Tag Archive for: Minimal

Twitch downplays this month’s hack, says it had minimal impact


In an update regarding this month’s security incident, Twitch downplayed the breach, saying that it had minimal impact and only affected a small number of users.

“We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly,” Twitch said.

The company also stated that no login credentials or full credit card numbers/payment data belonging to users or streamers were exposed following last week’s massive data leak.

“Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information,” Twitch added.

Data exposed in the incident and leaked on the 4chan imageboard primarily contained documents from Twitch’s source code repository and a subset of creator payout data.

As explained in previous updates issued after the attack, the attackers were able to gain access to the data due to a faulty server configuration change that exposed it to the Internet.

125 GB of source code and payment reports stolen

Although Twitch hasn’t revealed what servers were misconfigured, the unknown individual behind the leak said the data was allegedly stolen from roughly 6,000 internal Twitch Git repositories.

“Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories,” the anonymous poster said.

According to the 4chan user, the archive leaked on the imageboard contained the following Twitch info:

  • The entirety of twitch.tv, with commit history going back to its early beginnings
  • Mobile, desktop, and video game console Twitch clients
  • Various proprietary SDKs and internal AWS services…

Ring Throws A Moist Towelette On Its Dumpster Fire With A Couple Of Minimal Security Tweaks

Things have gotten worse and worse for Amazon’s Ring over the past several months. Once just the pusher of a snitch app that allowed city residents to engage in racial profiling from the comfort of their homes, Ring is now synonymous with poor security practices and questionable “partnerships” with hundreds of law enforcement agencies around the nation.

Ring owners recently discovered how easily their cameras could be hijacked by assholes with no moral compass and too much time on their hands. Using credentials harvested from security breaches, online forum members took control of people’s cameras to entertain a podcast audience who listened along as hijackers verbally abused Ring owners and their children.

Ring is now being sued for selling such an easily-compromised product. Ring’s response to the original reports of hijackings was to blame customers for not taking their own security more seriously. Ring does recommend two-factor authentication but that’s about all it does. It does not inform users when login attempts are made from unrecognized IP addresses or devices, and does not put the system on lockdown after a certain number of failed attempts are made.

Yes, users should use strong passwords (and not reuse passwords), but blaming customers for engaging in behavior most customers will engage in is unproductive. Instead of making two-factor authentication a requirement before deployment, Ring has just repeatedly pointed to its prior statements about its “encouragement” of 2FA — an “encouragement” that is mostly comprised of defensive statements issued in response to another negative news cycle.

Since it can’t keep blaming its millions of customers for its own failings, Ring is taking a very, very small step in the direction of actually taking its customers’ security seriously. [Please hold your tepid applause until the end of the announcement.]

Ring has announced that it is adding a new privacy dashboard to its mobile apps that will let Ring owners manage their connected devices, third-party services, and whether local police partnered with Ring can make requests to access video from the Ring cameras on the account. The company says that other privacy and security settings will be added to the dashboard in the future. This new Control Center will be available in the iOS and Android versions of the Ring app later this month.

It’s barely enough to make anyone feel whelmed, much less overly so. There are two small additions that put this ahead of what Ring offered prior to the newsworthy camera hijackings. First, the app will allow users to see who’s logged in at any given time and log out unrecognized IP addresses or locations from within the app.

The second addition finally puts some (baby) teeth into Ring’s 2FA recommendation:

[R]ing is continuing to inform its customers of the importance of two-factor authentication on their accounts and will be making it an “opt-out” thing for new account setups, as opposed to the opt-in setup it currently is.

Swell. So that’s kind of… fixed. I guess. Now Ring just needs to work on all the other problematic things about itself, like the fact that it’s still not going to notify users when new IP addresses, devices, or locations attempt to access their cameras. And it’s not going to stop using cop shops as Ring marketing street teams. And for all of its insistence footage is never handed over to cops without the proper paperwork, it still deals from the bottom of the deck by claiming end users own all their footage even as it’s handing this footage to law enforcement without the end user’s permission or involvement.

Ring has a lot to fix if it’s ever going to make its way out of the PR pit it’s dug for itself. This is something, but it’s just barely something. It’s not enough. And it says Ring still isn’t serious about protecting its customers — not from law enforcement and not from malicious idiots who’ve found a new IoT toy to play with.

Techdirt.

Alternote Is a Minimal Note-Taking App for Mac with Evernote Support

Mac: Evernote’s great, but it’s a little over-the-top if you just use it for basic writing. Alternote is a Mac app currently in beta that simplifies things a lot while still syncing up with your Evernote account. At a glance, Alternote looks something like …

Write for Mac Brings the Minimal iOS Notes App to the Mac

Mac: You’ll find a ton of syncing notes apps out there, but we like the iOS version of Write because it manages to toe the line between simplicity and feature-packed. The new Mac app makes that experience even better. Write bills itself as a distraction …