Intro

I recently purchased some external Eufy cameras to monitor the outside of my house. I got both the Eufy Security Floodlight Pro 2K and Floodlight Camera 2K HD models. I went with Eufy, since I already have some cameras for the indoor areas and had a pretty good experience with them.

Unfortunately the external cameras have some unfortunate features. I am not sure who is running product over at Eufy, but they must have rocks in their head.

In this post, I will outline how to get them working and the things that make the cameras a huge failure compared to the indoor models.

Storage

The first thing that is really piss poor is that these devices do not connect or record to the home base like the indoor cameras. They have a small amount of non-upgradable onboard storage. 0/10

Management

Because these devices do not connect to the home base, they are managed individually in the app. That means you need to upgrade the firmware separately and you cannot set them to away all at once. You need to do them all individually. Mega UX miss 0/10

Firewall Rules

Perhaps the worst thing about these devices is they require connectivity to Google DNS servers 8.8.8.8 and 8.8.4.4 as well as unknown/undocumented NTP servers before they can record. If you block access to Google DNS and unknown NTP servers in your network like I do, then you are shit out of luck. IMO this is a pretty dangerous design decision. If you lose access to these services, the cameras simply WILL NOT RECORD. 0/10.

I raised a case with Eufy to ask why the cameras do not take the DNS/NTP settings from DHCP. They confirmed (after 5 or 6 emails persisting for the information) that they are hard-coded in the firmware and must be accessible to work. They confirmed the Google DNS IPs but they would not confirm the NTP pools that they use.

The most they would give me is "TCP ports 80 and 443 and UDP 0~65535. As well as google DNS."

LORD HAVE MERCY!

From my firewall logs, I can see the following ports/protocols are in use. It looks like the IPs all belong to Amazon, so the infra is likely hosted in AWS, so it is not easy to pinpoint a range of IPs.

| Protocol | Port | Destination |
|----------|------|-------------|
| TCP | 80 | ANY |
| TCP | 443 | ANY |
| ICMP | NA | 8.8.8.8, 8.8.4.4 |
| UDP | 53 | 8.8.8.8, 8.8.4.4 |
| UDP | 123 | ANY |
| UDP | 1024 - 65535 | ANY |

This post narrowed down the UDP high port range to something sane. But I found that port numbers all over the high port number range are used. Le-Sigh.

Workaround

To get around these limitations I create a dedicated internet of shit security zone and network for the Eufy cameras. I permit the above rules outbound and keep them well away from the rest of my network.
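An added example, not from the original post or from Eufy: a small Python audit that encodes the table of observed traffic as an outbound allowlist for the camera zone and flags any logged flow outside it. The `PROTO DST [DPORT]` log format, the RFC 1918 definition of "the rest of the network" and the sample flows are assumptions made for illustration.

```python
import ipaddress

GOOGLE_DNS = {ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4")}

# Assumption: the "rest of the network" is RFC 1918 space; adjust to your LAN.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (protocol, low port, high port, allowed destinations; None = ANY), from the post's table.
RULES = [
    ("tcp", 80, 80, None),
    ("tcp", 443, 443, None),
    ("icmp", None, None, GOOGLE_DNS),
    ("udp", 53, 53, GOOGLE_DNS),
    ("udp", 123, 123, None),
    ("udp", 1024, 65535, None),
]

def verdict(proto, dst, dport=None):
    """Return 'allow' or 'deny:<reason>' for one outbound flow from the camera zone."""
    addr = ipaddress.ip_address(dst)
    # Zone isolation wins over every ANY rule: cameras never reach internal hosts.
    if any(addr in net for net in INTERNAL):
        return "deny:internal-destination"
    for r_proto, lo, hi, dests in RULES:
        if proto.lower() != r_proto:
            continue
        if lo is not None and (dport is None or not lo <= dport <= hi):
            continue
        if dests is not None and addr not in dests:
            continue
        return "allow"
    return "deny:not-in-allowlist"

def audit(log_lines):
    """Parse 'PROTO DST [DPORT]' lines and return (line, verdict) for denied flows."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        dport = int(parts[2]) if len(parts) > 2 else None
        result = verdict(parts[0], parts[1], dport)
        if result != "allow":
            findings.append((line, result))
    return findings

# Constructed sample flows (documentation addresses), not taken from the post.
SAMPLE_LOG = ["TCP 203.0.113.10 443", "UDP 8.8.8.8 53", "UDP 1.1.1.1 53",
              "ICMP 8.8.4.4", "UDP 198.51.100.7 32100", "TCP 192.168.1.20 443"]
```

Running `audit(SAMPLE_LOG)` returns only the DNS query to a non-Google resolver and the attempt to reach an internal host.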

Outro

For a so-called security company, the product and design decisions made are frankly mind-boggling. 0/10 for Eufy, don't recommend. If I had not already had them installed by an electrician by the time I found this out, I would have sent them back for a refund.
