Eufy says your fingerprint data stays on your lock and never goes to the cloud. But this is the exact same company that was caught lying about the same thing with their cameras — they said camera footage was stored locally too, but secretly uploaded it to Amazon cloud servers. They use the same app for both cameras and smart locks, so the same deceptive infrastructure could apply to your fingerprints.
critical
Eufy promised your video feeds were encrypted and secure. The New York Attorney General proved they were not — anyone who found the right web address could watch your camera feed without a password. Eufy paid $450,000 in penalties. If they failed to encrypt video properly, can you trust their encryption of your fingerprint data?
critical
Security researchers found that Eufy's smart home system has critical vulnerabilities — one scored 10 out of 10 severity, allowing hackers to take full control of the system remotely. Since this smart lock connects to those same servers for remote access, a hacker exploiting these flaws could potentially unlock your front door from anywhere in the world.
eufy told customers their baby monitor video stays on the device and is encrypted end-to-end. In reality, video was being uploaded to cloud servers without encryption, and anyone who figured out the URL could watch the feed. The New York Attorney General fined them $450,000 for this deception. This means footage of your sleeping baby may have been accessible to unauthorized people on the internet.
critical
eufy doesn't tell you where your baby's data goes. But the company is Chinese-owned (Anker, based in Shenzhen), and researchers found data being sent to both Amazon cloud servers and Chinese servers. Chinese law allows the government to demand access to data held by Chinese companies. This means your baby's heart rate, blood oxygen levels, sleep patterns, and 24/7 video feed could potentially be accessed by the Chinese government, and eufy never told you this was possible.
critical
eufy's security infrastructure has critical vulnerabilities that could let hackers take over your baby monitor. One flaw (CVE-2022-21806) scored 10 out of 10 on the severity scale — the worst possible rating — allowing hackers to run code on eufy devices remotely. Another flaw means the WiFi password protecting eufy devices can be cracked in seconds using just the serial number printed on the device. The NY Attorney General confirmed eufy didn't do enough security testing.
Eufy sold their cameras by promising your video never leaves your home. A security researcher caught them secretly uploading face images to Amazon cloud servers. When confronted, they deleted their privacy promises from their website instead of fixing the problem.
critical
Eufy promised military-grade encryption for your video feeds. In reality, anyone who knew the right web address could watch your live camera feed in a regular video player, with zero password or encryption. Eufy's own spokesperson denied this was possible while journalists were doing it.
critical
Eufy sells home security cameras to protect your family. But the central hub that controls all the cameras had the worst possible security flaw — anyone on your network could completely take over the system, watch all your cameras, or shut them all down at once. The device meant to keep you safe was itself deeply unsafe.
Eufy told you your doorbell video and face data would never leave your home. They lied. Your face was being uploaded to Amazon's cloud servers without your knowledge. When caught, they quietly deleted their privacy promises from their website instead of fixing the problem.
critical
Eufy didn't just upload your face to the cloud — they used it to identify you on other people's doorbells too. If your neighbor had a Eufy doorbell, Eufy's servers could match your face across both cameras using a shared ID, without anyone knowing.
critical
Eufy said your doorbell video was protected by military-grade encryption. In reality, anyone who knew the right web address could watch your live doorbell feed using a free video player — no password, no decryption needed. Eufy denied this was possible while journalists were doing it.
Eufy promised that your face data and videos would never leave your device and would stay stored locally. In reality, the company was secretly uploading facial recognition images to cloud servers without telling you. They even had a hidden database that could match your face across different users' cameras. When caught, they quietly deleted their privacy promises from their website instead of admitting the truth. This is a direct lie about where your most sensitive biometric data goes.
critical
Eufy claims your smart lock works locally without the cloud and that everything is strongly encrypted. But the lock actually talks to at least 7 different cloud servers, and researchers showed that the video feed could be watched by anyone who had the right web link — no password needed. The "encryption" Eufy advertised didn't actually exist. If you block internet access, the lock stops working properly, proving it depends on the cloud despite claiming otherwise.
critical
This smart lock stores your fingerprints and face data, which Eufy says are safe because they're stored locally on the device. But security researchers found that the eufy system hub has critical vulnerabilities — one rated the maximum possible severity score — that allow hackers to take over the entire system remotely. Another flaw lets attackers intercept your lock's camera feed. A 2024 research paper showed the whole eufy system can be hacked in under 20 seconds from miles away. Your fingerprints and face data are only as safe as the system protecting them, and that system has been repeatedly broken.
eufy's entire pitch was: no cloud. Your video stays on your device. Local storage only. Then a security researcher caught them uploading your face to Amazon's servers. Facial recognition thumbnails, sent to AWS, accessible via URL, no authentication required. Anyone with the link could see your face. Anker denied it. Then admitted it. Then called it "necessary for push notifications." A notification doesn't need your face. A notification needs text. They lied about the most fundamental promise they made — where your data lives — and got caught by one person with a network monitor.
critical
Military-grade encryption, they said. Researchers opened VLC, typed in a URL with the camera's serial number, and watched someone's living room. No password. No encryption. No authentication. Just a URL and a serial number. Anker denied it. Then admitted it "in some cases." Then quietly patched it. The camera serial number is printed on the box. Anyone who handled the package — the warehouse worker, the delivery driver, your neighbour — had what they needed to watch your feed. Military-grade encryption with a URL anyone can guess.
high
Anker's apology tour went like this. November: denied everything. December: admitted cloud uploads but called them necessary. January: admitted unencrypted streams. February: apologised and promised independent security audits. Then: silence. No public audit results. No published findings. The pattern is always the same — deny until caught, apologise when cornered, promise transparency, then hope everyone moves on. A security camera company that lied about encryption and cloud storage is asking you to trust their promise of future audits. The audits you can't see.