In late November,security expertsfound that eufy camera footage can be streamed through VLC—no authentication required. This is an awful vulnerability, especially for a camera brand that supposedly keeps everything off the cloud. Now, instead of facing this mess head-on, eufy is deleting some of its old promises.
As reported by The Verge’s Sean Hollister, eufy deletedat least 10 promisesfrom its “Privacy Commitment” page. This deletion happened sometime between December 8th and December 15th, as indicated byan archived versionof the commitment page.
Here are five promises that were deleted from eufy’s website:
These now-deleted promises explain the benefits of local encrypted storage. And, of course, they mainly center around privacy—your data doesn’t leave your home, nobody else can see it, and so on.
Related:Why Review Geek Can’t Recommend Wyze or eufy Cameras Anymore
Of course, none of these promises turned out to be true. you may stream unencrypted video from an eufy camera if you obtain its serial number, UNIX timestamp, and hex key. The process requires a lot of technical know-how, but nonetheless, it’s a critical vulnerability that could harm customers.
And we still have no idea what eufy thinks about this situation. Public statements from eufy and its parent company, Anker, either ignore or deny that the vulnerability exists. All we know is that, behind the scenes, eufy is quietly scrubbing these ironic promises from its website.
As we stated on December 2nd, eufy’s response to this vulnerability iscompletely unacceptable. The company should have admitted its mistake and provided some transparency for customers. Instead, it’s spent the last 15 days throwing a temper tantrum.
We’ve reached out to eufy for comment on this story. To be clear, we no longer recommend buying eufy cameras—not because of the vulnerability, but because of eufy’s alarming response. Old Review Geek articles that mention eufy cameras have been edited to reflect our stance.
