Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted - Ars Technica

When security researchers found that Eufy's supposedly cloud-free cameras were uploading thumbnails with facial data to cloud servers, Eufy's response was that it was a misunderstanding, a failure to disclose an aspect of its mobile notification system to customers.

Eufy didn't respond to other claims from security researcher Paul Moore and others, including that one could stream the feed from a Eufy camera in VLC Media Player, if you had the right URL.

Last night, The Verge, working with the security researcher "wasabi" who first tweeted the problem, confirmed it could access Eufy camera streams, encryption-free, through a Eufy server URL.

This makes Eufy's privacy promises of footage that "never leaves the safety of your home," is end-to-end encrypted, and only sent "straight to your phone" highly misleading, if not outright dubious.

"Typically," that is, because the camera-feed URL appears to be a relatively simple scheme involving the camera serial number in Base64, a Unix timestamp, a token that The Verge says is not validated by Eufy's servers, and a four-digit hex value.

Researcher Paul Moore, who initially raised concerns with Eufy's cloud access, tweeted on November 28 that he had "a lengthy discussion with [Eufy's] legal department" and would not comment further until he could provide an update.

You might give Eufy the benefit of the doubt, that the cloud servers you can access with the right URL are simply a waypoint for streams that have to leave the home network eventually under an account password lock.