Eufy is part of the Chinese company Anker and makes well-reviewed smart cameras around the house. But the cameras seem to upload the images to the cloud, Discover Security researcher Paul Moore. When he logs into the Eufy website, he sees recent photos taken by his Eufy cameras. That shouldn’t be possible: it only saves photos from cameras offline.

At first, the cameras appeared to be uploading images as part of push notifications on users’ smartphones. For example, if someone rings the doorbell, a photo of that person can be shown in the notification on the phone — even though the camera only stores the photos locally. But even with those notifications turned off, the snaps still appear online, Offers moore on.

Watch others

Even more troubling is Moore’s discovery that the Eufy cameras are simply through the browser Available. Anyone who knows the correct URL of this camera can access it and view it unnoticed. The live video is not encrypted nor even password protected. Moore does not share how he pulled it off given the seriousness of the case.

eufy groups reaction His cameras are designed for local storage of video images. According to Eufy, they are always stored encrypted on the user’s own hardware. According to Eufy, the uploaded images are necessary to show an image with push notifications. The company acknowledges that this functionality could have been explained more clearly and promises to do so in the future. However, the company has not yet addressed the possibility of others viewing live images from the cameras unnoticed.

It’s not clear if Moore’s findings apply to all Eufy cameras. Anyway, it would take weeks with the EufyCam 3 paired with the Eufy HomeBase 3. It showed AndroidCentral, who managed to emulate Moore’s approach. Eufy fell into the basket before, when photos from cameras were sent to strangers due to a server error offered.