New York Attorney General Letitia James has reached a settlement with three companies distributing eufy home security video cameras, securing $450,000 for failing to protect consumers' private home security videos. The companies involved are Fantasia Trading LLC, Power Mobile Life LLC, and Smart Innovation, LLC. An investigation by the Office of the Attorney General (OAG) revealed that video streams from these cameras were not always securely encrypted, allowing access to anyone with the relevant link without needing authentication.
Attorney General James emphasized the importance of data security in her statement: “New Yorkers buy home security cameras to protect themselves and their homes,” she said. “The eufy cameras’ poor data security allowed anyone to access people’s security camera footage, defeating the purpose of having a home security system. Today my office is taking steps to ensure eufy cameras’ developers improve their data security so that New Yorkers' home security footage is private and protected.”
The issue came to light in November 2022 when a security researcher publicly questioned the marketing claims about the eufy products’ security and “end-to-end encryption” of data. The OAG's investigation focused on internet-enabled video cameras, video doorbells, and video locks under the eufy brand distributed by the aforementioned companies.
Findings from the investigation indicated that some videos transmitted over the internet from these products lacked end-to-end encryption. Furthermore, an active video stream could be accessed without authentication if one had the correct URL—a URL that might be deduced without being obtained directly from a user. These vulnerabilities were not previously identified due to inadequate processes for testing safeguards or identifying risks to consumer privacy.
As part of this settlement, Fantasia Trading LLC, Power Mobile Life LLC, and Smart Innovation will pay $450,000 in penalties and costs while also committing to enhancing protections for consumers' private videos. The agreement mandates regular verification that developers maintain a comprehensive information security program; use secure software development processes; maintain a vulnerability management program including regular penetration testing; and implement appropriate encryption processes.
This action aligns with Attorney General James' ongoing efforts to safeguard New Yorkers' personal information and hold companies accountable for poor data protection practices. In recent months, similar settlements have been reached with various organizations over lapses in data security protocols.
The matter was handled by Assistant Attorney General Nathaniel Kosslyn, Senior Enforcement Counsel Jordan Adler, Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology under Bureau Chief Kim Berger's supervision within the Division for Economic Justice led by Chief Deputy Attorney General Chris D’Angelo.