Eufy's security arm has publicly addressed some of the most important claims about the company's local-focused systems, but those who bought into the "no clouds" claims may not be fully assured.

Eufy has issued a statement in response to recent findings by security researchers and tech news sites. Eufy admits that it could do better, but also that there are some unresolved issues.

In a thread titled "Re: Recent security claims against Eufy Security," "eufy_official" wrote to its "Security Customers and Partners." Eufy is taking a new approach to home security, one designed to operate locally and avoid cloud servers. "Not the cloud" means that video footage, facial recognition, and identity biometrics are managed on devices.

Questions about Eufy's cloud policies have been raised a few times recently. Two years of findings on Eufy security were summarized by another firm.

Eufy acknowledged at that time that it used cloud servers to store thumbnail images, and that it would improve its setup language so customers who wanted mobile alerts knew this. The company didn't address the claim that live video streams could be accessed through the right URL, one that could potentially be brute-forced.

One day later, a tech site working with a researcher confirmed that a user without a Eufy account could watch a camera's stream. To get that URL, you needed a serial number, a timestamp, and a four-digit value.

Eufy disagreed with the accusations regarding the security of the products. The company changed a lot of its statements and promised more on its privacy policy page. The statement on its own forums was delivered last night.

Eufy states that its security model has never been attempted, but that it remains committed to customers. Several claims have been made against its security, and the need for a response has annoyed customers. The company wanted to gather all the facts before making a statement.

Eufy stated that it uses Amazon Web Services to forward notifications. Eufy states that the image is end-to-end secure and deleted after being sent.

Eufy says that no user data has been exposed and that the potential security flaws discussed online are speculative. Eufy says it has disabled the viewing of livestreams when not logged in.

Eufy says the claim that it is sending facial recognition data to the cloud is false. Users can add faces to their devices through either a local network or peer-to-peer connection. The Video Doorbell Dual used to be able to share it with other cameras on the Eufy system, but that feature has been disabled.

Some follow-up questions about Eufy's security practices have been raised by The Verge, which had not received answers to further questions. They include why the company denied viewing a remote stream, its law enforcement request policies, and whether the company was really using "ZX Security17 cam@" as an encryption key.

Paul Moore, the researcher who raised some of the earliest questions about Eufy's practices, hasn't commented on the matter since he said on November 28 that he had a lengthy discussion with Eufy's legal department. Moore investigated other "local-only" video doorbell systems and found them to be non-local. Eufy's privacy policy seems to have been copied by one of them.

"Thus far, it's safer to use a doorbell which tells you it's stored in the cloud, as the ones honest enough to tell you generally use solid crypto," Moore wrote about his efforts. Eufy's most privacy-minded customers may be willing to agree.