Amazon Ring App Found To Be (Again) Exposing User Locations, Home Addresses
from the fool-me-once dept
While Amazon Ring and other doorbells certainly deliver a certain convenience, they've created no shortage of entirely new problems. Problems that could have been avoided with just a bit of foresight and ethical behavior. First comes the fact they're being integrated into our already accountability-optional law enforcement and intelligence apparatus. Then, like the rest of the "let's connect everything to the internet but do a shit job on basic security and privacy because it costs money" IOT sector, they can't be bothered to get the fundamentals right when it comes to consumer security.
The latest example involves Ring failing to adequately secure users information when they share to the Ring "Neighbors" portion of the Ring app. Journalists had already showcased how Ring's security standards were hot garbage. And while Amazon has taken some steps to address those concerns (like making two-factor authentication mandatory), this week it was revealed that Ring’s Neighbors app was exposing the precise locations and home addresses of users who had posted to the app:
"While users’ posts are public, the app doesn’t display names or precise locations — though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes."
Whoops-a-daisy!
The disclosure comes on the heels of a similar report from Gizmodo last year that found it wasn't too difficult to ferret out hidden data allowing journalists (and anybody else) to map the location of Ring users nationwide:
"Examining the network traffic of the Neighbors app produced unexpected data, including hidden geographic coordinates that are connected to each post—latitude and longitude with up to six decimal points of precision, accurate enough to pinpoint roughly a square inch of ground."
Neat! Ring's already facing a class action lawsuit from users not particularly happy about receiving death threats and racist slurs after their Ring smart cameras were hacked.
Purportedly, Ring's Neighborhood functionality is generally supposed to help communities band together and discuss potential security threats. Kind of a neighborhood watch for the modern era. More often, however, the functionality results in people engaging in paranoid hyperventilation about minorities or homeless people getting a skosh too close to the azaleas.
If you're going to be earning additional billions from selling access to consumer residential cameras to intelligence and law enforcement every year, it seems like the very least you can do is invest a little bit more in taking consumer privacy and security seriously, even if "caring about consumers" and "selling their camera surveillance and location data to any nitwit with a nickel" operate somewhat discordantly.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doorbell, locations, privacy, ring
Companies: amazon, ring
Reader Comments
Subscribe: RSS
View by: Time | Thread
It seems to me that selling access to intelligence and law enforcement means that they do not take privacy seriously. Given the attitude of US cops, being seen at a demonstration would be enough for the camera being used to monitor visitors to your house.
[ link to this | view in chronology ]
and just like every other industry and company in the USA that is making a fortune from customer data, regardless of the risks to customers themselves, not a damn thing will be done to stop or change this! so much privacy and freedom have been lost, or more like, taken away from us in the last 20 years-ish. i'll bet the Founding Fathers etc are turning in their graves! all the revolutions etc just to keep independant of the English influence, governing and rules dictating what could and couldn't happen or be done and a couple of hundred years later we are implementing ourselves the very rules that were deplored. where's the sense?
[ link to this | view in chronology ]
The best way to think about the Internet of Things (IoT) is by mixing it with Freud's theory of the instinctual part of the brain that is governed by self-interest and desire, or id. And when you mix this id + IoT... well, I rest my case.
[ link to this | view in chronology ]
and yet we still want self driving cars because they'll never malfunction or get hacked
[ link to this | view in chronology ]
Re:
the contemporary "normal" cars are bad enough.
[ link to this | view in chronology ]
Facts instead of hyperbole
While it is pretty egregious that location data is still attached to video that is shared to the Neighbors app, participating and using that Neighbors app is entirely optional. I have three Ring cameras. I don't participate or use the Neighbors app because I found it to be a nuisance. It is filled with idiots who are paranoid and racist (that's not hyperbole). The cameras themselves, and the video, are encrypted and protected by 2FA and one-time-use security codes. Even Ring techs can't view video without getting a one-time-use code from me. Videos are also not just handed over to law enforcement. That would require a valid subpoena and me turning over passwords to my account. The years-ago incident of so-called "hacking" wasn't actually "hacking" of Ring but examples of malicious actors taking advantage of idiot users with account passwords like "password", or even their home wifi being totally open with no security or password.
So, I'm not concerned about these BS things that gets reported because I know my setup is safe because I'm not an idiot. My cameras work very well and are secure.
[ link to this | view in chronology ]
Re: Facts instead of hyperbole
What makes you believe this to be true? You have an awful lot of faith in a company already shown to be lax about security.
[ link to this | view in chronology ]
Re: Re: Facts instead of hyperbole
I know it to be true.
[ link to this | view in chronology ]
Re: Facts instead of hyperbole
2FA only protects the remote login to your account, and not the videos that are stored online. Also, the one time use code is to enable someone else to login to your account, and has nothing to do with video encoding. Neither has a lot to do with preventing Amazon looking at, or enabling others to look at your videos.
[ link to this | view in chronology ]
Re: Re: Facts instead of hyperbole
Videos are encrypted. The one-time-use code is NOT to log into the account, it is to view the video. Each video requires a different one-time code.
[ link to this | view in chronology ]
Re: Facts instead of hyperbole
So what happens when someone asks the Court for a warrant to your account, without your say?
Do you think a 3rd party will deny it? NOT recently, and NOT in texas,
[ link to this | view in chronology ]
Re: Re: Facts instead of hyperbole
What happens when someone petitions the court for a warrant to access your phone records? To access your Apple phone? To access the inside of your home for a search?
[ link to this | view in chronology ]
Re: Facts instead of hyperbole
10-days in is a little early to declare E2E-encryption beta a success.
Also, no mention of a secure erase feature previously stored recordings.
The article was about location leaking metadata in their social sharing network. Think EXIF data not displayed in app, but not cleansed from the file/feed either.
None of that has anything to do with the article we are commenting on. We are both superfluous & hyperbolic to the topic at hand.
;)
[ link to this | view in chronology ]
Ethical behavior?
From the likes of Amazon, Google, Facebook, and their ilk? Not likely!
People need to learn to just say "No!" to all this IOT junk. Much easier than buying it and then filing a lawsuit, although maybe not as profitable.
[ link to this | view in chronology ]
Re: Ethical behavior?
100% agree.
And I mean this is great until everything we own becomes IOT crap. I can't live without a cell phone, but it absolutely is an IOT device.
What really needs to happen is that these companies get a slap that makes them change their behavior. filing a lawsuit is very personally profitable, but isn't going to change their business dynamics to make them alter their behaviors to at least make their shoddy IOT products more secure.
[ link to this | view in chronology ]
Why do people buy this crap?
First is the smart speakers which always listen in, then the doorbells which give away your location and if you're home or not.
[ link to this | view in chronology ]