The Star Bulletin - Daily News Updates

How to Buy a Security Camera You Can Trust

Own a Eufy security camera or video doorbell? The recent news exposing serious security flaws from the Anker-owned brand may have caused you some anxiety. I have been testing and reviewing security cameras for several years now. Revelations about data breaches and vulnerabilities are a regular occurrence. Arlo, Nest, Ring, Wyze—every major manufacturer you can think of has had its share of scandals. But it can be challenging to look beyond hyperbolic headlines, weigh the seriousness of each issue, and figure out whether you need to worry.

Security cameras and video doorbells have grown popular as an easy and affordable way to keep an eye on your home. Around 28 percent of Americans protect their property with security cameras, according to a Safewise survey. The systems are easy to install and promise protection from burglars and porch pirates. (Whether they actually make you safer is a question for another day.) To get a better sense of what security camera system you should invest in, how to deal with breaches, and how to find a company you can trust, we spoke to a few experts. We also took a closer look at how Eufy handled its security woes. 

Where Eufy Went Wrong

Late last year, security researcher Paul Moore demonstrated that camera systems sold with the promise of local data storage were, in fact, uploading images to the cloud. Worse yet, it was possible to stream video from a Eufy camera without encryption. When we first asked about these issues, the company issued a strong denial, saying it “adamantly disagrees with the accusations.” A couple of months later, Eufy admitted that most of the allegations were true.

A spokesperson explained to WIRED in an email that Eufy only uploaded images (video thumbnails) to deliver push notifications to customers, and in one other case for its Video Doorbell Dual, where it uploaded a face image of the user (for face recognition) to make it easier to set up multiple doorbell devices without having to upload a new image. Eufy has updated the language around its cloud use to address the first issue and removed the upload requirement for the second.

More serious was the issue of accessible unencrypted live streams outside the Eufy system. Eufy claims this required users to log in to the web portal, enter debug mode, and share a link. It’s unlikely anyone would have stumbled upon these links, but the possibility of unencrypted camera streams is a natural cause for concern. Eufy has now applied peer-to-peer encryption to its web portal (mobile app streams were always encrypted). The company flatly denies using any fixed encryption keys, insisting 

Eufy’s failings feel especially egregious because the company generally ticks all the right boxes. Its cameras and doorbells strike the balance between quality and affordability. Anker is a respected brand in the accessory space. And Eufy offers support for two-factor authentication, although not by default, and promises completely local storage and on-device processing for features like facial recognition.

Understand the Risks When Shopping

Despite an abundance of security camera manufacturers, pristine reputations are rare, so how do you choose wisely? “You want to go with a brand name,” says Deral Heiland, principal security researcher for the Internet of Things at Rapid7. “One you’ve heard of, because these companies have to protect their branding.”

Big brands come under greater scrutiny. They are targets for security researchers and amateur tinkerers. And they know that bad press will hurt their business. Since regulation is negligible, many no-name or little-known brands sell untested security cameras that may harbor multiple vulnerabilities. When they run into issues, they disappear or change the brand name.

Two-factor authentication (2FA) is also vital, Heiland says. It prevents anyone who has managed to get your login details from accessing your camera. With 2FA, you need the login details and a fingerprint, facial scan, or automatically generated one-time use code from an authenticator app, text message, or email. WIRED doesn’t recommend any security cameras that don’t at least offer 2FA as an option, but we’d like to see it become the default industrywide.

When you install a security camera, it’s worth thinking about what the most compromising or embarrassing thing the camera—outside or inside your house—can see. You need to understand that no internet-connected device is 100 percent safe. 

There is always a risk someone is going to gain access to the camera—“be it hackers plugging data-breached passwords in to see if people are reusing them or police who often go to companies, even without warrants, in hopes of getting footage from people’s devices without their knowledge,” says Matthew Guariglia, a policy analyst for the Electronic Frontier Foundation.

After every security camera scandal, you might see some folks argue that they don’t care who sees footage of their front door or backyard. It’s true that there is little value in many of these video streams, which makes them an unlikely target. But Guariglia says security cameras usually have powerful microphones and often pick up more than we think.

Then there’s the issue of other people’s privacy, whether it’s neighbors, window cleaners, or passersby. Security camera footage is frequently shared online without the knowledge of the people who appear in it. Most cameras offer privacy zones so you can confine recordings to your property, and you should consider placement carefully when you install cameras. 

You should also do some research before you buy. Guariglia suggests asking questions like, “What would it take for police to get footage from the company? Where is your data going to be stored? Does this company have a history of data breaches or bad cybersecurity?” Unfortunately, answers aren’t always easy to find. Apple, Arlo, Eufy, and Wyze state that they won’t share footage without a warrant or court order. Ring, however, has a close relationship with police departments, and Google may share Nest footage in emergency situations where there is a threat to life.

With a local storage system, you can potentially avoid uploading video to a company server and take it out of the manufacturer’s hands. Look for end-to-end encryption (preferably as a default). You can opt for a local system with no internet connection, but you would only be able to review video when you’re home. If you have the technical know-how to hook up internet-protocol cameras and DVRs without cloud services and connect via a Virtual Private Network (VPN) service, Heiland says that’s another potentially secure route. 

Perhaps counterintuitively, it might not be a red flag if your chosen camera brand has had problems in the past, provided the company has fixed them. “It’s better if there have been vulnerabilities reported on a camera because it gives us the ability to take a look at how a company deals with them,” Heiland says. “I’d rather go with a company that’s had multiple vulnerabilities in its cameras and shows a track record of fixing them quickly than a company that’s had no vulnerabilities. Because there’s no such thing as no vulnerabilities.”

By Patsy S. Nielsen
