Picking a security & safety ecosystem

[NobleGamer]

I'm considering which security and potentially safety ecosystem is right for me, hence me posting here instead of "Photography and Videography".  I have searched these forums, but at first glance I haven't seen much recent discussion about the benefits & downsides of most of the different brands that I'm first considering.

 

I have had a bit of positive experience with Eufy products BUT I'm seeing what else is out there, as I don't like how they handled their prior debacle covered by LTT about some stuff being stored in the cloud, etc.  If some other brand has better products for my needs at a cost that isn't considerably higher than Eufy's ecosystem, then I'll certainly be open to them.

Devices types needed:

• Wired doorbell with 2 way voice comms
• Wired lighted/floodlight camera
• Battery camera

Other devices nice-to-have in same ecosystem:

• Water sensor
• Smart Thermostat (I may go with a separate brand)
• CO2/smoke detector (I may go with a dedicated safety brand here)

Features needed for all devicse:

• No monthly fees for these items:
• Mobile notifications
• Live or recorded-via-motion view
• Night vision
• Easy to view
• Some basic local storage (on-device or on-premises)
• 1080p resolution or higher
• Adjustable motion detection

 

Let me know whether you agree or disagree with my initial impressions of each brand:

• Lorex - Seems to have a mix of quality video devices, some with storage and others that need central storage, but they have no smoke or water detectors.
• Blink - Not sure if Amazon is any better with maintaining their hardware+software products that Google, but they have a cheap "sync" module allowing for <=256GB local storage via USB 2.0 drive for <=10 devices, though I wonder if it has to communicate directly with Blink devices instead of thru the wifi network given that the sync module supports Blink's proprietary 900 MHz band?
• Ring - Not sure, but they've been subject to many security exploits over time as the OG here, and evidently their motion detection may not be great
• Nest - Another product for Google to kill or provide bad support for?

What brands I'm likely writing off unless I'm wrong about their subscriptions:

• Arlo - Might be okay, but subscription required for definiting activity zones
• SimpliCam - I cannot simpli determine what does and does not require a monthly fee.
• Wyze - Subscription required to get notifications

 

Any brands I should consider?

 

Here's some other notes that may be relevant:

 

Nice to have:

• Activity/area exclusion zones
• Solar power option for non-wired cameras
• 1440p, especially for doorbell & driveway
• Schedule times to disable notifications, or motion sensor lighting (beyond disabling in daylight)
• Recording more than motion activity only: 24x7 is not required, but I'm open to this unless it is much more expensive

Considerations:

• No existing PPoE switches, and not planning to buy any
• Dual band wifi not necessary - 2.4 GHz only cameras have worked well in my experience with 1080p and 1440p
• I hope to avoid wiring any camera to ethernet, though I might need do that in the long term for a certain camera that I might want to put 100+ feet away from my home

[NobleGamer]

2 hours ago, Arika S said:

the safest and most secure ecosystem is no ecosystem. do everything yourself, do everything locally, don't rely on a singular compan

By DIY, I assume you mean get cameras that store to a NAS of my own? I get it that if I don't do this it's not the "safest & most secure". 

 

The closest I want to get to that full DIY now is getting cameras that store video on-device or locally (without managing the logistics of a NAS somehow hosting & serving video and sending mobile notifications). 

 

Then what is your opinion on the other brands I listed and how well they'd fit my needs?

 

5 hours ago, HomicidalPingu said:

All eufy did was put thumbnails onto a server for use in the app. That’s it. 

Let's say you are right. Do you think eufy is one of the better sets of security & safety products for my needs, or do you think there are other brands I should consider?

 

To clarify: I'm going to do all the research on reviews and such, but the reality is that sometimes there's info that doesn't come across in reviews - As I'm not aware of a site that does security & safety system reviews of security systems with the level of near scientific rigor that RTINGS does for many other consumer electronics. So I thought I'd ask LTT Forums since some people there might catch something that other sites dont cover - That's all.

[LAwLz]

11 hours ago, NobleGamer said:

Let's say you are right. Do you think eufy is one of the better sets of security & safety products for my needs, or do you think there are other brands I should consider?

Just some things to keep in mind. 

1) The researcher (Paul Moore) who discovered the Eufy stuff looked at several other products and did not find a single one that didn't do what Eufy did or worse. 

 

2) Eufy fixed am of the raised issues and did so in a very quick manner. 

 

3) There was a lot of misinformation surrounding the Eufy news and in my opinion a lot of people clearly didn't know what was going on, yet were very vocal about it. Hell, I don't even think most people knew what the issues (there were more than one) were and instead just heard "Eufy bad" and jumped on the bandwagon without doing any research for themselves. 

[seanondemand]

I’ll throw in my 2c

 

i’ve moved completely to Ubiquiti UniFi Protect - 1x G4 Doorbell, 3x G3 flex, 2x g4 instant, 1x g4 bullet and a Dream Machine Pro. Love the local HDD storage and their app is very responsive - motion zones, notifications, and smart detections too. HomeKit is my ecosystem of choice and scrypted pulls them in beautifully. I ran Ethernet to my attic and hooked the flex’s/bullet to my Poe switch that way (but you could always use injectors) which was a bit of a PIA but my house has aluminum siding and the old nest cams really struggled. The g4 instants are comically cheap 1440p wifi cameras, but not outdoor rated (works good as a baby monitor, though). Main thing you would be missing is battery/solar powered cams.

[SansVarnic]

My security system involves lead poisoning [if you get the reference].

[NobleGamer]

7 hours ago, seanondemand said:

i’ve moved completely to Ubiquiti UniFi Protect - 1x G4 Doorbell, 3x G3 flex, 2x g4 instant, 1x g4 bullet and a Dream Machine Pro. Love the local HDD storage and their app is very responsive - motion zones, notifications, and smart detections too. HomeKit is my ecosystem of choice and scrypted pulls them in beautifully. I ran Ethernet to my attic and hooked the flex’s/bullet to my Poe switch that way (but you could always use injectors) which was a bit of a PIA but my house has aluminum siding and the old nest cams really struggled. The g4 instants are comically cheap 1440p wifi cameras, but not outdoor rated (works good as a baby monitor, though). Main thing you would be missing is battery/solar powered cams.

Thank you for a response that didn't fixate on me mentioning eufy.

 

I got familiar with Ubiquiti (UI) when buying an Edgerouter-X, so I definitely respect their products if my positive experience with ER-X is any indication.  I would likely go with as many Ubiquiti products as I could for my network and possibly security if money were no object, but money matters a bit here.  So I don't expect to spend hundreds of dollars on a central hub/storage.

 

As for HomeKit, I don't have any Apple devices.  So that's out for me.  What I meant by ecosystem was really a manufacturer.  I don't really need a secondary home automation software/interconnect like HomeKit or IFFFT (sp?) to work with these devices - I just need something with notifications, does some basic recording, and lets me view live if I want to.

 

12 hours ago, LAwLz said:

Just some things to keep in mind. 

1) The researcher (Paul Moore) who discovered the Eufy stuff looked at several other products and did not find a single one that didn't do what Eufy did or worse. 

Are there other articles or tweets from Paul where he has called out security issues?  I wasn't able to find other stuff from him, but Twitter doesn't make it convenient to view & search someone's old tweets.  So what you are saying is that Paul has tested other camera-type products, and they all did what Eufy did, or they were worse?

 

12 hours ago, LAwLz said:

2) Eufy fixed am of the raised issues and did so in a very quick manner.  

My understanding is that they initially categorically denied all that Paul had revealed, and only after more information was released (by Paul) did they finally acknowledge something and make changes.  Is that not true?

 

Don't get me wrong - I want to give Eufy the benefit of the doubt, though even if I believe that Eufy resolved all the issues in a decent amount of time, I don't think that initial response was great.

[LAwLz]

26 minutes ago, NobleGamer said:

Are there other articles or tweets from Paul where he has called out security issues?  I wasn't able to find other stuff from him, but Twitter doesn't make it convenient to view & search someone's old tweets.  So what you are saying is that Paul has tested other camera-type products, and they all did what Eufy did, or they were worse?

Sadly, Paul is kind of a crazy person (not in a good way sadly, calls people who disagree with him paid shills, didn't want the covid vaccine, etc) and spends way too much rambling about stuff on his Twitter and it's hard to even understand what he means in some tweets (like this one, does he agree or disagree with the statement? Really hard to tell). 

 

But if you trust what he says (I don't really) then it doesn't seem like any brand (including Ubiquiti that was mentioned earlier in the thread).

On the 26th November, he said that he would look into Ubiquiti. Then a little while later, on the 5th December he said "Rapidly coming to the conclusion that there no #privacy preserving, #localOnly #doorbells on the market". Then a few weeks later on the 10th of December, he said "Thus far, it's safer to use a doorbell which tells you it's stored in the cloud - as the ones honestly enough to tell you generally use solid crypto."

Then on the 28th he said: "I'm yet to find one guys. Tried several brands so far, all of which claim offline storage and all are complete lies. I'm still working on it though; I need a replacement too".

And then on January 2, 2023 he said: "There are no wired/wireless #doorbells which are truly #localOnly under £200. Literally, not one. All store data in the cloud; from full video/images to basic metadata".

Although he never explicitly said Ubiquiti uploaded stuff I assume they are included in the several general statements where he says "everyone is bad".

 

 

1 hour ago, NobleGamer said:

My understanding is that they initially categorically denied all that Paul had revealed, and only after more information was released (by Paul) did they finally acknowledge something and make changes.  Is that not true?

I don't think they ever denied everything. The only thing I can find is that they denied that it was possible to watch the video stream through VLC, which is half true and half a lie. That was not one of the things Paul found though, it was found by Spicy Wasabi on the 25th november, and it really wasn't as bad as it sounded.

 

1) It only worked on their HomeBase station version 1 and 2, not 3.

2) It wasn't just like anyone could bring up a stream, they would need to know quite a lot of details about your specific setup to even be able to attempt to view the stream. in order to view the stream, you need to know these things:

*Which datacenter the camera was connected to at the time.

*The full serial number of the device you wanted to look through.

*A 4 character long hex code.

 

There was also an authentication code involved but it seems like it wasn't being used (bug maybe?) to validate the stream. This was however fixed very quickly after it was discovered (it was confirmed fixed the 12th December, so at most 14 days later). After that, the stream was secure.

 

It was also not possible to view the stream unless someone triggered the camera, which was something the security researcher had trouble doing even with his own device. Since the camera didn't even respond unless it was recording, someone doing a brute-force attack against cameras probably had like a 99,9% chance of getting a false negative even if they were scanning your specific camera with exactly the right details (which by itself was less than 1/65 000, and that assumes they already new which data center you happened to be connected to and the serial number of your device).

 

Don't get me wrong, Eufy did mess up some things in regard to their security implementation, but this was one of those things that were easy to do if you already had all the information at hand, and very hard to do if you didn't, and it was fixed very quickly. I think that deserves a lot of credit.

If you want an analogy, it's basically like saying a lock is bad because someone can make a copy of your key. Making a copy of your key is only easy if the person already has your key. Same deal here. The attack is easy if the attacker already has all the necessary information, but getting that information is in and of itself pretty damn hard to get.

 

 

Anyway, I don't think Eufy denied anything else. I guess you could technically say they lied in their marketing material about it being "fully offline", but at the same time, it is important to understand exactly what was being uploaded, where, how and when.

In the case of Eufy, they were uploading a thumbnail image that was used for push notifications if the push notification feature was turned on. They only uploaded it when necessary, when the feature was turned on (their change was to display a warning when turning the feature on) and it seems like they did delete it when it was no longer needed. There is a big difference between "they are uploading video footage so they can spy on you" and "they sent you and image you requested every once in a while, and said the image was temporarily saved on their servers if your phone wasn't able to get the image at the time". I think a lot of people assumed the former when what was actually happening was the latter. It doesn't help that Paul Moore makes no distinction between the two and just views things as either "it uploads data" or "it doesn't upload data". I mean, even in his own tweets when he makes generalized statements he talks about uploading images, videos and metadata as being equal, which it absolutely isn't. 

[NobleGamer]

8 hours ago, LAwLz said:

Don't get me wrong, Eufy did mess up some things in regard to their security implementation, but this was one of those things that were easy to do if you already had all the information at hand, and very hard to do if you didn't, and it was fixed very quickly. I think that deserves a lot of credit.

If you want an analogy, it's basically like saying a lock is bad because someone can make a copy of your key. Making a copy of your key is only easy if the person already has your key. Same deal here. The attack is easy if the attacker already has all the necessary information, but getting that information is in and of itself pretty damn hard to get.

...

Anyway, I don't think Eufy denied anything else. I guess you could technically say they lied in their marketing material about it being "fully offline", but at the same time, it is important to understand exactly what was being uploaded, where, how and when.

In the case of Eufy, they were uploading a thumbnail image that was used for push notifications if the push notification feature was turned on. They only uploaded it when necessary, when the feature was turned on (their change was to display a warning when turning the feature on) and it seems like they did delete it when it was no longer needed. There is a big difference between "they are uploading video footage so they can spy on you" and "they sent you and image you requested every once in a while, and said the image was temporarily saved on their servers if your phone wasn't able to get the image at the time". I think a lot of people assumed the former when what was actually happening was the latter. It doesn't help that Paul Moore makes no distinction between the two and just views things as either "it uploads data" or "it doesn't upload data". I mean, even in his own tweets when he makes generalized statements he talks about uploading images, videos and metadata as being equal, which it absolutely isn't. 

I think this is a good summary, and it seems even Paul acknowledges that there's no such thing as local storage only at a reasonable price point.

 

So if I take all this at face value and believe that eufy was justified in their response (whatever it did or didn't say), then I suppose I have no frame of reference for the other brand's products to know whether any of them have the potential to better meet my needs or not.