Tag: Ring | Page 7

Ring Throws A Moist Towelette On Its Dumpster Fire With A Couple Of Minimal Security Tweaks

January 11, 2020/in Internet Security

Things have gotten worse and worse for Amazon’s Ring over the past several months. Once just the pusher of a snitch app that allowed city residents to engage in racial profiling from the comfort of their homes, Ring is now synonymous with poor security practices and questionable “partnerships” with hundreds of law enforcement agencies around the nation.

Ring owners recently discovered how easily their cameras could be hijacked by assholes with no moral compass and too much time on their hands. Using credentials harvested from security breaches, online forum members took control of people’s cameras to entertain a podcast audience who listened along as hijackers verbally abused Ring owners and their children.

Ring is now being sued for selling such an easily-compromised product. Ring’s response to the original reports of hijackings was to blame customers for not taking their own security more seriously. Ring does recommend two-factor authentication but that’s about all it does. It does not inform users when login attempts are made from unrecognized IP addresses or devices, and does not put the system on lockdown after a certain number of failed attempts are made.

Yes, users should use strong passwords (and not reuse passwords), but blaming customers for engaging in behavior most customers will engage in is unproductive. Instead of making two-factor authentication a requirement before deployment, Ring has just repeatedly pointed to its prior statements about its “encouragement” of 2FA — an “encouragement” that is mostly comprised of defensive statements issued in response to another negative news cycle.

Since it can’t keep blaming its millions of customers for its own failings, Ring is taking a very, very small step in the direction of actually taking its customers’ security seriously. [Please hold your tepid applause until the end of the announcement.]

Ring has announced that it is adding a new privacy dashboard to its mobile apps that will let Ring owners manage their connected devices, third-party services, and whether local police partnered with Ring can make requests to access video from the Ring cameras on the account. The company says that other privacy and security settings will be added to the dashboard in the future. This new Control Center will be available in the iOS and Android versions of the Ring app later this month.

It’s barely enough to make any one feel whelmed, much less overly so. There are two small additions that put this ahead of what Ring offered prior to the newsworthy camera hijackings. First, the app will allow users to see who’s logged in at any given time and logout unrecognized IP addresses or locations from within the app.

The second addition finally puts some (baby) teeth into Ring’s 2FA recommendation:

[R]ing is continuing to inform its customers of the importance of two-factor authentication on their accounts and will be making it an “opt-out” thing for new account setups, as opposed to the opt-in setup it currently is.

Swell. So that’s kind of… fixed. I guess. Now Ring just needs to work on all the other problematic things about itself, like the fact that it’s still not going to notify users when new IP addresses, devices, or locations attempt to access their cameras. And it’s not going to stop using cop shops as Ring marketing street teams. And for all of its insistence footage is never handed over to cops without the proper paperwork, it still deals from the bottom of the deck by claiming end users own all their footage even as it’s handing this footage to law enforcement without the end user’s permission or involvement.

Ring has a lot to fix if it’s ever going to make its way out of the PR pit it’s dug for itself. This is something, but it’s just barely something. It’s not enough. And it says Ring still isn’t serious about protecting its customers — not from law enforcement and not from malicious idiots who’ve found a new IoT toy to play with.

Permalink | Comments | Email This Story

Techdirt.

Ring Throws Customers Under the Bus After Data Breach – EFF

December 20, 2019/in Internet Security

Ring Throws Customers Under the Bus After Data Breach EFF
“data breach” – read more

Hackers Hijack Ring Cameras by Cracking Passwords – PCMag.com

December 14, 2019/in Internet Security

Hackers Hijack Ring Cameras by Cracking Passwords PCMag.com
“HTTPS hijacking” – read more

Amazon: Cops Can Get Recordings From Ring, Keep Them Forever, And Share Them With Whoever They Want

November 25, 2019/in Internet Security

Even more alarming news has surfaced about Amazon’s Ring doorbell/camera and the company’s ultra-cozy relationship with police departments.

Since its introduction, Ring has been steadily increasing its market share — both with homeowners and their public servants. At the beginning of August, this partnership included 200 law enforcement agencies. Three months later, that number has increased to 630.

What do police departments get in exchange for agreeing to be Ring lapdogs? Well, they get a portal that allows them to seek footage from Ring owners, hopefully without a warrant. They also get a built-in PR network that promotes law enforcement wins aided by Ring footage, provided the agencies are willing to let Ring write their press releases for them.

They also get instructions on how to bypass warrant requirements to obtain camera footage from private citizens. Some of this is just a nudge — an unstated quid pro quo attached to the free cameras cops hand out to homeowners. Some of this is actual instructions on how to word requests so recipients are less likely to wonder about their Fourth Amendment rights. And some of this is Ring itself, which stores footage uploaded by users for law enforcement perusal.

If it seems like a warrant might slow things down — or law enforcement lacks probable cause to demand footage — Ring is more than happy to help out. Footage remains a subpoena away at Ring HQ. And, more disturbingly, anything turned over to police departments comes with no strings attached.

Statements given to Sen. Edward Markey by Amazon indicate footage turned over to cops is a gift that keeps on giving.

Police officers who download videos captured by homeowners’ Ring doorbell cameras can keep them forever and share them with whomever they’d like without providing evidence of a crime, the Amazon-owned firm told a lawmaker this month.

Brian Huseman, Amazon’s VP of Public Policy, indicates the public is kind of an afterthought when it comes to Ring and its super-lax policies.

Police in those communities can use Ring software to request up to 12 hours of video from anyone within half a square mile of a suspected crime scene, covering a 45-day time span, Huseman wrote. Police are required to include a case number for the crime they are investigating, but not any other details or evidence related to the crime or their request.

Ring itself maintains that it’s still very much into protecting users and their safety. Maybe not so much their privacy, though. The company says it takes the “responsibility” of “protecting homes and communities” very seriously. But when it comes to footage, well… that footage apparently belongs to whoever it ends up with.

Ring… “does not own or otherwise control users’ videos, and we intentionally designed the Neighbors Portal to ensure that users get to decide whether to voluntarily provide their videos to the police.”

It’s obvious Ring does not “control” recordings. Otherwise, it would place a few more restrictions on the zero-guardrail “partnerships” with law enforcement agencies. But pretending Ring owners are OK with cops sharing their recordings with whoever just because they agreed to share the recording with one agency is disingenuous.

Ring’s answers to Markey’s pointed questions are simply inadequate. As the Washington Post article notes, Ring claims it makes users agree to install cameras so they won’t record public areas like roads or sidewalks, but does nothing to police uploaded footage to ensure this rule is followed. It also claims its does not collect “personal information online from children under the age of 13,” but still proudly let everyone know how many trick-or-treaters came to Ring users’ doors on Halloween. And, again, it does not vet users’ footage to ensure they’re not harvesting recordings of children under the age of 13.

The company also hinted it’s still looking at adding facial recognition capabilities to its cameras. Amazon’s response pointed to competitors’ products utilizing this tech and said it would “innovate” based on “customer demand.”

While Ring’s speedy expansion would have caused some concern, most of that would have been limited to its competitors. That it chose to use law enforcement agencies to boost its signal is vastly more concerning. It’s no longer just a home security product. It’s a surveillance tool law enforcement agencies can tap into seemingly at will.

Many users would be more than happy to welcome the services of law enforcement if their doorbell cameras captured footage of criminal act that affected them, but Ring’s network of law enforcement partners makes camera owners almost extraneous. If cops want footage, Ring will give it to them. And then the cops can do whatever they want with it, even if it doesn’t contribute to ongoing investigations.

These answers didn’t make Sen. Markey happy. Hopefully, other legislators will find these responses unsatisfactory and start demanding more — both from law enforcement agencies and Ring itself.

Permalink | Comments | Email This Story

Techdirt.

Tag Archive for: Ring