Eufy sold its cameras on the promise that your video never leaves your home. A security researcher caught the cameras uploading face images to Amazon cloud servers. When confronted, Eufy deleted its privacy promises from its website instead of fixing the problem. Eufy also promised military-grade encryption for video feeds. In reality, anyone who knew the right web address could watch a live camera feed in an ordinary video player, with no password and no encryption. Eufy's own spokesperson denied this was possible while journalists were doing it.
What they claim: Eufy privacy policy states biometric facial recognition is "conducted entirely on your device" and local storage data is "not uploaded to the cloud." Marketing prominently features "No Cloud" and "Local Storage Only" as key selling points.
What we found: Security researcher Paul Moore showed in November 2022 that Eufy cameras were uploading facial-recognition thumbnails to AWS servers without user consent. The Verge independently confirmed that live video streams could be opened in VLC without authentication. The New York Attorney General's investigation confirmed that video streams were not always encrypted and could be accessed by anyone with the URL. Eufy responded by silently removing ten "privacy promises" from its website.
What they claim: Eufy markets itself as a privacy-focused alternative to cloud cameras. The Exodus Privacy report shows 0 trackers in the app, suggesting a privacy-respecting approach.
What we found: Exodus counts known tracker SDK signatures, not permissions, so "0 trackers" does not mean no advertising infrastructure. The eufy Security app (v6.0.03) requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, AD_ID, and BIND_GET_INSTALL_REFERRER_SERVICE, all of which exist to read advertising identifiers or install-attribution data. The app also requests ACTIVITY_RECOGNITION (physical-activity detection), ACCESS_BACKGROUND_LOCATION (location access while the app is not in the foreground), and WRITE_SETTINGS (modifying system settings).
What they claim: The Eufy Indoor Cam 2K is a standalone Wi-Fi security camera with video, two-way audio, and motion detection. It connects via Wi-Fi and Bluetooth.
What we found: The eufy Security app requests 49 permissions including: RECORD_AUDIO and FOREGROUND_SERVICE_MICROPHONE (continuous audio access), READ_PHONE_STATE (phone identity), KILL_BACKGROUND_PROCESSES (controlling other apps), SYSTEM_ALERT_WINDOW (drawing over other apps), WRITE_SETTINGS (modifying system configuration), SCHEDULE_EXACT_ALARM, SET_ALARM, DOWNLOAD_WITHOUT_NOTIFICATION (silent downloads), and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS. Many of these exceed what a security camera app requires.
What they claim: The eufy Security app uses biometric login (USE_BIOMETRIC, USE_FINGERPRINT permissions) to secure camera access, suggesting only authenticated users can view feeds.
What we found: CVE-2021-3555, reported by Bitdefender, is a pre-authentication buffer overflow in the camera's RTSP server that allows remote code execution with no credentials at all. Bitdefender also found a man-in-the-middle weakness that allowed malicious firmware to be installed for complete device takeover. Biometric login on the app only gates the phone's view of the feed; it is meaningless if the camera itself can be compromised without any authentication.
What they claim: Eufy markets cameras to American and European consumers as privacy-focused local storage devices.
What we found: Republican lawmakers demanded a federal probe into Anker (Eufy's parent company, headquartered in Shenzhen, China) over national security concerns. Camera data routes through cloud endpoints operated by a Chinese company despite "local only" marketing. The USENIX WOOT 24 paper confirmed that the devices communicate with AWS-hosted infrastructure, and data held by a Chinese-headquartered operator could be subject to Chinese data access laws. This follows the pattern of US government scrutiny of Chinese IoT manufacturers (compare the Hikvision and Dahua bans).
What they claim: Eufy privacy policy claims "We use encryption to keep your data private while in transit" using "industry-standard protocols (such as TLS 1.3 and ECDH key exchange with AES-256)." Local data claimed to be "protected with AES-256 encryption."
What we found: The Verge demonstrated that live video streams from Eufy cameras could be opened in VLC without any authentication or encryption, something a Eufy PR spokesperson had directly claimed was "not possible." Bitdefender found that the camera's RTSP server had pre-authentication vulnerabilities (CVE-2021-3555). The USENIX WOOT 24 paper confirmed design flaws in the P2P relay protocol, with insufficient access controls.
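"Opens in VLC with no password" is the same observation as an RTSP server answering DESCRIBE with a 200 and a media description, so it can be checked without a media player. The following is an added example, not code from the page, from Eufy or from The Verge: it sends one RTSP DESCRIBE (RFC 2326) to a URL and classifies the reply as an open stream, an authentication challenge, or something else. The host, port and path in `probe()` are placeholders for your own camera, and the two responses embedded below are constructed for the offline example, not captures from a device. It applies to any RTSP address, local or relayed, not only the case in the text.

```python
"""Check whether an RTSP URL serves a stream description without credentials.

Added example, not code from the page. A 200 with an SDP body means anyone
who can reach the URL can play the stream; a 401 with WWW-Authenticate means
the server at least asks for credentials. The responses below are constructed.
"""
import re
import socket


def build_describe(url: str, cseq: int = 1) -> bytes:
    """Minimal RTSP DESCRIBE request for `url`."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-auth-check\r\n\r\n"
    ).encode()


def classify_response(raw: bytes) -> dict:
    """Parse an RTSP response and decide whether the stream is open."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return {"status": None, "auth_scheme": None, "verdict": "not-rtsp"}
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    scheme = headers.get("www-authenticate", "").split(" ", 1)[0] or None
    if status == 200 and b"m=video" in body:
        verdict = "open-stream"      # playable with no password at all
    elif status == 200:
        verdict = "open-no-sdp"      # answered, but no media description
    elif status == 401:
        verdict = "auth-required"
    else:
        verdict = "other"
    return {"status": status, "auth_scheme": scheme, "verdict": verdict}


def probe(host: str, port: int = 554, path: str = "/live0", timeout: float = 3.0) -> dict:
    """Connect to a live device and classify its DESCRIBE response (does network I/O)."""
    url = f"rtsp://{host}:{port}{path}"   # placeholders; use your camera's own URL
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        sock.settimeout(timeout)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                data = b"".join(chunks)
                head, sep, body = data.partition(b"\r\n\r\n")
                if sep:
                    # Stop once the headers and any declared body have arrived.
                    m = re.search(rb"(?i)content-length:\s*(\d+)", head)
                    if not m or len(body) >= int(m.group(1)):
                        break
        except socket.timeout:
            pass
    return classify_response(b"".join(chunks))


# Constructed responses (192.0.2.10 is a documentation address, not a real camera).
OPEN_SDP = (b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=cam\r\n"
            b"m=video 0 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\n")
OPEN_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
                 b"Content-Length: " + str(len(OPEN_SDP)).encode() + b"\r\n\r\n" + OPEN_SDP)
LOCKED_RESPONSE = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                   b'WWW-Authenticate: Digest realm="camera", nonce="0123456789abcdef"\r\n\r\n')

if __name__ == "__main__":
    print(classify_response(OPEN_RESPONSE))
    print(classify_response(LOCKED_RESPONSE))
```

A result of `open-stream` from outside the LAN is the failure mode the page describes; `auth-required` with a `Basic` scheme over plain RTSP is only marginally better, since the credentials cross the wire unencrypted.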
What they claim: Eufy privacy policy claims data is "protected with AES-256 encryption" and uses "industry-standard protocols." The product is marketed as a security device to protect homes.
What we found: CVE-2022-21806 (CVSS 10.0) is a use-after-free in Eufy Homebase 2 that allows remote code execution via crafted network packets, giving an attacker full control of the hub and every connected camera. CVE-2022-25989 allows authentication bypass via crafted DHCP packets, and CVE-2022-26073 enables a denial of service that disables all connected cameras. A device sold to protect your home shipped with maximum-severity vulnerabilities in its security hub.
What they claim: Eufy claims data is encrypted and securely stored. Privacy policy states only the user has access to their data.
What we found: Bitdefender discovered partial access to the AWS S3 bucket Eufy uses to store media and crash-log data. A signing endpoint would sign requests for arbitrary object paths in the bucket, potentially exposing serial numbers, user IDs and stored video from any Eufy user. A single flaw in that endpoint therefore exposed data across the entire user base, not just one camera.
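The design error behind the S3 finding is an endpoint that signs whatever object path it is handed. The following is an added example, not Eufy's code and not Bitdefender's proof of concept: it shows that unscoped pattern next to a hardened signer that normalises the path and refuses anything outside the caller's own prefix. A stand-in HMAC replaces a real S3 presigned URL so it runs offline; the `users/<id>/...` bucket layout, the signing key and the function names are assumptions made for this example.

```python
"""Path-scoped request signing: the unscoped pattern beside a hardened version.

Added example, not code from the page or from Eufy. The HMAC stands in for
SDK presigning; the users/<id>/ layout and key are assumptions.
"""
import hashlib
import hmac
import posixpath

SIGNING_KEY = b"example-only-signing-key"   # constructed; never hard-code a real one


def _sign(key: str) -> str:
    """Stand-in for SDK presigning: an HMAC over the object key."""
    return hmac.new(SIGNING_KEY, key.encode(), hashlib.sha256).hexdigest()


def sign_unscoped(user_id: str, requested_key: str) -> str:
    """VULNERABLE pattern (the one the page describes): the caller is
    authenticated, so user_id is known, but the object key is never tied to
    that user. A valid signature can be minted for any object in the bucket."""
    return _sign(requested_key)


class Forbidden(Exception):
    pass


def scoped_key(user_id: str, requested_key: str) -> str:
    """Normalise the requested key and require it to sit inside the caller's prefix."""
    prefix = f"users/{user_id}/"
    # normpath collapses "..", "." and duplicate slashes; the leading "/" stops
    # it from treating the key as relative to a working directory. The trailing
    # slash on the prefix keeps users/u1/ from matching users/u10/.
    norm = posixpath.normpath("/" + requested_key).lstrip("/")
    if not norm.startswith(prefix):
        raise Forbidden(f"{requested_key!r} is outside {prefix!r}")
    return norm


def sign_scoped(user_id: str, requested_key: str) -> str:
    """HARDENED: sign only the normalised, prefix-checked key."""
    return _sign(scoped_key(user_id, requested_key))


def is_allowed(user_id: str, requested_key: str) -> bool:
    """True if the hardened signer would sign this request for this user."""
    try:
        scoped_key(user_id, requested_key)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    for key in ("users/u1/clip.mp4", "users/u2/clip.mp4",
                "users/u1/../u2/clip.mp4", "crashlogs/device.txt"):
        print(f"{key:28} unscoped: signed   scoped: {'signed' if is_allowed('u1', key) else 'FORBIDDEN'}")
```

The prefix check belongs on the server that issues signatures, but it is not a substitute for a bucket policy: if the signing identity can read the whole bucket, a second bug in the endpoint reopens everything, so the identity itself should also be limited to the per-user prefix.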
What they claim: Eufy privacy policy claims industry-standard encryption and security measures to protect user data.
What we found: The New York Attorney General's investigation confirmed that Eufy video streams were not always end-to-end encrypted and that active streams could be accessed by anyone with the relevant URL, without authentication. Three companies distributing Eufy cameras paid $50,000 in settlement. The investigation was triggered by the November 2022 Paul Moore disclosure, and its findings show the privacy violations were systemic rather than isolated.
What they claim: Eufy markets the Indoor Cam 2K as working with "no cloud required" and "local storage only." The privacy policy states local data is "not uploaded to the cloud."
What we found: The camera communicates with at least seven cloud endpoints (mysecurity.eufylife.com, security-api.eufylife.com, p2p-stun.eufylife.com, etc.) hosted on AWS infrastructure. Community testing confirmed that the camera stops working entirely when its internet access is blocked, even for local functions such as viewing the live feed from a phone on the same network. The camera requires constant cloud connectivity despite being marketed as a local-only device.
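Both halves of that finding (which hosts the camera calls and what breaks when they are unreachable) can be checked from a home router. The following is an added example, not from the page: it tallies the names a given client resolves from a dnsmasq query log and filters them to a vendor suffix, then emits nftables rules that confine that client to the LAN so the "still works offline?" test can be run. The log lines are constructed in dnsmasq's `query[A] <name> from <client>` format using the hostnames the page lists; 192.168.1.50 is an assumed camera address, 192.168.1.20 an assumed laptop, and the table and chain names are placeholders.

```python
"""Cloud-dependency check for a LAN device from a dnsmasq query log.

Added example, not code from the page. SAMPLE_LOG is constructed; the camera
and laptop addresses and the nftables table/chain names are assumptions.
"""
import re
from collections import Counter

# dnsmasq with log-queries enabled writes: "query[A] host.example from 192.168.1.50"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

SAMPLE_LOG = """\
Mar  3 10:01:02 dnsmasq[812]: query[A] mysecurity.eufylife.com from 192.168.1.50
Mar  3 10:01:02 dnsmasq[812]: query[A] security-api.eufylife.com from 192.168.1.50
Mar  3 10:01:03 dnsmasq[812]: query[A] p2p-stun.eufylife.com from 192.168.1.50
Mar  3 10:01:03 dnsmasq[812]: query[AAAA] p2p-stun.eufylife.com from 192.168.1.50
Mar  3 10:01:05 dnsmasq[812]: query[A] pool.ntp.org from 192.168.1.50
Mar  3 10:01:09 dnsmasq[812]: query[A] example.org from 192.168.1.20
Mar  3 10:02:02 dnsmasq[812]: query[A] mysecurity.eufylife.com from 192.168.1.50
"""


def queries_by_client(log: str) -> dict[str, Counter]:
    """Map each client address to a Counter of the names it resolved."""
    out: dict[str, Counter] = {}
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.setdefault(m["client"], Counter())[m["name"].lower()] += 1
    return out


def vendor_hosts(log: str, client: str, suffix: str) -> dict[str, int]:
    """Names under `suffix` (e.g. "eufylife.com") that `client` resolved, with counts."""
    counts = queries_by_client(log).get(client, Counter())
    bare = suffix.lower().lstrip(".")
    return {h: n for h, n in counts.items() if h == bare or h.endswith("." + bare)}


def nft_block_rules(client: str, lan_cidr: str = "192.168.1.0/24") -> str:
    """nftables forward-chain rules that let `client` reach the LAN and nothing else.
    Table and chain names are placeholders; load with `nft -f`."""
    return "\n".join([
        "table inet camera_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr {client} ip daddr {lan_cidr} accept",
        f"    ip saddr {client} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for host, n in sorted(vendor_hosts(SAMPLE_LOG, "192.168.1.50", "eufylife.com").items()):
        print(f"{host:30} {n}")
    print(nft_block_rules("192.168.1.50"))
```

Run `vendor_hosts` over `/var/log/dnsmasq.log` for a day to get the real endpoint list, apply the rules on the router, and then try the live view from a phone on the same LAN; a camera that is genuinely local-first keeps streaming, while the behaviour the page describes is an app that cannot even find the device.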