Eufy security camera owners able to watch live feeds of strangers thanks to bug

Log out and in again, the company advises

In an apparent security glitch, several users of Anker's Eufy home security cameras reported on Monday that they were able to access live camera feeds, saved videos and even account details of users whom they had never met.

The issue, first reported by 9to5Mac, came to light after many users from around the world complained on Reddit and Twitter that their Eufy app had suddenly started giving them access to random accounts, enabling them to watch live feeds of complete strangers, instead of their own camera feeds.

Users claimed that they were also able to access stranger's admin settings as well as cloud storage.

"I checked my app today (from New Zealand) and noticed none of the videos were of my own," Reddit user MeChum87 said.

"I can also see their contact details ... I have 3 little children, I am very worried that others are looking at my cameras too."

One of 9to5Mac' s writers, who independently verified the issue, said that he could "see all details, recordings, live (edited)" and that "it was like I was logged in as the person."

While most of the earliest complaints came from Australia and New Zealand, many users in the United States later confirmed that they also experienced similar problems.

In a post on Twitter, Eufy acknowledged the issue, blaming a software bug during a server upgrade. The company said that the bug occurred during the server upgrade at 4:50 AM EST on Monday and was fixed in less than two hours.

"Our engineering team recognised this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST," the firm said.

https://twitter.com/EufyOfficial/status/1394319675450920962?ref\\_src=twsrc%5Etfw

Eufy spokesman Bryan Saxton told 9to5Mac that the issue affected only a "limited number" of users from Australia, New Zealand, the US, Mexico, Cuba, Brazil and Argentina, and that European users were not affected.

According to Saxton, the bug had no impact on Eufy baby monitors, alarm systems, smart locks or pet care products.

The firm advised all EufyCam users to unplug their devices, reconnect them, and then (in time-honoured fashion) "log out of the Eufy security app and log in again."

"We realise that as a security company we didn't do good enough," Paxton said.

"We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again."

Security breaches involving security cameras are not rare. In March, an international hacker collective claimed that they were able to break into Verkada, a surveillance and facial recognition startup, gaining access to live feeds of around 150,000 cameras installed at banks, hospitals, jails, and various other sites across the world.

Bloomberg reported that the attackers were able to access video feeds from leading firms such as Tesla, Cloudflare and Equinox. The victims also included a hospital in Florida, a jail in Alabama, Sandy Hook School in Connecticut, shopping malls, pubs and bars, museums, credit unions, pharmaceutical firms, multiple universities across the US and Canada, marketing agencies, churches - and Verkada's own offices, according to media reports.