Playing Live Videos successful Third-Party Media Players

Today, determination are 2 superior ways to presumption unrecorded streams of eufy Security cameras. One is to usage the eufy Security App, and the different is to usage our unafraid Web portal at eufy.com. 

Previously, aft logging into our unafraid Web portal at eufy.com, a registered idiosyncratic could participate debug mode, usage the Web browser’s DevTool to find the unrecorded stream, and past play oregon stock that nexus with idiosyncratic other to play extracurricular of our unafraid system. However, that would person been the user’s prime to stock that link, and they would person needed to archetypal log into the eufy Web portal to get this link.

Today, based connected manufacture feedback and retired of an abundance of caution, the eufy Security Web portal present prohibits users from entering debug mode, and the codification has been hardened and obfuscated. In addition, the video watercourse contented is encrypted, which means that these video streams tin nary longer beryllium played connected third-party media players specified arsenic VLC.

I should note, however, that lone 0.1 percent of our existent regular users usage the unafraid Web portal diagnostic at eufy.com. Most of our users usage the eufy Security app to presumption unrecorded streams. Either way, the erstwhile plan of our Web portal had immoderate issues, which person since been resolved. 

Concerning the PR typical who answered your question astir utilizing VLC, they conflated the question. This was a known issue, easy replicated and had been reported by the media. However, they thought you were asking if people other than the registered idiosyncratic could observe links connected their ain and past presumption them done a third-party media subordinate similar VLC. The dynamic naming normal of the video links was besides addressed successful the media coverage, truthful I tin spot however this whitethorn person confused them. But it was not the authoritative reply from our merchandise teams. The existent reply to this question has been addressed above. 

Video End-to-End Encryption

Today, each videos (live and recorded) shared betwixt the user’s instrumentality to the eufy Security Web portal oregon the eufy Security App utilize end-to-end encryption, which is implemented utilizing AES and RSA algorithms.

Additionally, erstwhile a idiosyncratic uses the eufy Security App to entree videos from their devices, the transportation betwixt the eufy Security App and the user’s instrumentality is end-to-end encrypted done a unafraid P2P service. 

Homebase3 and eufyCam3/3C devices released successful October 2022 usage WebRTC for end-to-end encrypted connection erstwhile utilizing the Web portal to entree unrecorded streams successful a browser. And we are rolling retired WebRTC to ALL eufy Security devices close now.

I should besides enactment if a idiosyncratic selects to use eufy Security’s optional unreality retention add-on, this cognition is end-to-end encrypted. In addition, attraction of our unreality server complies with the requirements of ISO27701 and ISO27001 standards. We are besides audited by outer third-party regulators each year. 

Consumer Privacy

When utilizing section storage, eufy Security cannot access our users’ video recordings. All video information is encrypted and stored connected the instrumentality itself and tin lone beryllium accessed oregon shared by the user.  Furthermore, eufy Security has nary entree to the user’s biometric details specified arsenic fingerprints oregon facial designation information created by the users’ section devices. All these processes are besides done and stored locally.

User Image Added To The Cloud

Previously, we had 1 device, the Video Doorbell Dual, that sent and stored an representation of the idiosyncratic to our unafraid cloud. There is simply a batch of speculation and misinformation connected this, truthful fto maine explicate however this seemingly incongruent process came about. 

First, the intent of sending a idiosyncratic representation from the eufy App to our devices is to springiness the section facial designation bundle a baseline to tally its algorithm. All facial designation processes are and person ever been done locally connected the user’s device. In the lawsuit of our Video Doorbell Dual, a transcript of that set-up representation was stored utilizing end-to-end encryption connected our unafraid cloud. The crushed for this, was successful lawsuit the idiosyncratic decided to regenerate the Video Doorbell Dual oregon adhd an further Video Doorbell Dual to their eufy Security system, the strategy would propulsion the existing representation from the unreality during setup, alternatively than making the idiosyncratic instrumentality a caller image. 

Again, this process was not successful enactment with our “local” ngo and has been removed. Today, similar each different devices successful the eufy Security lineup, our Video Doorbell Dual relies connected local-only retention of idiosyncratic images and video data. Not the cloud.

It’s important to note, that nary idiosyncratic oregon facial designation information has ever been included with the images that were sent to the cloud.

Since the precise beginning, eufy Security was designed to let users to watercourse unrecorded and recorded footage from their devices to their eufy Security mobile app. These streams person ever utilized end-to-end encryption. And that encryption has ever been done locally either straight connected the camera oregon connected a eufy HomeBase device.

The eufy Web portal was created for users to negociate their relationship details and adhd optional services specified arsenic work plans and unreality storage. After receiving requests from immoderate users, the merchandise squad decided to adhd a unrecorded presumption relation to the Web portal truthful users could widen their information monitoring to their desktops. The Web portal was designed to necessitate the idiosyncratic to login, but it was not designed utilizing end-to-end encryption. 

Today, little than 0.1 percent of our progressive users utilize the unrecorded streaming diagnostic connected the Web portal; however, it is precise wide to each of america that encryption protocols should person been designed into this solution from the precise beginning. This has been addressed, and contiguous each the unrecorded streams from the user’s devices to the Web portal present usage end-to-end encryption.

Furthermore, each devices volition present usage WebRTC to bring end-to-end encrypted connection erstwhile utilizing the Web portal to entree unrecorded streams successful a browser. This is already disposable connected our caller HomeBase 3 and eufyCam 3 series. We began rolling retired firmware updates to each different devices past week.

With the caller issues, determination has been a batch of interior discussions connected however our teams make and motorboat caller features. Several caller protocols and procedures person been enactment successful spot to marque definite that each information flowing from the user’s devices to the eufy Security App oregon Web portal indispensable utilize end-to-end encryption. 

First, video triggered by the information system’s mean processes (motion, idiosyncratic ringing the doorbell, etc.), is ever recorded, stored, and encrypted locally. 

Live video is not recorded. Therefore, the point-to-point encryption process lone happens erstwhile the eufy Security strategy receives a petition from the idiosyncratic to statesman unrecorded streaming.

The P2P process past begins, waking up the camera, encoding the unrecorded video successful real-time utilizing a dynamic key, and past decoding that video connected the different broadside utilizing a dynamic key.

The eufy Security app supports some unrecorded and recorded video streaming and has ever utilized P2P encryption. This is utilized by 99.9 percent of our users and is the superior method to presumption unrecorded and recorded videos.

But point-to-point encryption requires processes to beryllium acceptable up connected some ends, and the P2P processes and requirements are precise antithetic for the eufy instrumentality to the eufy Mobile app than the eufy instrumentality to the eufy Web portal (browser),

That said, the Web portal antecedently was not designed to enactment P2P encryption for viewing unrecorded streams. This was protected done a idiosyncratic login to the Web portal.

This wasn’t enough, and it’s been fixed.

Furthermore, we are besides upgrading the Web portal unrecorded encryption process to WebRTC. This is presently being pushed to all devices arsenic an OTA firmware update.

No. All our video streams are encrypted with a dynamic cardinal alternatively of a fixed key. The “ZXSecurity17Cam@” was a mounting parameter for processing and investigating successful a precise aged bundle version, which was abandoned years ago. We person removed this codification to alleviate immoderate misunderstanding.

No. The lone mode to negociate section instrumentality features specified arsenic locking and unlocking a door, turning connected floodlights, etc, is done the user’s eufy Security app.

When a idiosyncratic accesses a unrecorded watercourse from 1 of their cameras, this video footage isn’t being recorded. It is simply being unrecorded streamed straight from the user’s instrumentality to their eufy Security App oregon to eufy’s unafraid Web portal. Today, this is each done utilizing end-to-end encryption.

Additionally, every eufy Security camera records, stores, and encrypts videos locally – either straight connected the camera oregon connected a HomeBase device. This has ever been the lawsuit since our archetypal eufyCam was launched.

We usage a patented, third-party P2P technology, heavy optimized for eufy Security’s products.

No. Outside of the caller contented with the Web portal, which has been addressed, each our video streaming processes (both unrecorded and recorded) are designed to usage end-to-end encryption.

I americium not definite I recognize this question. But arsenic noted supra ALL cameras erstwhile sending unrecorded oregon recorded video feeds to either the eufy Security app or eufy Web portal usage end-to-end encryption.

Answered above. Outside of the caller contented with the Web portal, which has been addressed, each our video streaming processes (both unrecorded and recorded) are designed to usage end-to-end encryption. 

eufy Security devices bash not stock videos, idiosyncratic images oregon biometric details (fingerprints, facial designation details) with the cloud. All of this is processed, stored, and encrypted locally connected the user’s device. 

There are respective mean processes that necessitate the usage of the unreality specified arsenic relationship setup, propulsion notifications, archetypal instrumentality setup, instrumentality OTA, etc. We volition beryllium launching a microsite soon with infographics to amended explicate each our cardinal processes - and which are done locally, and which necessitate the usage of the cloud.

eufy Security has nary entree to the user’s unrecorded streams oregon recorded videos.

eufy doesn’t person entree to the user’s unrecorded video streams oregon locally stored videos. It would beryllium up to the idiosyncratic to stock these details with instrumentality enforcement officials. 

eufy Security’s ngo is to protect, not conscionable our customer’s property, but besides their privacy. And we judge the champion mode to support our customers ‘ privateness is to marque definite these details are kept successful their possession and successful their control.

First, determination person been nary information leaks, nor did we interruption GDPR oregon different information extortion laws.

However, information is an ever-evolving field, and we privation to guarantee that we bash everything successful our powerfulness to support our consumers’ privacy. To that end, we are actively moving connected respective antithetic strategies:

In summation to what we already person successful place, we volition beryllium bringing connected respective caller information consulting, certification, and penetration investigating companies soon to behaviour a broad information hazard appraisal of our products and destruct imaginable risks.

We are besides successful discussions with a starring and well-known information adept truthful that they tin nutrient an autarkic study astir our existent information and privateness systems and practices.

We are mounting up a “eufy Security bounty program” to make a amended and much collaborative strategy for information researchers to assistance america observe immoderate vulnerabilities successful our eufy Security system. 

We person officially engaged PWC and TrustARC to behaviour a broad information appraisal of our products. This is exciting, and we volition supply much details connected this erstwhile they go available.

Lastly, astatine the opening of adjacent month, we volition motorboat a microsite to amended explicate however our processes work, to supply clearer explanations connected which are done locally, and which presently necessitate the usage of our unafraid cloud.

We committedness to supply much timely updates successful our assemblage (and to the media!) to support consumers amended informed connected immoderate updates to these strategies.

We are inactive successful negotiations and volition supply these details very soon.

We are inactive successful chats with respective extracurricular vendors and volition supply details soon. This is simply a large precedence for america arsenic we privation to make a much ceremonial process to promote manufacture feedback and collaboration.

We grip each our lawsuit work in-house, and those teams are good trained to attack each contented connected a case-by-case basis. Obviously, we volition bash immoderate is successful our powerfulness to marque things close and support our customers happy.

In my opinion, I judge we’ve begun to acknowledge the issues and promised to bash better. However, an apology should travel with more details connected what happened and the corrective steps we’ve done to marque definite this doesn’t hap again.

Over the past respective weeks, the team has been moving to hole issues, amended our interior processes and bring successful much autarkic oversight.

We volition beryllium issuing an update to the our users successful aboriginal February, to sermon galore of the things we’ve touched connected successful this email exchange; supply immoderate updates connected the different larger standard initiatives we volition beryllium doing; and besides motorboat our caller micro-site to amended explicate which processes are done locally, and which are done successful the cloud. 

At that time, and with each this details laid retired much transparently, we tin supply a much thoughtful apology. And an apology that is amended backed up by a existent plan.

Regarding our privateness policy, portion we were moving to re-write this a fewer weeks agone and beryllium clearer astir which processes utilized the unreality and which did not, idiosyncratic jumped the weapon and pushed a redacted version. I tin guarantee you this wasn’t done for immoderate nefarious reasons, but simply a bid of unfortunate events that yet compounded our full connection processes.