Column: Ring says it protects your home, but users say it exposed them to cyberattacks
For a company that says its goal is to help people secure their homes from criminals, Ring hasn’t had an enjoyable last few months.
The Santa Monica firm, which sells internet-enabled video doorbells and home security cameras and was acquired by Amazon in 2018 for a reported $1 billion, has come under fire from legislators, security experts and customers for what the critics say are its own suspect security procedures.
In November, Sen. Edward J. Markey (D-Mass.) upbraided the company for making deals with law enforcement agencies that could expose customers and their neighbors to “invasive or even discriminatory information-gathering practices” by police.
The internet of things can enrich our lives, but most consumers don’t understand that it can ... open their doors to malicious actors.
— John Yanchunis, privacy attorney
Separately, Markey and four Democratic Senate colleagues raised questions about technical flaws in Ring products that “left customer video feeds vulnerable to eavesdropping and manipulation by malicious actors.”
Their reference was to reports, which Ring says are under investigation, that hackers had broken into Ring products, using their cameras and speakers to yell obscenities at customers in their homes, peep at and harass children, utter racial slurs and issue violent and extortionate threats at residents.
In a response to the senators’ letter sent Tuesday over the signature of Brian Huseman, an Amazon vice president, the company said it takes “customer privacy and protection of customer data very seriously,” but acknowledged that on at least four occasions in the last four years it had fired employees for improperly accessing customer videos.
The unfolding showdown between Apple and the FBI is almost invariably depicted in terms of the security and privacy of your smartphone.
In mid-December, the log-in credentials of more than 3,600 Ring account holders were reportedly breached, potentially exposing their personal information to malicious users. The company says those breaches were caused by vulnerabilities of other systems, not its own.
The incidents and others have become the raw material of a lawsuit filed just after Christmas in federal court in Los Angeles, seeking class-action status for potentially thousands of Ring customers. The company hasn’t yet answered the lawsuit and says it has no comment.
Ring is a prime target for criticism of its security vulnerabilities for several reasons. One is that its products appear to be enormously popular. Although parent Amazon doesn’t break out sales figures, Ring products tend to be among the highest-rated in consumer satisfaction rankings. The company says it has “millions of customers.”
Another reason is Ring’s self-promotion as a solution to a purported tide of property crime. Never mind that property crime rates have plummeted in California and nationwide over the last three decades; every security company has an incentive to pump up the supposed threat to its target market, and Ring has the pumps on overdrive.
“At Ring, our mission is simple,” the company says in its marketing materials: “To reduce crime in neighborhoods. ... Ring is a do-it-yourself solution that puts security back into the hands of homeowners.” Its downloadable Neighbors app, through which neighboring Ring customers can share videos and alerts, arguably fosters an echo chamber effect among concerned residents in a street or housing tract.
That said, Ring is hardly unique in marketing products vulnerable to hacker attacks. Those vulnerabilities are endemic throughout the entire so-called internet of things — that rapidly-growing universe of wifi-enabled refrigerators, thermostats, home alarm systems, light switches, baby monitors, even dishwashers.
As we’ve reported, privacy vulnerabilities have spread from internet-connected computers and phones to household devices that can give hackers, whether working for the government or acting illegally, access to homeowners’ private networks and information.
“The internet of things can enrich our lives,” says John Yanchunis, the Tampa, Fla., attorney who filed the federal lawsuit against Ring last month, “but most consumers don’t understand that it can act as a gateway to their homes and open their doors to malicious actors.”
One problem is that device manufacturers are loath to force rigorous security protocols on their customers, for fear of discouraging a sale.
Changing the default passwords that come with a device to passwords that are unique or resistant to random hacking can be a burden to lay purchasers. Same with two-factor authorization, through which users have to enter both a password and a code sent to a personal computer or phone to access their account from an unfamiliar computer or device. But taking those steps is essential to hardening a consumer device against hacking.
“It’s rare to find a home security camera that’s not insecure out of the box,” says Brian Krebs, a private security expert who runs the indispensable Krebs on Security blog.
The consumer technology industry and the law enforcement community have been on a collision course over consumer privacy for years.
Krebs chose not to comment directly on Ring’s devices or procedures because he hasn’t examined them himself, but he observed that many home devices are cheaply manufactured overseas and could be equipped with outdated software or even deliberate security vulnerabilities. (Ring’s products are manufactured in China.)
“The challenge for vendors is to strike a balance between customer support and security and privacy,” Krebs says. “A big part of the calculation is how much will increasing security increase the cost of support?”
Ring says its own systems were not breached — “we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the company told me by email. But that’s not the same as saying Ring was not at fault.
What apparently happened, according to Ring and security experts, is that hackers acquired consumer IDs and passwords by breaching unrelated sites, then tried to see if they’d work on Ring accounts. The process is known as “credential stuffing.”
Ring has implied that any success the hackers had was the fault of the Ring customers for failing to observe fundamental password security. “Unfortunately, when people reuse the same username and password on multiple services, it’s possible for bad actors to gain access to many accounts,” the company said on its blog.
Yet that’s not good enough. It’s evident that the company failed to take rudimentary steps at its end to forestall credential stuffing, which it must have known was a possibility, since Ring manifestly targets low-tech customers — it promises that its video doorbell can be installed “in just a few minutes, with no professional help required.”
Ring could have implemented a rule that would lock down accounts if it detected too many failed attempts at inputting passwords within a short period, which happens if hackers are flooding websites with random attempts at access. That’s a common security safeguard of sign-on websites.
Last summer, after years of inaction on consumer privacy by the federal government and slipshod privacy protection by big businesses collecting personal data, the California Legislature took matters into its own hands.
Nor did Ring have a policy of notifying customers if their accounts had been accessed from an unfamiliar computer or mobile device. Although Ring advises customers of the wisdom of two-factor authorization, it didn’t require it as a condition of activating their devices.
Ring says it has implemented some of these procedures since the credential stuffing was reported. Customers opening new accounts or adding new devices to existing accounts, for example, will henceforth have two-factor authorization turned on by default. (They can turn if off if they wish.) The company also began notifying users of access attempts from new devices.
But locking the front door after intruders have ransacked the house isn’t a good look for an ostensibly security-conscious company.
Sen. Ron Wyden (D-Ore.), in his response to Amazon’s replies to his and his colleagues’ questions, stated that while requiring two-factor authorization for new accounts “is a step in the right direction ... there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers. Amazon needs to go further — by protecting all Ring devices with two-factor authentication.”
Another factor that may make Ring alluring to hackers is that it collects footage from customers’ devices and stores it for as long as 60 days, depending on the customers’ preference and their choice of storage plans, which can cost up to $10 per month.
Good corporations know that the secret to success is to focus on your best quality and use it to serve your customers.
“Whenever you have a treasure trove of information like footage from people’s homes, that footage is going to be a target,” says Matthew Guariglia, who works on privacy and surveillance issues at the Electronic Frontier Foundation. “The best security for keeping information safe is not to collect it at all.”
In the response to the senators’ queries, the company also acknowledged that members of its research and development teams in Ukraine had access to video footage. But it said they could only view “publicly available videos and videos available from employees, contractors, and friends and family of employees or contractors with their express consent.”
What many privacy advocates find most disquieting about Ring is its relationship with law enforcement agencies. The company has struck information-sharing arrangements with local police departments through the Neighbors app.
Ring portrays the app as a high-tech “neighborhood watch,” but privacy experts say there’s little that can ensure against police misuse of the material once it’s turned over by a resident or Ring itself.
Ring told Markey that it requires no “evidentiary showing” from police before allowing police to seek footage from Ring customers. As Markey observed, Ring imposes “no security requirements for the law enforcement offices that get access to users’ footage ... has no restrictions on law enforcement sharing users’ footage with third parties ... and has no policies that prohibit law enforcement from keeping shared video footage forever.
“When the police request footage from someone’s Ring camera,” Guariglia says, “they can keep it and do whatever they want with it. There’s no oversight of why the police are requesting it, how they’ll use it once they get it, or who they share it with.”
The “nightmare scenario,” he says, “is the police request your footage from a car break-in on your street, and they forward it to [Immigration and Customs Enforcement] and get a dog-walker on your street or a neighbor deported.”
Ring says its terms of service for customers require them to avoid situating their devices so they can make recordings outside their own property lines. But it acknowledged to Markey that it takes no steps to hold customers to that rule or verify that it’s being followed.
“Connected doorbells are well on their way to becoming a mainstay of American households,” Markey commented, “and the lack of privacy and civil rights protections for innocent residents is nothing short of chilling.”
Ring likes to portray itself as a bulwark in Americans’ quest for privacy and security. But its products are vulnerable to breaches and its policies give police new methods to circumvent legal and constitutional protections against improper search and seizure.
This is how a surveillance culture enters American life through the back door — or the front porch.
