Ring Sued Because 'Taking Customers' Security Seriously' Means Selling Easily-Hijacked Cameras
from the DUMPSTER-FIRE-2019-???? dept
Amazon's Ring has been uniformly terrible ever since it decided its primary market (homeowners) should be treated with less care and concern than the market it's actually courting and subsidizing (law enforcement agencies).
Since it's not really in the customer service business anymore, the end users who thought they were buying some security and peace of mind have discovered they've actually become part of a law enforcement surveillance network run by a company that doesn't really seem to be in the security business.
A group of forum members found Ring cameras incredibly easy to hijack. Running credential-stuffing scripts that fed Ring's login page username/password pairs harvested from the web's many security breaches, some sociopathic idiots were able to take control of devices without "hacking" anything at all: they simply tried passwords their victims had reused from other sites. Their favorites were the ones equipped with mics, where they could verbally abuse and taunt unsuspecting Ring owners for the enjoyment of their podcast audience. (I really wish I were making that last part up but this is the internet we have.)
When the news cycle of "hacked" Ring cameras began, Ring was quick to point out this wasn't its fault. Up to a point, Ring is right. Ring says it encourages the use of two-factor authentication and strong passwords. Great. So do lots of IoT device makers. But very few actually force their users to turn on two-factor authentication before the connected device is allowed to go "live" on the web. Ring doesn't either.
It's even worse in Ring's case. Ring says it's the customers that are wrong, but it does nothing on its own side to detect or slow down this sort of hijacking. There's no lockout, and no rate limit, after a run of failed logins. No warnings are sent to owners about logins from unrecognized devices or IP addresses. Repeated failed login attempts aren't flagged as suspicious. Those are the basic server-side signals that make a credential-stuffing run visible, and they cost nothing to implement. For a company supposedly in the security business, this is a pretty insecure way to run a business.
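To make concrete what those missing controls look like on the server side, here is an added example written for this post. It is not Ring's code and says nothing about how Ring's backend is actually built; the account names, IP addresses, device identifiers and thresholds are all made up for illustration. It replays a constructed login-event log through three checks: a sliding-window failure budget per account and per source IP (a throttle rather than a permanent lockout, so an attacker feeding bad passwords can't lock the real owner out for good), a credential-stuffing flag when one IP touches many different accounts in a short window, and an alert when a correct password arrives from a device the account has never used.

```python
"""Added example (not Ring's code): login controls a camera's cloud login endpoint
could apply. All thresholds, accounts, IPs and device ids are assumed values."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set

WINDOW_SECONDS = 300             # sliding window for counting failures (assumed)
MAX_FAILS_PER_ACCOUNT = 5        # failures per account in the window before throttling (assumed)
MAX_FAILS_PER_IP = 20            # failures per source IP in the window before throttling (assumed)
STUFFING_DISTINCT_ACCOUNTS = 10  # distinct accounts tried from one IP in the window (assumed)


@dataclass
class AuthEvent:
    ts: int        # unix seconds
    account: str
    ip: str        # source address of the login request
    device: str    # client device identifier (assumed server-issued, not user-chosen)
    ok: bool       # whether the submitted password was correct


@dataclass
class Decision:
    action: str    # "allow", "deny", "throttle" or "alert_new_device"
    reason: str


class LoginGuard:
    def __init__(self) -> None:
        self.fails_by_account: Dict[str, Deque[int]] = defaultdict(deque)
        self.fails_by_ip: Dict[str, Deque[int]] = defaultdict(deque)
        self.accounts_by_ip: Dict[str, Dict[str, int]] = defaultdict(dict)  # ip -> {account: last ts}
        self.known_devices: Dict[str, Set[str]] = defaultdict(set)
        self.stuffing_ips: Set[str] = set()

    @staticmethod
    def _expire(timestamps: Deque[int], now: int) -> None:
        # Drop failures older than the window: the limit is a rate, not a lifetime count.
        while timestamps and timestamps[0] <= now - WINDOW_SECONDS:
            timestamps.popleft()

    def handle(self, ev: AuthEvent) -> List[Decision]:
        self._expire(self.fails_by_account[ev.account], ev.ts)
        self._expire(self.fails_by_ip[ev.ip], ev.ts)

        # A stuffing script tries one leaked password per account, so per-account
        # failure counts stay low while the number of accounts seen from one IP explodes.
        recent = self.accounts_by_ip[ev.ip]
        for acct, last in list(recent.items()):
            if last <= ev.ts - WINDOW_SECONDS:
                del recent[acct]
        recent[ev.account] = ev.ts
        if len(recent) >= STUFFING_DISTINCT_ACCOUNTS:
            self.stuffing_ips.add(ev.ip)

        # Throttle before the password is checked, so a throttled source learns
        # nothing about whether its guess was right.
        if (len(self.fails_by_account[ev.account]) >= MAX_FAILS_PER_ACCOUNT
                or len(self.fails_by_ip[ev.ip]) >= MAX_FAILS_PER_IP
                or ev.ip in self.stuffing_ips):
            return [Decision("throttle", "failure budget exhausted or stuffing pattern")]

        if not ev.ok:
            self.fails_by_account[ev.account].append(ev.ts)
            self.fails_by_ip[ev.ip].append(ev.ts)
            return [Decision("deny", "bad credential")]

        decisions = []
        if ev.device not in self.known_devices[ev.account]:
            # The warning owners should get: a correct password from a never-seen device.
            decisions.append(Decision("alert_new_device", f"first login from {ev.device} at {ev.ip}"))
            self.known_devices[ev.account].add(ev.device)
        decisions.append(Decision("allow", "credential ok"))
        return decisions


def actions(decisions: List[Decision]) -> List[str]:
    return [d.action for d in decisions]


def run_sample():
    """Replay three constructed scenarios; returns the action lists for each."""
    guard = LoginGuard()
    guard.known_devices["orange"].add("dev-owner")  # device enrolled earlier by the real owner

    # 1. A password leaked from another site is replayed from a device never seen before.
    leaked = actions(guard.handle(AuthEvent(100, "orange", "198.51.100.7", "dev-stranger", True)))

    # 2. Seven wrong guesses at one account from one IP inside the window.
    brute = [actions(guard.handle(AuthEvent(200 + i, "orange", "198.51.100.8", "dev-bot", False)))
             for i in range(7)]

    # 3. Credential stuffing: one IP, twelve different accounts, one guess each.
    stuffing = [actions(guard.handle(AuthEvent(300 + i, f"user{i}", "198.51.100.9", "dev-bot", False)))
                for i in range(12)]
    return leaked, brute, stuffing


if __name__ == "__main__":
    for name, result in zip(("leaked", "brute", "stuffing"), run_sample()):
        print(name, result)
```

Running it shows the leaked-password login going through but raising a new-device alert, the brute-force run being denied five times and then throttled, and the stuffing run being cut off at the tenth distinct account even though no single account ever hit its own failure limit. A production version would keep the windows in shared storage across login servers and pair the new-device alert with a second-factor prompt rather than just an email.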
It's this latest insecurity that's getting the company sued.
Amazon and its home security subsidiary Ring are facing a federal lawsuit in California over allegations that its "lax security standards" led to a series of invasive and frightening hacks over the past year.
The lawsuit, which alleges Ring security cameras have been hacked six times across the U.S., comes as Amazon's Ring faces a barrage of scrutiny from lawmakers, privacy advocates and the public over its cybersecurity standards and widespread partnerships with local police departments.
The lawsuit [PDF], filed by a victim of just such a "hacking", hopes to become a class action when it's all grown up and fully-represented. Until then, there's this incident, which happened to the plaintiff.
Plaintiff John Baker Orange is a resident of Jefferson County Alabama. He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00. The Ring camera was installed over his garage with a view of the driveway. Mr. Orange purchased the Ring camera to provide additional security for him and his family which includes his wife and three children aged 7, 9, and 10. Recently, Mr. Orange’s children were playing basketball when a voice came on through the camera’s two-way speaker system. An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera. Once Mr. Orange learned of the incident, he changed the password on the Ring camera and enabled two-factor authentication. Prior to changing his password, Mr. Orange protected his Ring camera with a medium-strong password.
Orange alleges that Ring did almost nothing to protect its customers while promising its products will protect its customers.
Unfortunately, Ring does not fulfill its core promise of providing privacy and security for its customers, as its camera systems are fatally flawed. The Ring system is Wi-Fi enabled, meaning that it will not work without internet connectivity. Once connected, however, any internet device can be seen by the on-line community, making it incumbent upon its manufacturer to design the device such that it can be properly secured for only intended use. This obligation is even more critical in instances where the device, like the Ring camera, is related to the safety and security of person and property.
Ring failed to meet this most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack. Notably, Ring only required users to enter a basic password and did not offer or did not compel two-factor authentication.
He's not wrong. Security is pretty much an afterthought for this security company. It likes to put its resources into pitching its products to cops, who can then hand the flawed products to citizens in exchange for possible glimpses of camera recordings in the future.
But is it enough to win a lawsuit? The plaintiff alleges negligence and a few other related torts. Negligence doesn't require showing that Ring deliberately sold a product it knew was insecure, only that it failed to take the care a reasonable company in its position would take, and that standard tends to get measured against the rest of the industry. Ring is probably aware of the lack of built-in security, but is it any more negligent than any other IoT device maker that decides to dumb down security options to increase adoption and market share? And if it's just as terrible as its competitors, should that be enough to let it escape a lawsuit?
Maybe this one will hit Ring hard and force it and its competitors in the IoT marketplace to actually take the security of their customers seriously, rather than just saying that after their customers have already been compromised. Or maybe I just want Ring to get smacked around for pushing an insecure product on consumers with the assistance of over 600 law enforcement agencies. Ring has been an absentee landlord in its market, grabbing all the market share it can while leaving its millions of customers to fend for themselves when it comes to securing their devices properly.
Filed Under: doorbells, iot, lawsuit, ring, security
Companies: amazon, ring
Reader Comments
Soo?
So, the cops have access to the cameras, but do the customers?
Re: Soo?
It's just that if someone's home gets robbed, and the camera worked, who has the pictures?
Is anyone going to tell these people that the backdoor is easier to use to rob a home... as generally, it's hidden from anyone seeing it.
1 camera does not a security system make.
Re: Re: Soo?
Likely the thief has the pictures -- the pictures from the previous few weeks that they used to scope out the house to see when people come and go.
And some guy with a podcast probably has the audio.
The police probably have access, but are unlikely to actually use that access unless it pertains to some active case they're already working on.
Re: Soo?
Of course they do!
Cops don't have to follow a legal process, so they get it automatically.
Customers still have to follow a quasi-legal process, so they may get it someday if they sue in a court and pay tons of money.
/sad
Wow
He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00.
He forgot to include being robbed as one of his complaints.
The kind of "two factor authentication" you're talking about, which basically consists of sending a message to somebody's phone, is a stupid, ugly, surprisingly easily defeated hack... which is both made possible and made to appear necessary by the mind-shatteringly moronic decision to have the things centrally controlled from "the cloud". Relying on it would tend to further entrench the fundamental mistake.
The entire architecture they have is unsecurable, period. That central control point can never be protected adequately and therefore should never have been allowed to exist. Until they fix that, they're mostly masturbating.
The best fix is not to put your goddamned doorbell (or door lock) on the goddamned Internet. But if you absolutely must do that, there are authentication systems and protocols that work. They mostly don't emphasize passwords, let alone have default passwords, because we know at this point that people can't handle passwords.
So let them implement something that actually helps. In the devices, not in the "cloud".
... and, to be fair, anybody who sets their password to 12345, or to anything they use with any other service, is in fact an idiot, who probably can't be saved regardless of what the freaking doorbell does. 12345 is probably also the combination on their luggage. And the key is probably under the mat. And they're probably obsessing about the front door when they have a big, fat, unprotected, unobserved window in the back.
1980s style "lockouts" create DoS vulnerabilities, and probably aren't the right choice for a device that may be your only way of getting into your house. A rate limit almost always makes sense, though. And, sure, warnings when there are a lot of tries.
Re:
I don't see anything in the article about a central control point. It looked like they were talking about people directly connecting to cameras. If that's not the case, what's the architecture they're using?
even Netflix is better than this.
Wow, even Netflix will send me an email whenever someone (usually me) logs into my account from a new device (or one where I've deleted the Netflix cookie).
Re: even Netflix is better than this.
Both Amazon and my bank ask for a verification code, for me sent through email (the passwords to each of these are changed several times a year) every time. Even if I am using the same computer I always use (my bank claims to care, Amazon doesn't seem to). The use of a password manager makes using difficult passwords, often changed, easy.
I have difficulty sympathizing with the customers. The concept of having some corporate entity collecting all that information should itself have been enough to make people say no. One need not even understand the security issues to know the concept is flawed.
With a Mic
How's that work? The Ring has a mic a hacker can talk through? Strange magic
Re: With a Mic
Aside from the fact that all mics are speakers and all speakers are mics (when connected as not-intended, and with roughly the efficacy one might expect), I am guessing that, yes, speaker may have been what was meant, unless mic is the short form for a dual-purpose microphone-speaker device in the current parlance.
Something something we never expected shitlords would shitlord, so we discounted that possibility.
It let us save money to not be even slightly more proactive.
Our goal wasn't security for you, but for creating a network for police to access how they want.
You people bitching that your leaked credentials were used to break in & scare children are at fault!
Just because someone can try 10 million passwords in sequence without triggering any sort of alert is your fault, not ours. Use stronger passwords.
Serious question: is there any way to set up a surveillance system at home that's actually safe and private? You know, don't depend on centralized servers and stuff. Or is there any manufacturer you can trust to have good security and privacy policies?
Re:
Suitable IP cameras are available, as is open source software to set up motion detection systems, e.g. OpenCV. Raspberry Pis are powerful enough for the server for such systems, and various ways of setting up a secure online connection are possible. A mobile dongle would allow direct text sending from such systems. Also, cloud storage, own cloud included, for videos when motion is detected would be a good idea.
While it would take a little research and effort, such a system would not be difficult to set up for a computer literate person.
Re: Re:
I'm sticking to known brands. I'm doing some research and I'm pretty sure I can do it. Still, it's a nightmare for those with little skill with computers.
Re: Re: Re:
That's why the likes of Ring can extend their data gathering operations by selling security systems.
If you connect something to the Internet and don't have a real firewall that defaults to no traffic either way and only allows traffic you have authorized, you should expect to lose control of your device.
But most ISPs don't want you to have a real firewall as they will get stuck answering all those "Why doesn't my latest IOT gizmo work." questions.
Neither do most IOT gizmo makers. A real firewall setup means the IOT maker has to fully disclose what traffic their gizmo generates and all of the places that info is going as well as everyone that will be viewing the images.
As for a secure surveillance system, either build it yourself or buy one of the old school CCTV systems with an on site recorder setup. Eliminate any vendor that needs a cloud account for their gizmo to work.
Re:
UPnP is a dumpsterfire all its own, yes.
Put in a wired camera with no wireless antennas or internet connections if you want a secure home recording system.
There are attack vectors that don't include hacking those electronics however.
I might not want to be forced into 2FA, if it is shit 2FA, but then, I probably wouldn't want any natively internet-connected camera in the first place. If they can do local 2FA, that would be better.
On the other hand, gee it is fucking easy to send an email or txtmsg saying, "hey we have login attempts from an unrecognized device".
Starship Discovery
Just imagine for a moment that documents turned up in discovery reveal that Amazon was working in tandem with the DOJ and other LEAs to develop these damned things to create a gigantic surveillance network.
Would it affect how people use them?
Not in the slightest, because people who have them are abysmally stupid.
And here I thought the horror movie The Ring was fiction. I guess I was wrong.
Misleading title
Ring cameras were never "hacked". The Ring system was never "hacked". Stop with this misleading bullshit which doesn't actually address the problem. The lawsuit is stupid and should be thrown out because, again, the Ring cameras were never "hacked". The USERS used the same login credentials for their Ring cameras as they used on some other unrelated service that WAS HACKED. Criminals simply scoured the net using those stolen credentials and lucked out on finding idiot Ring users who used the same logins on everything. Yes, Ring should have forced users to enable 2FA or some other means, but instead they chose to make it more simple for the users, not realizing that users are typically STUPID.
This lawsuit, again, is a stupid waste of time and the courts should throw it out. RING WAS NEVER HACKED. That's it.
Re: Misleading title
Yeah, there was never any info out there about the login credentials.
How is this surprising to anyone? Anyone in tech knew that there was zero security built into these stupid devices. I mean, cmon, they were crap devices for the terminally lazy. The only ones that thought they were useful were the ones that believed the stupid hype.
So teddy bear nanny cams weren't enough?