allowing this, possibly even pushing this. Completely unacceptable. As hard as it is for me to say, part of me doesn't want to purchase ANY Anker products anymore...
If ever you feel completely worthless, then just know that you're not a cyber security consultant working at Eufy.
Legit lol
SAVAGE
Check out this response: clip-share.net/video/a_rAXF_btvE/video.html
Instead of fines, a court could just pull the companies charter. This is effectively capital punishment for corporations. Perhaps drastic for violations of privacy, but for cases where there have been loss of life, it should be done. It is a remedy on the books but almost never, ever used, and it should be.
I feel like what Luke said at the end there really echoes well with the experience of many other techies, i.e. viewers of this channel. Most average people simply lack the most basic awareness of privacy when it comes to internet-connected sensors in their lives. I've had to explain multiple times to my immediate family, "NO. We are NOT going to have this smart speaker with this always-on microphone in our house. The only place it belongs is the rubbish bin outside."
I hope and pray that there is a class action lawsuit for this with substantial ramifications.
6:33 I beg of everyone at LTT/LMG to be lenient on the employee who asked "If Eufy smart scale is sending pictures of my balls and taint, is that a bad thing?" That was the best laugh I have had in days and was actually vaguely on topic.
I do own a Eufy smart scale and was wondering the same!
I wonder what kind of balls recognition software they have over there. Can they balls id you?
Writers asking the real questions. Are they collecting pic of the ol fruit basket and roast beef?
@Bogdan Zadorozhny Felt like Riley or Alex with an edge case of Anthony. Dennis doesn't usually have topics, it's more the writers' jobs.
Dennis?
Assume everything you do online is known regardless of claimed encryption. This includes IOT. Users, in general, don’t have time or skill sets to be constantly monitoring the gadgets. Keep that in mind when placing tech, any tech, about your home, work, anywhere.
This is why I'm building my own off-line security system, I refuse to touch anything that connects to a companies server for my security/personal/private data/info
Wow, and I had actually been thinking about replacing all my Ring cameras with Eufy cameras when the time came to upgrade. No chance now!
Eufy never should have advertised it as "no clouds", as that is not true. But this really isn't surprising and is probably the same way Ring and others handle rich notifications (using CDN). Obviously you aren't directly connecting to the doorbell or homebase when outside of your home, as you didn't have to do any sort of port forwarding in your router to make it work outside your LAN. The big issue that was glossed over on this video is the accusation that actual video can be streamed without authentication/encryption. Anyone have any actual evidence or PoC of this?
Damn it I have all Eufy security cameras and sensors throughout my home. I normally shy away from Chinese products but they were actually really good products. But when you think about it, the way the Chinese government subsidizes a lot of their industries like solar panels they are 100% probably subsidizing a product like Anker to gain competitive advantages in order to exploit an industry like this. God I was so dumb when I bought this product. 😰 I'm hesitant to even try to sell it as it will just be hurting someone else.
If the CCP wanted to build an extensive facial recognition database of their adversary (Americans) this would be one great way to do it!
Eufy was the brand that I was pretty much settled on.
Perhaps do an evaluation of all the video doorbell brands and make recommendations?
As a mate in the military said "If it says military grade, don't buy it, our own equipment is cheap"
tHanK yOu FoR yoUr sErVicE
Yeah, that makes absolutely no sense.
Military grade = lowest bidder
@K.G. B WW2 was filled with crappy equipment. They used to make peasants reforge farming tools. It's always been a thing. Wars are fought for money so why would the grubbers spend a cent more than they need to.
@Daniel Gonzales always has been
I had a Eufy door bell camera in and out of my Amazon cart / wish list for the last 5 months. I just left Amazon and kicked it from my Amazon wish list. I'm done with the company too.
There are many more backdoors like this that are going unnoticed. Hope more attention is given on this and people start researching.
Sometimes I feel like I might be a little paranoid for being so ardent in my refusal to get a Ring doorbell or an Alexa setup, and then videos like this pop up and I feel vindicated.
There's another video I saw a while ago of some white hat content creator hacking into some guy's Alexa system because of a vulnerability with the way it handles IP connections over wifi and taking over its speakers to tell him what he did and how to fix it. That's my nightmare, that my computer is gonna do that one day.
At least if there is a camera on the scale, it means there are a lot of other backdoors getting noticed.
@Al van der Laan missing the point, expensive tech does this too, they're just better at hiding it
People do not care, they want the cheapest and complain only after the fact. People will never research, too much work man, I need the shiny.
If the Snowden leak didn't do anything nothing will
Good luck guys in guessing all the IDs stored in the link to the photos... including time of event :) without inside access. All that is just so funny to hear ;) Looks like somebody didn't look closer at how the link is created and stored and for how long. And how the push notifications work. I would stay with Eufy... and recommend this - the best option on the market with the best local storage solution. And still safe. You can guys jump to Yi or other Chinese brand - no problem... or create your own cameras which would work in LAN.... but no photo push notifications unfortunately.
You guys could start doing security checks on consumer products like this. For example, can you verify that the mute button on an Amazon Echo genuinely makes it impossible for the device to hear you?
Damn it! I love my Eufy cams! I don't have the doorbell but have a few other outdoor ones. Not that it's a huge deal if somebody is able to see my dog using the bathroom in the backyard and my cars sitting in the driveway, but the fact nobody else ever should have seen any of it is awful.
I'm glad I never actually got around to reviewing their doorbell. Sheesh! There's a reason why something is cheap
Out of every company I've seen, Anker is the only one I've (cautiously) had brand loyalty too and felt like I could trust, and this is coming from someone who believes that no one should have any brand loyalty. Nice reminder that even seemingly great companies in terms of trustworthiness and transparency of products (specs of products being accurate (especially battery life), quality products, good customer support, etc.) can still do shitty things.
EDIT: Situation is likely more complex than it initially seemed (as most things probably are). It's worth checking out the video from The Hook Up (thank you David Jeffers), The Verge's "Anker’s Eufy lied to us about the security of its security cameras", and Ars Technica's "Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted". Definitely worth following the situation before making any final judgments.
@SHR Modding It depends on the specific license, but overall you can't just copy someone else's code with no attribution or remove license info relating to the original creator. Anker at the moment is refusing to provide their source code despite admitting to using CuraEngine (AGPL), MeshLab and VCGlib.
@Look ItsRain I probably should. How do they work?
@SHR Modding You should probably learn how open source licenses work
@Look ItsRain how can open source code be stolen? I mean, it's in the name no?
@iDoujin Well, I wonder if that is actually the case or not! I am sure there are ways to ‘re-route’ data through a charger and then upload it to their cloud, while you are connected. Or if you use one of their dongles with Ethernet… And I have both!
I had a gut feeling the Eufy doorbell cameras did something like this, the claim of no cloud is just too convenient to be true when it was almost certainly always a bolt-on to the original design. And I doubted they'd have ever bothered to make some port forwarding or broker mechanism for people to connect back directly to their cameras or Homebase for things like stored thumbnails because it would have made it onerous to maintain two mechanisms. The rest is just pisspoor summer intern coding. None of it is forgiveable. I also noticed on my Eufy pantilt camera that similar things were happening and I was also able to start an HLS stream direct from the camera by URL, but anticipated that stupid stuff like this would always be possible. It's sad that I still expect this to be the norm with these lower priced consumer commodity products. Lazy, inadequate security and platform design undermines otherwise good products. Good on LTT for publicly dropping them.
Time to start a new era of LTT where you take apart everything to check if there's malicious hardware/software. You're welcome for the best idea of 2022. lol I hope.
After 3 or 4 more scandals like this you guys might actually start to appreciate Apple.
...and THIS is why I don't want a camera in every room of my house unless I KNOW that it's wired up physically to something that I control
Damn, I have a lot of Anker products and really like their stuff. Such a shame they went down this rabbit hole with Eufy.
Ha. Like they probably had a choice, PLA were knocking on the door like with Huawei.
@Alias Anybody I'm reading your comment while I've got three Anker cables plugged into my outlets. So yeah, it does totally leave a sour taste regardless of if someone's been directly affected or not.
Shit like brand boycotting needs to really ramp up. Companies have gone off the rails and think they can get away with anything. A sharp dip to profits should bring them back to sanity.
could be a bad decision by a eufy-exclusive director to boost earnings, could not. who knows
@Robert Andersson which device description are you quoting "local storage only" from? I have not seen that on their products descriptions; they advertise local storage as a feature (and it truly is local storage as the video remain on device). If you set up to have it notify you and sync data to the phone, it's generally necessary to have the device push certain data to the cloud
@Hdhd Hshs cbxhdh It's not supposed to upload at all though. That's the point. It says "local storage only".
Take note: ANYTHING can be a camera, microphone or GPS locator
Now I regret buying my Eufy cameras months back. I really wish I could get my money back from this BS.
So what companies would you recommend as an alternative to Anker? It's a real shame to lose out on their products as they've had a reputation for making good kit (cables/chargers).
Ugreen is pretty good
In Illinois (USA) running facial recognition/tagging without consent is illegal. IL Facebook users were awarded $400 for non-disclosed facial recognition. Sounds like eufy didn't disclose and will likely get class action lawsuits from IL and similar states.
I feel like this is something for LTT labs to look into on "smart devices": are they as secure as claimed and are they doing detectable nefarious things that go against how it was marketed? This could get very interesting VERY fast.
@Jendrej Sadly I haven't watched it in weeks. If I remember rightly they were joking about the company, and I think to me they were joking too much. Like trying to say, "yeah they paid us to promote them, lol." At least that was the vibe I got.
@GrimReaperNegi I'm sorry, you've lost me, what are they joking about again?
@Jendrej I still don't think they should joke about it. I think it is fine if they don't apologize, but you shouldn't joke about it so much.
@GrimReaperNegi I think they were promoting different products from the parent company
"Why we're dropping this sponsor" that means they got paid for promoting it before right? If someone bought it due to these guys, and they joke about it!!
I changed from Arlo to Eufy. In 2019, Arlo pushed a firmware update to my cameras that killed motion detection. You could run past jumping and waving and it will not see you. With Eufy, they sent me the completely wrong system. They told me I had to return the system, wait for a refund, and then buy it again. The only bypass to this is an RMA which I did request and provide several videos of proof showing all cameras having outright broken audio. Needless to say, they outright refused to RMA. Their 2C Pro camera looks super shitty [mainly frame fuzz] but does pick up 98%+ motion so far. 16GB of video storage somehow only comes out to 12GB. To top things off, I was just [as of typing] logged out of my account and my password no longer works. If this happened several months ago, I would just return it and install CCTV and deal with all that trouble over all this BS.
If you want more than the surface level anger of "trust me bro" Linus, check out The Hook Up on this topic. He goes into detail on what's actually going on, and why Linus' outrage is based on a shallow understanding of the issue. Also, Eufy DID fuck up in the past (they jumbled the device sharing so people could see random strangers' devices in their list). But again, Linus completely misses that literally all other devices that support rich notifications do the same thing with regards to uploading thumbnails.
EDIT: To be clear, claiming to be local-only and then uploading stuff to the cloud is no bueno. However, the issue here is the uploading itself (or the promise not to), not how they do it. So if you go "lol they upload thumbnails to a public S3 bucket" then congrats, you missed the point.
Suggestion: Find someone whose privacy has been violated by one of these devices. That could entail something as simple as photographing a person in a two-party consent state. For the vacuum with a camera, possibly any photo of a child, especially its face, might suffice.
Next, take it to court (Federal, if feasible) and ask for an immediate injunction. IANAL, but I bet there would be lawyers salivating over the possibilities.
You'll need a router that can block specific devices from accessing the internet.
Damn. Was hoping they were going to be trustworthy, since there are basically no good “local only storage” home security camera solutions. 😭
I have a Eufy video doorbell, and am not all that concerned that the Chinese government knows when the mailman delivers a package to my front door. Now if I had their security cameras inside my house, that might be another matter, but here we are talking about stuff anyone driving by on the street could see.
I bought an older model because of the HomeKit integration. Never once configured it to use their service.
I guess now I need to break out the packet sniffer.
Do y'all remember that scene in Silicon Valley where Dinesh forgot to update the TOS and caused the company to suffer billions of dollars in COPPA violations? I'm pretty sure they just did that for real. Every house that has a camera in an area where children dress/undress probably uploaded some stuff, too. They are so fucked.
As a software dev, I question if this is even a "breach" as nothing was breached, they just ignored security entirely. It's something worse.
Edit: Apparently there basically was an auth token embedded in the URL, so it was secured. So it's actually not a breach at all.
@DELTARYZ Read the licensing agreement. This is also something every single doorbell company is doing.
Yeah legally speaking if I were to spy on your intimate moments, I could literally claim "but I didn't bypass any authentication" and get off scot-free.
you need to go back to school.
The researcher created a breach by finding the embedded token and viewing the content. They didn't have logging or any oversight so there is zero chance they could prove they weren't additionally compromised.
As is standard practice in the security industry this would be treated as a breach and specifically has been at all major Fortune 500s and is in part why AWS forced by default that all S3 buckets be encrypted and password protected.
It's devs that broke this because product made them move quickly without consulting appropriate experts.
@David Jeffers yes, absolutely. GDPR is pretty strict. Having possession of data against what you say you'll do, even 'accidentally' is a breach of the law that carries hefty fines. Just like a release of personal information, even because someone hacks you, is a breach of the law. If you can't keep data secure, the law says, then you *must* not attempt to store it.
GDPR is also codified from the position that a person's data is always not stored by default, and you *must* be clear if you're going to store it for any reason. And by clear I mean not in small print. Every time data is kept the data storer must ask the person if they want it stored, with the assumption being that they won't.
You're not even allowed opt-out marketing emails now, the customer must always have to opt-in. Some companies skirt this pretty close, but that's what the law says.
Sometimes that means the warning must be there in bold sight saying "by using this service [certain data] must be recorded" but again, not in small print. It must be front and centre.
GDPR also goes to great pains to distinguish a higher level of security and penalty for any information that is 'sensitive' (the definition of which is long-winded, but akin to the old data protection rules about 'personal') and any data that can identify the user.
There's again caveats about law enforcement, but that's pretty clear stuff.
Breaches of GDPR come with a maximum fine of €18 EUR or 4% *global* turnover.
@David Gardiner Is it though? Based on the way the hookup describes the more nitty gritty parts of the situation, that doesn't seem to be true. It seems like this was simply an issue of marketing over promising. Which is still to be fair, a bad thing, but these products are still leaps and bounds better than the alternatives that are cloud dependent. This isn't cloud dependent, there are just some specific features that do rely on the cloud, like rich notifications while you're away from home.
I've always had a gut feeling about this company doing shady things. Never trusted them.
All my video is outside the house. Never inside for this reason.
Not just Eufy. I wouldn't have any camera that connects to the internet in my home.
Well I pretty much default to Anker for batteries and such and was just looking at their battery and solar bundle for when we get small blackouts. Guess I'll be looking elsewhere now. I don't bail on a good brand lightly either, this is a huge mishandling on every level.
I don’t know if lawsuits really are the solution. I mean. It’s GREAT if they work, and the fine is meaningful.. but it’s all very retroactive, and affects the minority of companies who have a big leak. In practice, leaving behind many companies with the same vulnerabilities who just happen to have not been hit with a scandal yet. It’s a place for security legislation, and governments need to start taking it seriously and implementing and enforcing standards. The EU privacy laws for instance are a start. That’s the kind of thing that ACTUALLY starts pushing a change in the industry.
That's a shame. I have owned tons of different Anker products at this point and I haven't been disappointed by a single one... but, this... there is no conceivable way they didn't know this kind of procedure and handling of some of the most sensitive user data possible was completely unethical, likely illegal, fraudulent, and a complete breach of trust. I guess they just thought screw it, nobody will find out.
I was literally just about to buy some Eufy cameras, so I’m really glad I waited!
@Lightevilaster yeah for storage. The big draw was that you could slap in a huge memory card and record years worth of alerts without paying cloud storage fees like you would with Ring or Arlo.
No reasonable person would ever expect that nothing at all is being sent to the mothership when the entire product is an internet-connected device.
@pilotdog68 Marketing material shown in the video clearly indicates no clouds and no costs and that only I will have access to the data
@Lightevilaster How is it pure malice? One of their main features is their prompt notifications and AI face detection. Those are the reasons people buy their products. Did people think that face detection was running on a $30 camera? really?
Same! Just moved into a new place and liked that Eufy works with all Apple Home Kit and price is good.
Looks like I’m back to the drawing board
@Studio23 Media Do those support HomeKit? That’s honestly the only reason I was considering Eufy
"Make an example out of them", as a Canadian; This is the funniest thing I've seen in a while.
Damn it, I tried so hard to get a good doorbell that wasn't spying on me. >:(
I've been happy with Anker and was looking at Eufy due to that. Well, now I'm glad I didn't...
I'm honestly curious. I purposely bought these, because I originally went Wyze, had a similar issue. Thought I'd actually buck up and get something secure that was local as we use our kids' rooms on these as well. Now I have to replace everything, at a larger cost incurred by me, with zero recourse, and the worst part is, now I have to worry about what's out there with my kids on it?? And not going to lie Linus, the part where you guys snicker about it, this isn't funny. Nothing about this is funny. You kinda pissed me off how tongue in cheek you handled this (more so Luke snickering every other comment). This company needs to burn.
The only way stuff like this stops is when execs start seeing INDIVIDUAL consequences.
@ln+3rna1hàbän3r0s "Dear slaves, how do we stop your slave masters from doing horrible things?" "Idk, we're literally slaves we have slaving to do that's all we're taught to do from the get go bro"
@Beregorn88 Meh, fuck it, just get them all then. If you partake you're responsible. Seems easy enough. Instead of asking anyone here to figure out the fine details, let them figure it out themselves later. Until then, if you took part, you go down with the rest.
@CasualCoreK Why would they ever make laws that could punish those who fund basically everything for them? It's really just one big loop. It protects itself.
@Calen Laughlin That's exactly what it is. It's to protect those in charge from shady decisions and to protect shareholder profits.
@Corey Rogers I've heard this many times, however I've never seen a corporation go to prison. It seems like a convenient lie to protect actual people from the consequences of their actions.
I love my Eufy vacuums...had no idea they also made phones, glad I only buy their vacuums! LOL
Thought LMG was different….nope, just automatically jumps on the bandwagon. Maybe you should take a look at it yourselves and find out what is going on and then give your take on the issue. I am not a user of Eufy, but LMG’s take on this product without its own review is just one more reason to stop trusting what comes out of LMG, and I find fewer reasons to watch their channels. A huge company who has a blowhard as the CEO who makes decisions about not working with a sponsor based on another Clip-Sharer at the drop of a hat.
Is this just affecting the smart doorbell cams or the Eufy 2c cams as well?
Wow I’m shocked. And to think I was eyeing some new anker chargers. Guess I’ll look elsewhere. Hope this hurts them financially.
Holy wow, that's like the holy grail of fuck-ups. An unsecured -two-way- connection (it sends data _and_ you can watch with even just vlc) that allows full access to a live video feed could really only be topped if the things were built so shoddily that they'd allow somebody to compromise your entire network (and nobody's yet said that _isn't_ the case). Hats off, pulling something so stupid off requires knowledge, skill, and determination… to do the wrong thing.
Edit: it's probably not two-way, I misheard "VLC" for "VNC" and assumed there's data going _into_ the device, not just coming out of it.
@MopedMike what? Isn't that some stupid reality show? What exactly don't we understand? Does Linus also not understand?
Wrong, go watch The Hook Up’s video showing how everyone doesn’t know what they are talking about.
@facey Kad Their response is not one of a company who is going to fix the problem. They also either very well knew the issue or are wildly incompetent not to have. Yet they still advertised it the way they did, which is fraudulent.
@facey Kad it's not an overreaction. It really isn't.
VNC is a remote access tool, was very common, funny that they use a VNC server on the cams to see output
I'm not surprised by this, all of the Chinese cameras I have are constantly trying to send information to their home servers. Some made me install literal spyware to access the web UI (I set it up via VM). I block all communication to the outside world with two layers of protection and host the videos using software I control that requires VPN access to view. I'm sure it's still not foolproof but it's as close as I can get given the cameras that are available at reasonable prices nowadays. I also find it interesting how so many people are ok with ISP provided Eero routers and access points. The contract seems to care about everything but your privacy. Unfortunately, it seems like almost every company is looking to monetize their customers now, and people need to be very proactive about their own data security.
Need some FOSS firmware to make those devices not bricks for consumers that have already paid for them. I guess a quick way to kill the communication if people are still wanting to use them without losing their privacy is to block with pihole or adguard. Too bad this will be a really slow class action lawsuit and most consumers will just have to toss them.
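The "block everything from the cameras except what you explicitly allow" approach in the two comments above, and the earlier suggestion of keeping IoT devices on their own network with a home automation host as the sole point of ingress/egress, can be checked rather than just hoped for. Below is an added example (not from the video, Eufy, or any commenter) that scores router connection logs against an egress allowlist for an IoT VLAN. The VLAN range, the HomeAssistant address, the per-device allowlist, the key=value log format and the log lines themselves are all constructed for illustration; a real router or Zeek/Suricata export would need its own parser.

```python
"""Flag IoT devices that talk to anything outside an explicit egress allowlist.

Constructed example: the IoT VLAN, the home automation host, the allowlist and
the log format below are assumptions, not any vendor's real layout.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("192.168.50.0/24")        # assumed camera/IoT VLAN
HOMEASSISTANT_IP = ip_address("192.168.10.5")  # assumed sole ingress/egress host
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]
# Per-device external hostnames that are deliberately permitted (constructed).
ALLOWED_EXTERNAL = {"192.168.50.21": {"ntp.example.net"}}

# Constructed router log lines in a simple key=value format.
SAMPLE_LOG = """\
ts=2022-12-01T10:00:01Z src=192.168.50.21 dst=192.168.10.5 dport=554 proto=tcp host=-
ts=2022-12-01T10:00:02Z src=192.168.50.21 dst=203.0.113.10 dport=123 proto=udp host=ntp.example.net
ts=2022-12-01T10:00:05Z src=192.168.50.21 dst=203.0.113.44 dport=443 proto=tcp host=upload.example-cloud.test
ts=2022-12-01T10:00:06Z src=192.168.50.22 dst=198.51.100.7 dport=443 proto=tcp host=cdn.example-cloud.test
ts=2022-12-01T10:00:07Z src=192.168.10.5 dst=192.168.50.21 dport=554 proto=tcp host=-
ts=2022-12-01T10:00:08Z src=192.168.50.22 dst=192.168.50.1 dport=53 proto=udp host=-
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+) host=(\S+)")


def parse_line(line):
    """Parse one constructed log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto, host = m.groups()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "proto": proto,
            "host": None if host == "-" else host}


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def classify(flow):
    """Return None if the flow is permitted by policy, otherwise a short reason."""
    src, dst = flow["src"], flow["dst"]
    if src not in IOT_NET:
        return None  # only the IoT VLAN is policed here
    if dst in IOT_NET or dst == HOMEASSISTANT_IP:
        return None  # same VLAN (incl. its gateway) or the designated broker host
    if is_private(dst):
        return "lateral connection into another internal network"
    allowed = ALLOWED_EXTERNAL.get(str(src), set())
    if flow["host"] is None:
        return "internet egress with no hostname to match against the allowlist"
    if flow["host"] in allowed:
        return None
    return f"internet egress to non-allowlisted host {flow['host']}"


def find_violations(log_text):
    """Return a list of policy violations found in the log text, in log order."""
    out = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue  # skip malformed or unrelated lines instead of crashing
        reason = classify(flow)
        if reason:
            out.append({"ts": flow["ts"], "device": str(flow["src"]),
                        "dst": str(flow["dst"]), "dport": flow["dport"],
                        "reason": reason})
    return out


def per_device_counts(violations):
    """Count violations per IoT device, handy for spotting the chattiest one."""
    counts = defaultdict(int)
    for v in violations:
        counts[v["device"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for v in found:
        print(f"{v['ts']} {v['device']} -> {v['dst']}:{v['dport']}: {v['reason']}")
    print(per_device_counts(found))
```

Against the constructed log, the stream to the HomeAssistant host, the allowed NTP lookup and the VLAN-local DNS query pass, while the two cloud uploads are reported. The point of keeping the allowlist per device and in plain data is that an unexpected entry is then a diff you can read, which is exactly the "did it phone home when I told it not to" question this thread is about.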
What you said here about tech companies paying basically nothing for doing illegal things in comparison to money made goes for pretty much all industries sadly.
Medicines, tech, tools, furniture and so forth...
They'll not disclose stuff they should... Do illegal data collection... Manufacturers know about defective parts.... Not honor warranties when they should and so forth...
And you are absolutely right they make too much profit to care about the consequences so it continues constantly...
Let us not forget all of those robot vacuums tracking house layouts to send the data upstream to our corporate overlords without our consent. 🤦🏽♂️💯
I was part of that Australian breach and it has been an absolute nightmare. I had to block myself from getting credit, limit my withdrawal limits on all my bank accounts and change personal documents. Oh and every time I make a purchase over a certain amount my bank rings me for authentication.
@C You are reading things I did not say into my message. 'Australian passport breach' implies that everyone with an Australian passport was affected, which is not the case for the Medibank/Optus breaches. I did not say anything relating to my personal opinion on those breaches.
@Holgast "not everyone was a user of either of those services"
Why would you say that though? Why soften the blow? These jerks stole millions of peoples data, why the instant forgiveness?
@Namegoeshere what passport breach? I had never heard of this and there are no search results. Are they thinking of the recent Optus and Medibank breaches, which included personal info including passports? not everyone was a user of either of those services
@Namegoeshere well I was talking about the Optus breach which had my passport details as proof of identity. Not only my passport but my bank details, username, phone number.
@Mo Moe He's talking about the Australian passport breach. It's mentioned at 4:55 in this video.
thank you for this video, i WAS about to buy a full Eufy camera system. not now
The video is wrong though. I suggest watching the response from The Hook Up channel.
Thank you for this. I'm dropping all of my Anker products and black-listing the company. I also have a Ring doorbell that previous owners left and was planning on setting it up. But I won't. I really hope I won't run out of brands to buy either... but if I do, I'll just stick with my original plan - go live in the woods.
I am glad that I didn't get eufy, I had been looking into it but now they have lost my trust.
Eufy's motto, "Trust me, bro!"
I _might_ be getting that confused with some other idiot? 🤔
The way large companies are stopped from doing this kind of thing is that the punishment needs to be SOOOO damn huge that no company would ever think of being sh*tty to their customers.
@Niedas What about all the employees who did nothing wrong and are now losing their jobs?
Good luck enforcing that in China, as much as it sucks to say that.
Most Western companies probably aren't as bad in comparison, and those are the only ones you would manage to punish.
Punish the owners, shareholders, management, officers, with jail time as well as money!
@BlueFire Animations % of Gross will make itself felt.
@Adam Flohr That would soon turn into forcing/tricking people into signing contracts which make them responsible for any wrongdoing.
Our CEO only handles PR and marketing and Billy Bob the janitor is the actual brains in the company, it even says so in his contracts kind of stuff.
there should be pressure on amazon to stop selling all anker products...that would be a lot more meaningful than some fine. They cut off Aukey for buying advertising, so do it.
"military grade encryption" doesn't specify which military we're talking about. It could very well be the Island of Sodor's coast guard
Anyone have good recommendations for power adapters and cables that aren’t Anker?
Man this feels bad because I got into eufy because there was no subscription or cloud and Linus thought this was a good product rip
Facial recognition is illegal in multiple states in the US. There have been multiple class action lawsuits against basically every social media company for this.
Without consent though
@MopedMike I have exactly one college class in contract law and even I know that you can't waive your statutory rights in a contract. If the EULA says "you agree to be beaten nearly to death as a condition of use of the Service", that's still assault and battery at minimum and you can recover damages.
@Gamer 234
For the same reason that cops are constantly breaking the laws too. What're you gonna do about it?
The government, of course, makes the laws to benefit themselves, not you.
@Wrenchmonkey so why is it illegal for other companies to use when your government literally developed the tech And spied on people without consent too
@Gamer 234
So?
Could LinusTechTips sue Eufy for associated defamation? Like "Because we were in partnership with you, we now look bad and that's entirely your fault, so you owe our brand damages for looking untrustworthy."
3:15 ahhh yes I member doing that back in the day except you just put in an IP or something in the address bar. you could even control the camera and watch people freak out
Then there's every Ring and Nest camera product that does all this stuff continuously anyway.
Jail. The solution to this is massive jail time.
I'm sorry to the victims, I'm sorry that a good business relationship is over, I'm sorry we can't trust another brand.
But holy shit was the 'balls and taint' comment worth it.
@MopedMike they lied bruh
@MopedMike yeah no they lied that's reason not to trust them
Wrong, go watch The Hook Up's video showing how everyone doesn't know what they are talking about.
I'll be impressed when you guys stop using all Apple products and Samsung products for that matter. The conditions of the workers who put these devices together, never mind the deplorable conditions the African workers who mine the raw materials have to endure for a pittance, are deplorable. Let's not pretend this is not going on or we don't know about it so we can all afford these overpriced devices.
i would argue if you do pay for it , you're still the product
How do you make an example of them?
No country has laws to cover this level of technical negligence
Real danger to them is if any inappropriate video or picture of a minor got taken. Distribution of that kind throws it right into criminal court.
Have you looked into the claims yourself? He is reporting that the thumbnails are sent, no video was sent. That is pretty typical for a software platform that syncs with your phone. Otherwise, the phone has to constantly poll the device, draining both batteries. Other camera systems will generally have the same process. If you don't want this, don't sign up for something that syncs with your phone wherever you go. Now I agree not being encrypted is the problem that they should fix, but that is not the same as the main problem that Paul Moore is claiming, that all his data is being sent. He also speculates that the thumbnails are on the server longer without proof (which he can certainly check himself by using the links that he has).
Lastly, the streams without authentication I believe is referring only to RTSP streams. These are not publicly available links, and are behind the router's firewall. Again, it would be better if they had authentication, but this is pretty typical for IP cameras.
@Escape to the Workshop Your test result needs more attention. "Unauthorized access via VLC" was the only contentious point for me. Your testing would indicate that the security measures currently in place are adequate but could be better. Not the "gross negligence" that you see people blindly repeating.
I have tested this with my system. I found I could only stream if I had access to the stream token AND the stream had been started using a request containing my auth token/cookie. Once a stream had started, if I stopped it via the Web UI, it sent another request that kills the stream, including the one through VLC. So it would appear that you need both the token (which admittedly does have a rather short random key on it) AND the stream to already be activated.
For the thumbnails, the URLs being used appear to have an auth token of sorts as a query param, which is standard practice for access to private files on AWS S3 and Google cloud storage (I work with AWS S3 and GCP cloud storage on a daily basis). And as far as being available after deletion, if they are hosted on S3, it is possible the responses are cached in an edge node of the CDN for a while.
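The comment above describes the thumbnail links as carrying an auth token in the query string, the usual pattern for time-limited "presigned" URLs to private object storage. As an added illustration (not Eufy's, AWS's or Google's actual code, and a deliberately simplified HMAC scheme rather than the real S3/GCS signing algorithms), the block below issues such a URL and shows what a verifier has to check before serving the object: the token must be present, unexpired, and bound to the exact path. The signing key, the host name and the expiry values are constructed for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side signing key (assumption for the demo; never a real value)
SIGNING_KEY = b"demo-signing-key-not-real"


def _mac(path: str, expires_at: int, key: bytes) -> str:
    """HMAC over the path and expiry so the token cannot be reused for another object."""
    msg = f"{path}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    """Issue a presigned-style URL: expiry and signature travel as query parameters."""
    query = urlencode({"Expires": expires_at, "Signature": _mac(path, expires_at, key)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now: int, key: bytes = SIGNING_KEY):
    """Return (ok, reason). A storage front end would only serve the object when ok is True."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["Expires"][0])
        signature = params["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    if now > expires_at:
        return False, "expired"
    expected = _mac(parsed.path, expires_at, key)
    # Constant-time comparison avoids leaking how many leading bytes matched
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Exercise the checks a verifier performs; returns the reasons for inspection."""
    base = "https://thumbs.example.invalid"  # constructed host name
    issued_at = 1_700_000_000                # constructed timestamp
    url = sign_url(base, "/thumbs/event-1234.jpg", issued_at + 60)

    results = {
        "valid": verify_url(url, issued_at + 10)[1],
        "expired": verify_url(url, issued_at + 61)[1],
        # Token copied onto a different object path
        "retargeted": verify_url(url.replace("event-1234", "event-9999"), issued_at)[1],
        # Same path, no token at all
        "no_token": verify_url(f"{base}/thumbs/event-1234.jpg", issued_at)[1],
    }
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:11s} -> {reason}")
```

The expiry is the knob that matters for the retention question raised in the thread: a link that stays valid long after the object should have been deleted, or an object that lingers in a CDN edge cache, widens the window in which a leaked URL is useful, so the signing lifetime and the cache TTL should both be kept short.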
If anyone had bothered to read the full story, YES, Eufy lied. HOWEVER, this "vulnerability" requires that A) your camera be active (as in actively recording) for someone to view it and B) they'd have to have your camera's serial number (something not trivially guessable by the way) to be able to exploit this. TL;DR yes they lied, no the vulnerability isn't actually that bad. READ THE ARTICLES
The hysteria is hilarious, people don't really understand how the vulnerability works but they panic.
I'll scoop a bunch of supplementary eufy's when they slash the price. Absolutely no worries
Assuming this product is sold in the EU, this is a fat breach of GDPR on so many levels and the fines would be massive.
This is awful. However, these devices may still have potential. If you put your eufy devices in an offline network, you could probably use that unencrypted stream in something like home assistant.
Saying they're going to delete the pictures after taking them without permission is like someone sneaking into your house to play with your stuff and saying "It's okay, I'm gonna put all your stuff back when I'm done."
I'm cool if they put it back unbroken
Or the government deleting background checks after 72 hours for gun purchases…..yeah like we believed that one from the start.
Listen….if you think there’s a possibility it can spy on you ….it is.
That's fine with me if a random intruder wants to put away all my kid's toys while I'm sleeping
So should I return my chargers/sell my chargers? I have 1 pair of cables 2 chargers and a bank.
so is this about the uploading the images or about the lying. I always assumed other companies did the same stuff.
Webcam + raspberry pi for the win! At least you know what's running..... Tbh most companies are lacking on the security side of things, did you know that your PSN password was stored in plain text in your ps vita? So yeah, even Sony isn't clean on that (but at least I guess it's better than a camera that flag in your face in a DB)
I wonder if there is any legal action that will be taken against them.
Doing a teardown of the scales wouldn't be a bad idea
Also, this really is frustrating as I went for my Eufy set up because I saw no other option for my needs, luckily it's all outside the house, but still. Breach of trust on a massive scale.
Pun not intended.
@MrZilla500 same
Yeah I have a bunch of their outdoor cameras and nothing set up to cloud save....still... who knows
You may want to look a little further because further coverage from The Hook Up has shown a slightly different angle of this that makes it seem like Linus may have unintentionally exaggerated the issue of it
Can we PLEASE get that discussion question on a tshirt on lttstore?? 🤣🤣
Wow, I hate this. I loved Anker. Screw them now!
To be fair, I’m not buying any of Anker’s intelligent products. But they still have some of the best charger products..
Wow, Anker subsidiary? My reaction to this is similar to yours. I've bought their stuff preferentially because it's genuinely good, but there's no way I'm supporting that.
LTT is so blatantly wrong here. He even said it in the clip that the media is used for push notification, so I'm not sure why he's fanning this non-existent fire. If you don't want ANY data at all uploaded to the cloud, then turn off push notifications and facial recognition. Some people like seeing who's at their door in the push notification. And for that to happen, the image needs to be stored on a publicly accessible server. What Eufy is likely doing is that images are automatically deleted based on a retention policy - eg: a rule that deletes images older than 1 day.
That really sucks since I think Anker powerbanks and charging products are the best in the market :(
The usual Linus Dunning-Kruger spectacle. This all has nothing to do with the web interface, and everything to do with mobile notifications. Eufy has a pretty reasonable solution. The face identifiers are used if you turn on the facial recognition feature... so that you see a name in the mobile notification. Did the security researcher check that different accounts yield the same face identifier? No, he wanted his 15min of fame.
They definitely should not have claimed "No Cloud," though. They should definitely also warn the user that temporary storage on internet-facing servers is required for some features.
Thoroughly disappointed in Anker for allowing this, possibly even pushing this. Completely unacceptable. As hard as it is for me to say, part of me doesn't want to purchase ANY Anker products anymore...