Privacy & Cybersecurity Law Blog

New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products. The settlement follows findings that, in some cases, video streams from eufy cameras were transmitted without end-to-end encryption and active video feeds could be accessed without authentication by individuals with the corresponding URL.

The Office of the Attorney General (OAG) initiated the investigation after a November 2022 disclosure by a security researcher raised concerns about the accuracy of eufy’s marketing claims regarding its security and encryption measures. The researcher’s findings suggested that eufy’s Internet-connected security cameras, video doorbells and smart locks did not fully encrypt video data in transit, despite company assurances that consumer footage would remain private and secure.

The OAG’s investigation confirmed that, in certain circumstances:

• video data was not protected by end-to-end encryption, leaving portions of the transmission unencrypted;
• active video streams could be accessed without authentication if an individual had the correct URL;
• some URLs could be determined without directly obtaining them from a user, increasing the risk of unauthorized access; and
• the companies had not implemented sufficient security testing procedures, leading to undetected vulnerabilities.

Under the terms of the settlement, the companies must implement enhanced security measures including:

• developing and maintaining a comprehensive information security program to protect consumer data;
• implementing secure software development practices, including third-party security testing;
• maintaining a vulnerability management program with regular penetration testing; and
• enhancing encryption protocols for video storage and transmission.

This resolution highlights the importance of robust security measures for Internet-connected devices that store and transmit sensitive consumer data. Companies offering such products must ensure that their security practices align with industry standards and that their marketing claims accurately reflect their security capabilities.