So, I’m already returning my Eufy Homebase 3 for previously stated reasons. But something startling happened today before I managed to submit the return request.
Eufy kept my support case open. And they responded with an asinine response. But a comment caught my attention.
Unfortunately, we regret to inform you that we are unable to retrieve any logs or data analysis as there is currently no Homebase 3 associated with your account.
The support agent tried to identify a Homebase 3 on my account to access the logs and the data on it. I was not aware of this going on. That comment was the first indication that this was occuring.
But it probably wasn’t the first time support did this.
When the first email came from support after the chat, they included a link to TP-Link documentation with instructions on how to disable AP Isolation, assuming my issue was with AP Isolation despite the fact I told them it wasn’t enabled. I thought it was weird that they gave me TP-Link documentation, though they sent me documentation covering consumer products, not Omada. I thought maybe I mentioned it in the chat and shrugged it off.
But after reading they could no longer access it, I looked back at the chat. I never mentioned TP-Link prior to that.
So it looks like they used the Homebase 3 to discover devices on my network and figure out what my access point was in order to send what they thought would be the correct documentation.
There was not, at any time, in any communication, a point where they mentioned they would be accessing my devices nor anything on my network.
I’d have to go digging through the agreements, but I suspect there’s something in there that would prevent this from being a violation of the CFAA’s unauthorized access provisions. But holy shit this is a problem.
Okay, it’s a Eufy Security device connected to a Eufy Security services account, so of course Eufy Security has access to it. But there’s a major difference between device connected to services, and a person actually accessing the device to retrieve data. What data are they retrieving? What do they have access to? What capabilities are they activating? Can this be exploited by threat actors? Are there threat actors within Eufy that might want to exploit this?
The mere fact they were able to identify non-Eufy devices and take actions based on that is where this crosses the line.
And there’s no transparency on any of this.
It’s a good thing I decided this was not going to work for me. I’m not willing to have this trojan horse in my network.
I’ve already gotten my cameras pointed back at Frigate for now. But this convinces me that I really need to go ahead and get rid of these things.
The saved video and whatnot is supposed to be encrypted. It’s worth noting that Eufy has control over those keys.