Smart Home
Making your home smart also makes it an informant.
45 devices analyzed.
What we found
Eufy HomeBase 3: F
Eufy promised "local storage only." Caught uploading thumbnails to AWS with facial recognition data.
Security researcher Paul Moore discovered in November 2022 that Eufy cameras connected to HomeBase were uploading facial recognition thumbnails to AWS cloud servers (s3.amazonaws.com). The Verge independently confirmed that live video feeds were accessible via unencrypted cloud URLs without any authentication. Anker denied the findings for months before admitting in January 2023 that cameras did not offer end-to-end encryption as promised.
Eufy Security Cameras: F
Eufy sold millions of cameras on a single promise: your footage stays home, period.
The Verge proved in November 2022 that Eufy cameras were uploading facial recognition thumbnails to AWS cloud servers without user consent. Worse, camera feeds could be accessed remotely via a URL with no authentication — anyone with the link could watch live footage. The URLs used a predictable pattern based on device serial numbers.
Ring Floodlight Cam Wired Pro: F
Ring gave your doorbell footage to police 11 times without asking you.
Ring provided camera footage to law enforcement at least 11 times without customer consent or a warrant in 2022, as disclosed by Amazon to Senator Markey. Ring also maintained partnerships with over 2,100 police departments through the Neighbors app, creating the largest corporate-run surveillance network in the United States.
Mars Hydro IoT Grow Lights: F
2.7 billion records.
In February 2025, security researcher Jeremiah Fowler discovered a 1.17 terabyte unprotected database containing 2.7 billion records from Mars Hydro, LG-LED Solutions, and Spider Farmer IoT devices. The database — with no password protection — contained Wi-Fi network names and passwords, IP addresses, device IDs, API tokens, and operating system details of users worldwide.
Nexx Smart Garage Controller: F
A researcher could open any Nexx garage door in America from his laptop.
Security researcher Sam Sabetan discovered hardcoded credentials in Nexx smart garage controllers that allowed anyone to open, close, or monitor any Nexx garage door in the world. The vulnerability (CVE-2023-1748, CVSS 9.3) also exposed email addresses, device IDs, and first names of all Nexx users. CISA issued an advisory. Nexx never responded to the researcher, CISA, or media.
Unitree Go2 Robot Dog: F
Every Unitree robot dog has a backdoor.
In 2024, security researchers discovered that every Unitree Go2 robot dog contains a pre-installed remote access tunnel (CloudSail/Zhexi) that connects back to Unitree's servers in China. Through this tunnel, Unitree — or anyone who compromises their infrastructure — can remotely access the robot's cameras, microphone, and movement controls. The tunnel is active by default and cannot be disabled through normal settings.
ADT Home Security: F
ADT protects your home.
In April 2026, ShinyHunters breached ADT via voice phishing of an employee's Okta SSO credentials, then exfiltrated data from Salesforce. 5.5 million people affected — names, emails, dates of birth, phone numbers, addresses, and partial SSNs. ADT refused to pay ransom. ShinyHunters leaked an 11GB archive on the dark web. This was ADT's third breach in two years. A home security company breached three times in 24 months. The company protecting your home can't protect its own customer database.
Wemo Smart Home: F
Researchers found a bug that lets hackers take over Wemo smart plugs remotely.
Security researchers have repeatedly found critical vulnerabilities in Wemo products. In 2023, a buffer overflow vulnerability (CVE-2023-27217) in the Wemo Mini Smart Plug V2 allowed remote code execution on the device. Belkin stated it would not fix the vulnerability because the product was "at end of life" — despite millions of units still in active use in homes.
