An open source privacy-preserving home security camera using end-to-end encryption

Hi everyone,

We would like to introduce Secluso, a privacy-preserving home security camera solution, which uses end-to-end encryption. Secluso tries to provide functionality similar to a Ring or a Blink camera, but without violating user privacy (as most mainstream consumer cameras do!). The functionality includes sending video recordings to the app when the camera detects an event (motion, person, pet, etc.) as well as on-demand live-streaming. To detect events, Secluso performs AI on the camera feed fully locally (i.e., on the camera).

Existing home security cameras have a terrible privacy track record. For example, according to the FTC, Ring employees and contractors illegally accessed users’ videos (source). Eufy was fined $450,000 after New York’s Attorney General found its “local only” and “end-to-end encryption” claims were false (source). And Wyze says that a breach allowed 13,000 camera users to see inside other users’ homes (source). Not to mention, the majority of these companies don’t encrypt videos from their cameras, so they’re able to view them whenever they want. We think we can do better than this!

Guaranteeing user privacy has been and will continue to be the number one design principle in Secluso! To that end, Secluso uses the following techniques. First, all videos are end-to-end encrypted from the camera to the mobile app (Android or iOS). The encrypted videos are transferred via a cloud server, but the server is untrusted and cannot decrypt the videos. Secluso uses Messaging Layer Security (MLS) for end-to-end encryption, which provides advanced features including forward secrecy and post-compromise security. At a high level, these features guarantee that even if the camera or the app is ever compromised and encryption keys are stolen, the compromised keys cannot be used to decrypt videos from the past and future. Second, Secluso is fully open source (and will always remain open source), and hence can be inspected by users and security experts. Third, Secluso’s camera firmware and part of its mobile app are implemented in Rust, which eliminates memory safety vulnerabilities. Fourth, Secluso supports reproducible builds, which allows users and experts to verify that the binaries inside the camera firmware are compiled from our open source code on GitHub. Finally, we are planning to add immutable and transparent firmware updates, which guarantees that all automatic updates to the camera firmware will be transparent to the public and immutable for one year. This will prevent malicious and silent updates to our cameras.

A little bit about us (the project founders): Ardalan is a computer science professor with expertise in computer security and privacy. John is an open source and privacy enthusiast who has over a decade of experience in software development. Ardalan initially started this project since he needed a security camera for inside his house but did not want to jeopardize the privacy of his family. John later discovered this project on GitHub since he was disappointed after looking around and learning that there weren’t any cameras on the market that were privacy preserving. They then joined forces and have been working together since the beginning of this year. They’ve both been working on it in their spare time and have put in a lot of energy to make sure it’s secure and functional.

Now, we would like to ask you to help us by using our solution and giving us feedback. There are several ways you can try our camera solution:

  • Fully self-hosted: You can use our software on your own camera hardware and server. For the camera, you can either use a Raspberry Pi (even one as weak as a Raspberry Pi Zero 2W) or an IP camera that supports RTSP. In the case of Raspberry Pi, our camera software runs directly on the Pi. With IP cameras, our software runs on another machine connected to the camera and acts as a hub (and a firewall since we can’t trust IP cameras with closed source firmware). You also need a server with a public IP address. We have detailed instructions in our Github repository on how to set up this self-hosted option. If you run into any issues, let us know (either here, on Github, or via email at secluso@proton.me) and we will be more than happy to help you fix them.

  • Semi self-hosted: If you have your own camera, but don’t have a server, we can try to help with that. We can try to accommodate a limited number of users in our own server instance (for free). Just send us an email if that’s what you would like to do.

  • Plug-and-play camera: We have also been building a plug-and-play camera using a Raspberry Pi Zero 2W and a 3D-printed case that we have designed in house. The goal of this camera is to make it as easy as a Ring camera for a user to use it. When you get our plug-and-play camera, you simply pair it with our app and you’re good to go. (But note that you can still verify all the software running on the Pi if you’d like to.) If you’re interested in this option, please go to our website (https://secluso.com) and join the waiting list. We plan to hand-build a limited number of our early prototype cameras and give them for free to interested users and get their feedback. When they are ready (in a few months), we will email the waiting list and ask for volunteers to try our plug-and-play camera. By joining the waiting list, you also help us gauge the community’s interest in our plug-and-play camera. If we see interest from the community, we will look into scaling up our camera production and we will email the waiting list with information on how to acquire one when the cameras are ready. We’re hoping that our plug-and-play camera can provide an easy-to-use privacy-preserving home security camera for all privacy-conscious people (and beyond) as there is currently no such camera out there.

Even if you can’t use our camera, we ask that you share with us your thoughts. Do you have a use for a privacy-preserving home security camera? Are there any important features that you need but we currently don’t support? Any other suggestions?

Your help and feedback will go a long way in helping us improve Secluso and will motivate us to invest even more energy into it and hopefully turn it into a camera that can support a large number of users in the future.

Finally, if you’re interested to hear more from us regarding our efforts, please go to our website (https://secluso.com) and join the mailing list by clicking on the “Keep in touch” button.

Our Github repository: GitHub - secluso/secluso: A privacy-preserving home security camera that uses end-to-end encryption. (Secluso was previously named Privastead.)

Our website: https://secluso.com

5 Likes

I highly recommend this on the Privacy Guides forum - there are many folks on there that would love to learn about this project and what you offer.

You will also get feedback and criticism on it all (so you can better it) - FYI.

But thanks for sharing here. I’ll have to check it out in detail for all that it is and can be. Lastly, it would behoove you to use your real name as hiding behind pseudonymous identities when sharing your project does not inspire trust. But that’s a personal opinion.

Edit: I see it on the website.

1 Like

Hi @privacyadvocate, thank you for your thoughtful feedback. I agree, we will definitely be sharing this on the Privacy Guides forum. We’re waiting to be approved into the developers group before we can make a post in the project showcase area.

We know it’s a bit unusual for a privacy project to have personal names attached, but for us it’s part of being transparent about who’s building it. One of our co-founders holds a Ph.D. in Computer Science with expertise in security and privacy, and putting our names behind the work is a way of showing we’re not anonymous actors with hidden motives.

That said, we also want trust to be verifiable without relying on identity, through open code, reproducible builds, and (soon) transparent, immutable updates. We also welcome pseudonymous contributors, and the project itself will never require tying use to real-world identities.

2 Likes

Looks interesting! I had a few questions:

  1. I notice in the demonstration on your website that the user scans the QR code on your camera to pair with their Android/iOS device. Does this automatically perform out-of-band key verification? (Sort of similar to how SimpleX Chat works when adding contacts.) If not, would you consider adding this feature to defend against MITM attacks?
  2. Are there any intentions to develop Windows, Mac, or Linux apps in the future?

Hi @TheDoc,

When someone sets up the camera (or after a reset), a Rust crate is used to generate a secret and store it in a file on the camera. The same secret is encoded in a QR code that the user scans into the app. When the app tries to pair, it presents that secret, and both the app and camera use it as an external pre-shared key (PSK) in the MLS handshake. If the app’s secret doesn’t match what’s on the camera, pairing fails.

So it’s “out-of-band” because the QR code / secret path is separate from the network channel where MLS key exchange happens (over the camera’s temporary WiFi). An attacker on the network can’t fake that secret or see it (unless they’re physically present to intercept it or get it somehow). Because of that, we assume an attacker doesn’t have both the secret and the physical proximity needed at pairing time, and so MITM is not a viable attack in that threat model.

We have some more information about our security and pairing in SECURITY.md on our GitHub. It unfortunately won’t let me directly link it here.

Regarding apps for other platforms, yes, we will definitely be implementing this at some point. We recently remade our entire app with Flutter, which supports cross-platform apps with one codebase. This was primarily done for iOS and Android support, but can easily be extended into Windows, Mac and Linux apps with minimal changes. An important feature that we want to implement before doing this is allowing for multiple devices to be paired with a single camera. This is because most people will want to use computers as a secondary function. Afterwards, we plan to add support for these apps.

Please let me know if you have any other questions.

1 Like
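
The pairing check described in the reply above, as an added example that is not part of the thread and not Secluso's code: a simplified Python model (not the MLS key schedule itself) in which the QR-code secret is mixed into the session key, so a party that completes the network key exchange but never saw the QR code fails key confirmation. All function names, labels and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def session_key(handshake_secret: bytes, pairing_secret: bytes) -> bytes:
    # The network handshake output is only the salt; the QR secret is required too.
    return hkdf_expand(hkdf_extract(handshake_secret, pairing_secret), b"demo pairing key")

def confirmation_tag(key: bytes, transcript: bytes) -> bytes:
    return hmac.new(key, b"confirm|" + transcript, hashlib.sha256).digest()

def camera_accepts(camera_secret: bytes, handshake_secret: bytes,
                   transcript: bytes, tag: bytes) -> bool:
    expected = confirmation_tag(session_key(handshake_secret, camera_secret), transcript)
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def simulate_pairing() -> dict:
    qr_secret = secrets.token_bytes(32)  # generated on the camera, shown as a QR code
    transcript = b"constructed handshake transcript"
    # Honest app: ran the key exchange with the camera and scanned the QR code.
    hs = secrets.token_bytes(32)
    honest = confirmation_tag(session_key(hs, qr_secret), transcript)
    # Man in the middle: completed its own key exchange with the camera, so it
    # knows that handshake secret, but never saw the QR code and must guess.
    mitm_hs = secrets.token_bytes(32)
    guess = secrets.token_bytes(32)
    forged = confirmation_tag(session_key(mitm_hs, guess), transcript)
    return {
        "honest_app": camera_accepts(qr_secret, hs, transcript, honest),
        "mitm_without_qr": camera_accepts(qr_secret, mitm_hs, transcript, forged),
        # Relaying the honest tag onto the attacker's channel fails as well,
        # because the tag is bound to the handshake secret, not just the QR secret.
        "relayed_tag_on_mitm_channel": camera_accepts(qr_secret, mitm_hs, transcript, honest),
    }

if __name__ == "__main__":
    print(simulate_pairing())
```
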

What’s the main difference to “HomeKit Secure Video” from Apple?

1 Like

Hi @janell1991,

What really makes Secluso special is that anyone in the community can inspect and verify everything in the system. Because Secluso supports running open, auditable firmware on hardware like a Raspberry Pi (either your own or our prototype), you can see the source, check the build process, monitor firmware updates, and confirm that the security promises match what’s actually implemented. True trust comes from knowing you can check anything, not just being told it’s secure. Without it, claims about security can’t be independently verified, which means you’re forced to assume there are no backdoors or unpatched vulnerabilities, something you can’t reliably do.

In contrast, HomeKit Secure Video is locked into Apple’s ecosystem. It only works with approved IP cameras, requires an Apple home hub (HomePod, Apple TV, or iPad), and everything is managed via the Home app and iCloud. Because the firmware on those cameras is **closed source** and the updates aren’t inspectable, users **must rely entirely** on Apple’s claims about what the device does, how secure it is, and how updates are handled.

HomeKit does support end-to-end encryption: video is analyzed locally on the hub, encrypted with AES-256, then uploaded with metadata and keys stored in iCloud under end-to-end encryption. But HomeKit’s architecture doesn’t provide the same strong guarantees of forward secrecy or post-compromise security as Secluso does. If the HomeKit persistent long-term keys or their service key pairs are ever breached, all of your security camera videos will become decryptable. With our use of MLS, we ensure that even if keys are compromised, your past and future videos will still be protected.

1 Like