Ring Throws A Moist Towelette On Its Dumpster Fire With A Couple Of Minimal Security Tweaks
from the [yelling-over-the-roaring-flame]-WE-CARE-DEEPLY-ABOUT-OUR-USERS dept
Things have gotten worse and worse for Amazon's Ring over the past several months. Once just the pusher of a snitch app that allowed city residents to engage in racial profiling from the comfort of their homes, Ring is now synonymous with poor security practices and questionable "partnerships" with hundreds of law enforcement agencies around the nation.
Ring owners recently discovered how easily their cameras could be hijacked by assholes with no moral compass and too much time on their hands. Using credentials harvested from security breaches, online forum members took control of people's cameras to entertain a podcast audience who listened along as hijackers verbally abused Ring owners and their children.
Ring is now being sued for selling such an easily-compromised product. Ring's response to the original reports of hijackings was to blame customers for not taking their own security more seriously. Ring does recommend two-factor authentication but that's about all it does. It does not inform users when login attempts are made from unrecognized IP addresses or devices, and does not put the system on lockdown after a certain number of failed attempts are made.
Yes, users should use strong passwords (and not reuse passwords), but blaming customers for engaging in behavior most customers will engage in is unproductive. Instead of making two-factor authentication a requirement before deployment, Ring has just repeatedly pointed to its prior statements about its "encouragement" of 2FA -- an "encouragement" that is mostly comprised of defensive statements issued in response to another negative news cycle.
Since it can't keep blaming its millions of customers for its own failings, Ring is taking a very, very small step in the direction of actually taking its customers' security seriously. [Please hold your tepid applause until the end of the announcement.]
Ring has announced that it is adding a new privacy dashboard to its mobile apps that will let Ring owners manage their connected devices, third-party services, and whether local police partnered with Ring can make requests to access video from the Ring cameras on the account. The company says that other privacy and security settings will be added to the dashboard in the future. This new Control Center will be available in the iOS and Android versions of the Ring app later this month.
It's barely enough to make any one feel whelmed, much less overly so. There are two small additions that put this ahead of what Ring offered prior to the newsworthy camera hijackings. First, the app will allow users to see who's logged in at any given time and logout unrecognized IP addresses or locations from within the app.
The second addition finally puts some (baby) teeth into Ring's 2FA recommendation:
[R]ing is continuing to inform its customers of the importance of two-factor authentication on their accounts and will be making it an “opt-out” thing for new account setups, as opposed to the opt-in setup it currently is.
Swell. So that's kind of… fixed. I guess. Now Ring just needs to work on all the other problematic things about itself, like the fact that it's still not going to notify users when new IP addresses, devices, or locations attempt to access their cameras. And it's not going to stop using cop shops as Ring marketing street teams. And for all of its insistence footage is never handed over to cops without the proper paperwork, it still deals from the bottom of the deck by claiming end users own all their footage even as it's handing this footage to law enforcement without the end user's permission or involvement.
Ring has a lot to fix if it's ever going to make its way out of the PR pit it's dug for itself. This is something, but it's just barely something. It's not enough. And it says Ring still isn't serious about protecting its customers -- not from law enforcement and not from malicious idiots who've found a new IoT toy to play with.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, dashboard, doorbells, police, ring doorbell, security
Companies: amazon, ring
Reader Comments
Subscribe: RSS
View by: Time | Thread
meta: these titles and departments have a higher frequency of actual LOL funny of late.
moist towelettes and wikipedia brown, indeed.
[ link to this | view in chronology ]
Ring, owned by Amazon. The interest they have in the security of your information? Only as much as will keep them out of court, not a penny more.
[ link to this | view in chronology ]
Doorbot
The company that brought you DoorBot would never do this. It must be a mistake.
[ link to this | view in chronology ]
So, they've put a bandaid on an axe wound. The only cure for a ring doorbell is total destruction of the device.
[ link to this | view in chronology ]
i have to wonder what Amazon had to give/got out of allowing multiple law enforcement agencies access to customers camera footage? no way was this done for nothing and no reason. when that comes to light, hopefully shit will really hit the fan! one thing this certainly shows me is that Amazon head, Bezos has far more power than he should have!
[ link to this | view in chronology ]
Re:
Are you new here? Have you avoided tech news completely the last few years?
Ring "partnered" with law enforcement, offering them free or near-free cameras to distribute in their neighborhoods in exchange for easy access to the footage and pre-written press statements pumping up how awesome Ring is. Though Ring already had the major market share of the internet-connected doorbell market (note: not "smart") this effort has catapulted them to the undisputed champion of the space.
Somehow no fecal matter managed to strike any wind generation devices. And it's not about individual power. It's about being first to market(ing) and taking advantage of that position in morally questionable ways.
[ link to this | view in chronology ]
Ring isn't the problem
Idiot users are the problem. Ring's system has never been "hacked". Unrelated companies had their systems breached, with idiots who use both services using the same login credentials for their Ring system. Those login credentials are then posted for thousands of criminals to try to use anywhere they can. The fact that they found idiot Ring users who didn't bother to secure their system any better than to use the same login credentials is not the problem of Ring. Ring has always provided a way to keep your system safer. If idiot users can't be bothered to use what is given, that's not on Ring.
[ link to this | view in chronology ]
Re: Ring isn't the problem
Amazon gaslighting the general public for fame and fortune, film at eleven.
[ link to this | view in chronology ]
Re: Ring isn't the problem
Yes, idiot users are the problem, but not for the reasons you give. They are idiots for using ring at all.
[ link to this | view in chronology ]
Re: Ring isn't the problem
I like to refer to this as the "Why do cars need seatbelts? Everybody should just be a good driver" school of design.
[ link to this | view in chronology ]
Re: Ring isn't the problem
Sure, but you can't fix stupid. All you can do is cover your own ass in legalese and child safety devices for adults to avoid getting sued when stupid does what stupid does.
[ link to this | view in chronology ]
Rings "proper paperwork" is green with a presidents face on it.
they literally take cash directly to produce as much video footage from ANY ring device the cops want.
Whether thats an actual warrant case or just a cop that wants to spy on children getting undressed, ring doesn't give two shits and will happily give access to anyone and everyone for a fee.
Most of the "hackers" of ring are just people who said they were law enforcement and Ring did zero background checks and just handed over access.
[ link to this | view in chronology ]