Eufy says your fingerprint data stays on your lock and never goes to the cloud. But this is the exact same company that was caught lying about the same thing with their cameras — they said camera footage was stored locally too, but secretly uploaded it to Amazon cloud servers. They use the same app for both cameras and smart locks, so the same deceptive infrastructure could apply to your fingerprints. Eufy promised your video feeds were encrypted and secure. The New York Attorney General proved they were not — anyone who found the right web address could watch your camera feed without a password. Eufy paid $450,000 in penalties. If they failed to encrypt video properly, can you trust their encryption of your fingerprint data?
What they claim: Eufy privacy policy states biometric fingerprint data is "securely stored locally on your device and not uploaded to the cloud" and that "Anker does not have access to this data."
What we found: Eufy/Anker was caught secretly uploading camera biometric data (facial recognition) to AWS cloud despite identical "local-only" marketing claims. BIPA lawsuit allowed to proceed in Illinois (Jan 2024) after evidence showed facial recognition thumbnails uploaded to AWS even when cloud storage was disabled. Same company, same app (com.oceanwing.battery.cam), same marketing language — proven false for cameras, now applied to fingerprint data.
What they claim: Eufy Smart Lock C230 is a fingerprint deadbolt lock — it has no camera and no microphone. The eufy Security app is used to control it.
What we found: The eufy Security app (com.oceanwing.battery.cam) requests CAMERA, RECORD_AUDIO, and FOREGROUND_SERVICE_MICROPHONE permissions. A smart lock app controlling a device with no camera or microphone should not need camera or audio recording permissions. These permissions exist because the same app serves Eufy cameras, but the smart lock user cannot selectively deny permissions for lock-only features vs camera features without losing lock functionality.
What they claim: Eufy privacy policy states biometric information is "collected and processed solely on the user's device; Anker does not have access to this data."
What we found: The eufy Security app requests USE_BIOMETRIC and USE_FINGERPRINT permissions on the phone itself, plus INTERNET, ACCESS_NETWORK_STATE, and FOREGROUND_SERVICE permissions. While these phone biometric permissions may be for app login (not lock fingerprint data), the app has full network access. The BIPA lawsuit evidence showed Eufy cross-linked biometric facial IDs across different cameras and different HomeBase units via cloud — proving biometric data DID transit through Anker's infrastructure despite "local-only" claims for camera biometrics.
What they claim: Eufy privacy policy states it maintains security safeguards and encryption for user data.
What we found: The NY AG investigation (2025) found Eufy distributors "did not have the necessary processes in place to test their safeguards or to identify risks to the security and privacy of consumers." Video data was transmitted without end-to-end encryption. Biometric facial data was uploaded to AWS without encryption (per BIPA lawsuit). The 2021 bug exposed 712 users' camera feeds to strangers during a software update. The eufy ecosystem has a documented pattern of security failures across multiple independent investigations.
What they claim: The Eufy Smart Lock C230 has an embedded encryption chip that Eufy claims protects fingerprint templates and Bluetooth data.
What we found: While Eufy claims an encryption chip protects biometric data, the same company's ecosystem was found by the NY AG to lack end-to-end encryption for video data and by security researchers (USENIX WOOT '24) to have critical vulnerabilities in its peer-to-peer protocol, authentication, networking, and encryption processes. No independent security audit of the smart lock's encryption chip has been published. The encryption chip claim is unverified by any third party, and the company's track record with encryption is demonstrably poor.
What they claim: Eufy privacy policy claims fingerprint data is stored locally and not shared. Policy also discloses sharing data with "Anker affiliates and group entities."
What we found: BIPA lawsuit evidence showed Eufy cross-linked biometric data across different devices and users via cloud infrastructure. Eufy policy discloses sharing with "Anker affiliates" but does not specify which affiliates or what data. Anker Innovations Limited is a Hong Kong-based company with affiliates in Shenzhen, China. Under China's Data Security Law, companies can be compelled to share data with government authorities for national security purposes. The policy's vague "affiliates" language combined with Anker's corporate structure raises questions about whether biometric data could be accessed by entities beyond the user's control.
What they claim: The Eufy Smart Lock C230 is a door lock — a physical security device for controlling access to a home.
What we found: The eufy Security app requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, and ACTIVITY_RECOGNITION permissions. A door lock knows when you come and go via unlock events. Combined with fine-grained GPS tracking and activity recognition (walking, driving, running), the app can build a comprehensive movement profile far beyond "who unlocked the door when." The app also requests AD_ID, ACCESS_ADSERVICES_AD_ID, and ACCESS_ADSERVICES_ATTRIBUTION — advertising tracking permissions that have no relationship to locking or unlocking a door.
What they claim: Eufy privacy policy mentions sharing data with "advertising networks" among other third parties.
What we found: The eufy Security app requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, AD_ID, and BIND_GET_INSTALL_REFERRER_SERVICE permissions. These are advertising and attribution tracking permissions. Combined with the app's access to unlock logs (who entered your home, when), location data, and activity recognition, the data available to advertising networks includes a detailed picture of your daily routine, when your home is occupied or empty, and your movement patterns.
What they claim: The eufy Security app requests READ_PHONE_STATE and WRITE_SETTINGS permissions.
What we found: READ_PHONE_STATE allows reading the phone's IMEI, phone number, carrier, and call state. WRITE_SETTINGS allows modifying system settings. For a smart lock companion app, these permissions are excessive — a door lock does not need to know your phone number, carrier, or IMEI, nor modify device settings. Combined with the app's advertising permissions (AD_ID, ADSERVICES), READ_PHONE_STATE enables cross-device tracking by linking your phone's unique identifiers with your smart lock usage patterns.
What they claim: Eufy privacy policy claims video data is protected and secure, with end-to-end encryption.
What we found: NY Attorney General investigation (Jan 2025, $450,000 settlement) found eufy home security products did NOT protect video with end-to-end encryption despite company assurances. Active video streams were accessible to anyone with the URL without authentication. URLs were potentially deducible without obtaining them from the user. Settlement required comprehensive security program, penetration testing, and proper encryption — proving these safeguards were previously absent.
What they claim: The Eufy Smart Lock C230 connects to Eufy cloud servers (security-app.eufylife.com, mysecurity.eufylife.com, api.eufylife.com) for remote access and app control.
What we found: CVE-2022-21806 (CVSS 10.0) allows remote code execution on Eufy Homebase 2 via specially crafted packets. CVE-2022-25989 (CVSS 7.1) allows authentication bypass redirecting device traffic to attacker-controlled server. CVE-2022-26073 (CVSS 7.4) allows remote denial of service. USENIX WOOT '24 research exposed critical vulnerabilities across the entire Eufy ecosystem. A smart lock with cloud connectivity inherits all cloud infrastructure vulnerabilities — a compromised Eufy cloud account or exploited ecosystem vulnerability could grant physical access to your home.
What they claim: The eufy Security app requests KILL_BACKGROUND_PROCESSES, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, RECEIVE_BOOT_COMPLETED, and SCHEDULE_EXACT_ALARM permissions.
What we found: These permissions allow the app to: kill other apps' background processes, prevent Android from saving battery by stopping the app, start automatically when the phone boots, and schedule precise alarms. This combination ensures the eufy app is always running and cannot be stopped by the operating system. For a door lock app, persistent background operation means continuous data collection (location, activity) even when the user is not actively using the lock.
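The permission findings above can be checked mechanically against a decoded `AndroidManifest.xml`. This is an added example, not code from this report or from Eufy: the sample manifest is constructed from permission names listed on this page, and the category grouping and the `LOCK_ONLY_NEEDS` baseline are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample: a subset of the permissions this page lists for the app.
_NAMES = ["android.permission.INTERNET", "android.permission.USE_BIOMETRIC",
          "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
          "android.permission.ACCESS_BACKGROUND_LOCATION",
          "android.permission.ACTIVITY_RECOGNITION",
          "com.google.android.gms.permission.AD_ID",
          "android.permission.READ_PHONE_STATE",
          "android.permission.RECEIVE_BOOT_COMPLETED"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
    + "".join(f'<uses-permission android:name="{n}"/>' for n in _NAMES)
    + "</manifest>")

# Short permission names, grouped the way the findings on this page group them.
CATEGORIES = {
    "network": {"INTERNET", "ACCESS_NETWORK_STATE"},
    "phone_biometric": {"USE_BIOMETRIC", "USE_FINGERPRINT"},
    "camera_audio": {"CAMERA", "RECORD_AUDIO", "FOREGROUND_SERVICE_MICROPHONE"},
    "location_activity": {"ACCESS_BACKGROUND_LOCATION", "ACCESS_FINE_LOCATION",
                          "ACCESS_COARSE_LOCATION", "ACTIVITY_RECOGNITION"},
    "advertising": {"AD_ID", "ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION",
                    "BIND_GET_INSTALL_REFERRER_SERVICE"},
    "device_identity": {"READ_PHONE_STATE", "WRITE_SETTINGS"},
    "persistence": {"KILL_BACKGROUND_PROCESSES", "RECEIVE_BOOT_COMPLETED",
                    "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "SCHEDULE_EXACT_ALARM"},
}
LOCK_ONLY_NEEDS = {"network", "phone_biometric"}  # assumption: lock-only baseline

def declared_permissions(manifest_xml):
    """Return short names from <uses-permission> and <uses-permission-sdk-23>."""
    names = set()
    for el in ET.fromstring(manifest_xml).iter():
        name = el.get(ANDROID_NS + "name")
        if el.tag.startswith("uses-permission") and name:
            names.add(name.rsplit(".", 1)[-1])
    return names

def audit(manifest_xml, needed=LOCK_ONLY_NEEDS):
    """Map each category outside `needed` to the declared permissions in it."""
    perms = declared_permissions(manifest_xml)
    report = {cat: sorted(perms & members)
              for cat, members in CATEGORIES.items()
              if cat not in needed and perms & members}
    # Anything not in the table is surfaced for manual review, not dropped.
    unknown = sorted(perms - set().union(*CATEGORIES.values()))
    return {**report, "uncategorized": unknown} if unknown else report
```

`audit(SAMPLE_MANIFEST)` returns the categories a lock-only user cannot justify; pass a different `needed` set to model a camera owner using the same app.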