Ring Spends The Week Collecting Data On Trick-Or-Treating Kids And Being An Attack Vector For Home WiFi Networks

Nothing owns like a self-own. And Ring — Amazon’s doorbell surveillance project — is so into self-abuse, it’s almost kinky. It’s a DOM when it picks up another submissive law enforcement partner (400+ at last count, so maybe get tested if you install a doorbell without protection). Any other time, it seems to be a relentlessly cheery masochist. Hopefully it’s deriving some pleasure from the endless negative news cycles. Maybe 95% market share heals all wounds.

Ring is putting the “creep” back in the phrase “surveillance creep.” While there’s some value to keeping an eye on your front doorstep when you’re expecting an expensive delivery, the downside is Ring might be letting cops know you’ve got a camera on your house. What it won’t be letting you know is that it will part with your footage at the drop of a subpoena.

If you’re not eyeballing your neighbors by proxy, you’re not living right. That’s the message of the Neighbors app, which is pushed by Ring and cops alike. Breaking down “sharing” barriers is the first step toward bypassing the warrant process. Ring is the grease and the wheel.

The pushback against Ring’s law enforcement adoption offensive has had minimal effect on the company. It continues undeterred, even as it attempts to explain both its lack of interest in adding facial recognition software to its doorbells and its retention of a facial recognition division head. It’s things like this that make one believe the public’s opinion ultimately doesn’t matter, not if Ring can convince enough cop shops to start pushing its offerings on the public.

Ring is back in the news again. And, again, it’s not because it did anything right. Or competently.

First, Buzzfeed reports the doorbell company is as tone deaf as it is dominant in its market sector. What Ring thinks is cute and fun is actually just very, very creepy.

In a company blog and series of Instagram stories, posted Monday and Tuesday, the company showed that it collects, stores, and analyzes sensitive data about how, when, and where people use its doorbell cameras. Ring said that nationwide, its doorbell cameras were activated 15.8 million times on Halloween. The company makes several other types of surveillance cameras in addition to its doorbell camera.

As it has on other occasions, like Super Bowl Sunday, Ring turned Halloween into a marketing opportunity. As reported by Mashable, Ring circulated videos of children on Halloween on Twitter. Ring also promoted Halloween-themed skins to decorate doorbell cameras on its company blogs and Instagram. However, in promoting itself as a family-friendly company, Ring showed that it collects user data on a granular level.

Friends, neighbors, visitors… children — nothing but data and footage to be used to promote Ring’s version of everyday life in the United States. The information a Ring doorbell collects belongs to Ring, not its customers. And if it belongs to Ring, it can be had without a warrant in most cases. Ring knows how often customers’ doorbells ring. It says it anonymizes this data, but first you have to trust that it actually did what it said it did. And then you have to believe anonymizing data actually anonymizes it, which it kind of doesn’t.

But trading trick-or-treating kids for social media impressions isn’t the only headline Ring made this past week. It also showed it’s not immune to the IoT curse: connected “smart’ things tend to be attack vectors. And if they’re not actually being attacked, they’re just giving info away to whoever wants it.

A vulnerability in the Amazon Ring doorbells could have exposed homes’ WiFi username and password to hackers.

Discovered earlier this year by Romanian cybersecurity firm Bitdefender, the issue caused users’ WiFi credentials to be transmitted unencrypted while they were setting up the internet-connected device.

“When entering configuration mode, the device receives the user’s network credentials from the smartphone app,” Bitdefender notes. “Data exchange is performed through plain HTTP, which means that the credentials are exposed to any nearby eavesdroppers.”

While this method requires a hacker to be near the doorbell or on the targeted WiFi network in order to intercept the credentials, this doesn’t mean exploitation is only a crime of opportunity. As Bitdefender noted, hackers could flood the device with de-authentication messages which would kick the doorbell off the network. When Ring users try to reconnect their doorbell to their network, hackers could jump in and grab the credentials as they sail by in plaintext.

The good news is this issue has been fixed. The bad news is this is the second time Ring’s doorbells have been caught handing out WiFi credentials. At least last time, malicious hackers needed physical access to the doorbell. The last misstep allowed hackers to stay in their cars.

The further bad news is Ring is still Ring and mainly interested in turning doorbells in spy cams that can be easily accessed by its hundreds of law enforcement “partners.” It has never expressed any sincere desire to protect the privacy of its users. As far as it’s concerned, every camera is just another eye it owns, feeding it footage and data it can use at will.

Permalink | Comments | Email This Story