Ring Sued Because 'Taking Customers' Security Seriously' Means Selling Easily-Hijacked Cameras

from the DUMPSTER-FIRE-2019-???? dept

Amazon's Ring has been uniformly terrible ever since it decided its primary market (homeowners) should be treated with less care and concern than the market it's actually courting and subsidizing (law enforcement agencies).

Since it's not really in the customer service business anymore, the end users who thought they were buying some security and peace of mind have discovered they've actually become part of a law enforcement surveillance network run by a company that doesn't really seem to be in the security business.

A group of forum members found Ring cameras incredibly easy to hijack. Running scripts utilizing lists of credentials harvested from the web's many security breaches, some sociopathic idiots were able to brute force their way into taking control of devices. Their favorites were the ones equipped with mics, where they could verbally abuse and taunt unsuspecting Ring owners for the enjoyment of their podcast audience. (I really wish I were making that last part up but this is the internet we have.)

When the news cycle of "hacked" Ring cameras began, Ring was quick to point out this wasn't its fault. To a certain point, Ring is right. Ring says it encourages the use of two-factor authentication and strong passwords. Great. So do lots of IoT device makers. But very few are actually forcing their users to engage two-factor authentication prior to allowing the connected device to go "live" on the web. Ring isn't doing this either.

It's even worse in Ring's case. Ring says it's the customers that are wrong, but it does absolutely nothing to prevent this sort of hijacking. There's no lockout after a certain number of failed logins. No warnings are sent to owners about logins from unrecognized devices or IP addresses. Repeated failed login attempts aren't flagged as suspicious. For a company supposedly in the security business, this is a pretty insecure way to run a business.

It's this latest insecurity that's getting the company sued.

Amazon and its home security subsidiary Ring are facing a federal lawsuit in California over allegations that its "lax security standards" led to a series of invasive and frightening hacks over the past year.

The lawsuit, which alleges Ring security cameras have been hacked six times across the U.S., comes as Amazon's Ring faces a barrage of scrutiny from lawmakers, privacy advocates and the public over its cybersecurity standards and widespread partnerships with local police departments.

The lawsuit [PDF], filed by a victim of just such a "hacking" hopes to become a class action when it's all grown up and fully-represented. Until then, there's this incident, which happened to the plaintiff.

Plaintiff John Baker Orange is a resident of Jefferson County Alabama. He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00. The Ring camera was installed over his garage with a view of the driveway. Mr. Orange purchased the Ring camera to provide additional security for him and his family which include his wife and three children aged 7, 9, and 10. Recently, Mr. Orange’s children were playing basketball when a voice came on through the camera’s two-way speaker system. An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera. Once Mr. Orange learned of the incident, he changed the password on the Ring camera and enabled two-factor authentication. Prior to changing his password, Mr. Orange protected his Ring camera with a medium-strong password.

Orange alleges that Ring did almost nothing to protect its customers while promising its products will protect its customers.

Unfortunately, Ring does not fulfill its core promise of providing privacy and security for its customers, as its camera systems are fatally flawed. The Ring system is Wi-Fi enabled, meaning that it will not work without internet connectivity. Once connected, however, any internet device can be seen by the on-line community, making it incumbent upon its manufacturer to design the device such that it can be properly secured for only intended use. This obligation is even more critical in instances where the device, like the Ring camera, is related to the safety and security of person and property.

Ring failed to meet this most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack. Notably, Ring only required users enter a basic password and did not offer or did not compel two-factor authentication.

He's not wrong. Security is pretty much an afterthought for this security company. It likes to put its resources into pitching its products to cops, who can then hand the flawed products to citizens in exchange for possible glimpses of camera recordings in the future.

But is it enough to win a lawsuit? The plaintiff alleges negligence and a few other related torts, but he'll have to prove Ring deliberately sold a product it knew was insecure. Ring is probably aware of the lack of built-in security, but is it more deliberately negligent than any other IoT device maker that decides to dumb down security options to increase adoption and marketshare? And if it's just as terrible as its competitors, should that be enough to allow it to escape a lawsuit?

Maybe this one will hit Ring hard and force it and its competitors in the IoT marketplace to actually take the security of their customers seriously, rather than just saying that after their customers have already been compromised. Or maybe I just want Ring to get smacked around for pushing an insecure product on consumers with the assistance of over 600 law enforcement agencies. Ring has been an absentee landlord in its market, grabbing all the market share it can while leaving its millions of customers to fend for themselves when it comes to securing their devices properly.

Filed Under: doorbells, iot, lawsuit, ring, security
Companies: amazon, ring

Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names

from the Ring-PR-team-looking-to-expand:-masochism/sociopathy-a-plus! dept

The eternal flame that is Ring's dumpster fire of an existence continues to burn. In the past few months, the market leader in home surveillance products has partnered with over 600 law enforcement agencies to:

• Engage in law enforcement stings that don't sting anyone
• Teach cops how to bypass warrant requirements
• Sign up a bunch of people for its snitch app
• Use said snitch app to generate "suspicious person" alerts
• Blame users for not securing their cameras properly
• Admit the company places no restrictions on sharing of subpoenaed footage by law enforcement agencies
• Let everyone know it's collecting images of children

The latest bad news for Ring -- via Caroline Haskins of BuzzFeed -- is another PR black eye inflicted on a company whose face that still hasn't healed from the last half-dozen black eyes.

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people's Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.

Ring says this leak of personal data isn't its fault. The company claims there's been no breach. Maybe so, but the information is out there and presumably being exploited.

And it's kind of hard to take Ring's word for it. The company has been doing nothing but putting out PR fires ever since its law enforcement partnerships came to light earlier this year. And its explanation for where the sensitive data came from makes very little sense.

“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

Ring's spokesperson did not specify which other "companies" it suspected of carelessly handling device names given to Ring devices by Ring users. The spokesperson also failed to explain why Ring took no interest in this sensitive Ring user info until after the security researcher who discovered the compromised credentials discussed his findings on Reddit. "Unable to assist" is not a proper response to notification of a possible breach, but that's exactly what Ring reps told the researcher when he first informed them of what he had found.

Ring may have been quick to blame users for the commandeering of their cameras by a forum full of shitbirds, but the company does almost nothing to ensure users are protected from malicious activity. The only thing Ring does is recommend users utilize two-factor authentication and "strong passwords" (whatever that means). It does not alert users of attempted logins from unknown IP addresses or inform users how many users are logged in at any given time. Ring is doing less than the minimum to protect users but still seems to feel device hijackings are solely the fault of end users.

This is a garbage company. There's no way around it. Ring has prioritized market growth and law enforcement partnerships over the millions of citizens/customers who own its products. Rather than provide a secure product that makes people safer, it's selling a domestic surveillance product that comes with law enforcement strings attached. It has shown it will bend over backwards for the government but is only willing to deliver the most hollow of "we care about our customers" statements in response to news cycle after news cycle showing it absolutely gives zero fucks about its end users.

Filed Under: credentials, data breach, doorbells, leaks, ring, security
Companies: amazon, ring

Online Forum Members Exploited Weak Credentials To Turn Ring Cameras Against Their Owners

from the i-m-in-ur-house-yelling-at-ur-kids dept

To add to all the bad news that is Ring camera's life cycle to this point comes the report that a group of malcontents has been exploiting default/weak credentials to gain access to cameras. Joseph Cox has the this-would-be-funny-if-it-weren't-so-scary details at Motherboard.

Hackers have created dedicated software for breaking into Ring security cameras, according to posts on hacking forums reviewed by Motherboard. The camera company is owned by Amazon, which has hundreds of partnerships with police departments around the country.

On Wednesday, local Tennessee media reported that a hacker broke into a Ring camera installed in the bedroom of three young girls in DeSoto County, Mississippi, and spoke through the device's speakers with one of the children.

The family said they had the camera for four days, during which time the hacker could have been watching the kids go about their day.

There's not much actual hacking going on. What appears to be happening is purchasers aren't choosing unique passwords when they set up their cameras. They also aren't using the two-factor authentication Ring recommends.

There are enough cameras out there (and more being installed every day) that there's an entire forum set up just for the hijacking of Ring cameras/doorbells. Forum members are selling exploit tools to each other which allow these jackasses to brute force Ring devices using credentials (usernames/email addresses and passwords) found elsewhere on the web.

The popular exploitables have even spawned a podcast featuring unsuspecting device owners being trolled by jerks who have gained access to Ring and Nest cameras. This is what's in store for device owners who haven't properly secured their new purchases.

A blaring siren suddenly rips through the Ring camera, startling the Florida family inside their own home.

"It's your boy Chance on Nulled," a voice says from the Ring camera, which a hacker has taken over. "How you doing? How you doing?"

"Welcome to the NulledCast," the voice says.

The NulledCast is a podcast livestreamed to Discord. It's a show in which hackers take over people's Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners. In the example above, Chance blared noises and shouted racist comments at the Florida family.

Good times. Nulled forum members are starting to scatter, now that Joseph Cox has shined a light on their dirty little games. The Nulled admin has nailed an unbelievable statement to the top of the forum, saying that Nulled does not tolerate the "harassments of individuals over Ring cameras or any similar." This posting followed some "unscheduled maintenance," which occurred shortly after Motherboard's first article on Ring exploitation went live.

Panic has ensued. Cox reports the forum is in disarray, with members quitting or changing their usernames. Some appeared to be worried law enforcement is all over this. Others think the only ones going to jail are the members who participated in the podcasted Ring hijacking.

But it's not over yet. A few members appear to be willing to roll the dice on possible legal charges.

It doesn't seem the livestreaming of Ring hacking is going to end just yet, however.

"Podcast dead?" one user on the Nulled Discord asked Wednesday night.

Another user replied, "Nope. Tune in Friday. Like and subscribe."

Perhaps the focus of the podcast will change. Considering the channel's been dedicated to finding exploitable devices and exploiting them to create content, any pivot will likely be short lived.

In the meantime, Ring is doing about the only responsible thing it's ever done.

"As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords," [Ring] added.

Perhaps more education of consumers is in order. Security recommendations are great, but purchasers appear to feel installing the cameras is the end of the job. It's one thing to get your sidewalk-facing doorbell camera hacked. It's quite another to have your interior cameras turned against you. The Internet of Things continues to be awful. Ring's general awfulness kind of obscures the fact that this particular debacle isn't really Ring's fault. But it could be doing more. It could prevent deployment until two-factor authentication is engaged. And it could ease up a bit on its promises of home security when the default setup process allows outsiders to virtually enter the homes of Ring owners.

Filed Under: hackers, harassment, podcast, ring
Companies: amazon, ring

Cops Offered Deeper Discounts On Ring Cameras Depending On How Much Of The Neighborhood The Cameras Would Surveil

from the sweet-goddamn-christ-wtf-is-wrong-with-you dept

"You know what would be cool," said the consumer product that wished it was a cop? "If everything we made catered to law enforcement rather than the end user." That's the Ring business model: make inroads with security-conscious homeowners by inserting them into a toxic ecosystem that includes a snitch app that amps up the worst aspects of humanity, and breaks down the walls between "sharing" and "giving law enforcement agencies footage they can keep and distribute forever without limitation."

Ring doorbells have 95% of the doorbell camera market. That's a lot of "fuck you" market share. Ring says all doorbell camera footage belongs to homeowners, even as it renders homeowners extraneous by handing over footage stored in the cloud in response to subpoenas. Ring says it cares about the privacy of its customers, even as it tallies up doorbell rings and partners with law enforcement in sting operations.

The never ending negative news cycles continues for Ring with these details tucked away in another long, scathing report on the the doorbell company that wants so badly to be deputized, it's willing to cross lines most tech companies aren't willing to cross.

Caroline Haskins of Vice has been tracking Ring's incestuous relationship with law enforcement for several months now, using a slew of public records requests to make the things Ring and law enforcement don't want to discuss publicly public.

In her latest post -- one that should be read start to finish, especially if you haven't kept current with Ring's endless deluge of self-owns -- Haskins points out some more reprehensible behavior by the home security company that thinks it's a domestic surveillance contractor.

Being a good citizen involves more than flying an American flag over your driveway.

West Hollywood, CA distributed flyers advertising its Ring subsidy program at voter registration events, according to documents obtained by Motherboard. West Hollywood also sold subsidized Ring products “exclusively” to residents in areas moderated by neighborhood watches. Everyone who bought a discounted camera was added to a registry list with their name and address.

Ah, there's nothing more American than implicating the First and Fourth Amendments at the same time. The only way this would have been more American is if law enforcement asked citizens to turn over their weapons until troops were done staying at their homes.

Ask not what your [insert law enforcement agency name here] can do for you. Ask what you can do for [REDONDO BEACH POLICE DEPARTMENT].

Police from Redondo Beach, CA even used the pretense of camera registries to determine who should get a discount and who shouldn’t, according to a city council meeting memo obtained by Motherboard. Police said that they inspected the facades of homes of each applicant, and looked for who had the most “optimal viewpoints that could assist with criminal investigations.”

Kind of fucked up. What makes it really fucked up is the Redondo Beach PD offered steeper discounts to homeowners who agreed to place cameras in areas where they could capture footage "of the entire block" (60% stipend) or a "neighboring residence" (50% stipend).

Meanwhile, further north, Green Bay, WI police handed out cameras to residents under a "loan" program that predicated end user "ownership" on police ownership of all footage.

The implicit ask becomes explicit. Ring has partnered with 600+ law enforcement agencies. There's no reason to believe what's been revealed here is an anomaly.

Filed Under: doorbells, police, privacy, ring, surveillance
Companies: amazon, ring

Cops Are Running Ring Camera Footage Through Their Own Facial Recognition Software Because Who's Going To Stop Them

from the ALL-DOORS-ARE-RECORDED dept

Ring may be holding off on adding facial recognition tech to its already-problematic security cameras, but that's not stopping any of its not-exactly-end-users from doing it for themselves.

Ring is swallowing up the doorbell camera market with aggressive marketing that includes the free use of taxpayer-funded services. It calls over 600 law enforcement agencies "partners." In exchange for agency autonomy and free cameras, police departments all over the nation are pushing cameras on citizens and asking them to upload anything interesting to Ring's "I saw someone brown in my neighborhood" app, Neighbors.

The company that has someone in charge of its facial recognition division Ring claims it's not using to implement facial recognition tech is handing out cameras like laced candy. Law enforcement agencies are snatching the cameras up. And they're snatching the footage up, using subpoenas to work around recalcitrant homeowners. Once they have the footage, they can keep it forever and share it with whoever they want.

They can also run the footage through whatever hardware or software they have laying around, as Caroline Haskins reports for BuzzFeed.

Amazon does not offer the ability to recognize faces in footage on its Ring doorbell cameras. But just one month after police in Chandler, Arizona, received 25 surveillance cameras for free from the company, the department's then–assistant chief discussed using its own facial recognition technology on Ring footage at a meeting of the International Association of Chiefs of Police, according to his slideshow obtained in a public records request.

In an April presentation titled “Leveraging Consumer Surveillance Systems,” Jason Zdilla discussed various consumer surveillance devices and platforms. Examples cited in the presentation included Ring cameras and the Neighbors app.

It's the perfect storm of unaccountability. Footage can be obtained from Ring with a subpoena. Ring hands it over with zero strings attached. Cop shop runs it through the Zoom Enhancer and any databases it has or has access to. Bingo: facial recognition in cameras supplied by a company that says it's not all that into facial recognition at the moment.

Now, you may be wondering why this is a big deal. Why does any of this matter when other surveillance systems with cloud storage are likely similarly responsive to subpoenas and place no restrictions on footage they hand over to law enforcement?

Well, two things: first, Ring claims all footage belongs to camera owners, but treats camera owners as if they're not a stakeholder when it comes to sharing their recordings with the government.

Second -- and far more importantly -- Ring aggressively courts police departments as "partners," turning consumer products into unofficial extensions of existing government camera networks. Ring hands out free cameras to cops and hands out even more freebies if cops convince homeowners to download the Neighbors app and share as much footage as possible. Ring also takes control of all PR efforts and official statements involving Ring doorbells that cops have given to citizens. And Ring coaches cops how to obtain footage without having to trouble the courts with a warrant.

This is unlike any other company in the home security business. Ring's assimilation of hundreds of law enforcement agencies blurs the line between public and private in the name of commerce. Taxpayers are contributing to their own co-opting into a surveillance mesh network propelled by one of the largest companies in the world. This isn't acceptable. But the longer Ring's expansion remains unchecked, the sooner its behavior will become normalized. And once it's normalized, it's over.

Filed Under: cameras, doorbells, facial recognition, police, ring
Companies: amazon, ring

Ring Coyness About Adding Facial Recognition Tech To Its Cameras Doesn't Extend To Its Marketing Materials

from the unreasonable-suspicion dept

Ring may say it's not getting into the facial recognition business, but its internal documents say otherwise. The company has a head of facial recognition tech in its Ukraine office. And its answers to Senator Edward Markey's questions make it clear Ring hasn't ruled out adding this tech to its doorbell cameras. Specifically, the company said it had no plans at the present but was always looking to "innovate" to meet "customer demand."

Documents obtained by The Intercept show Ring is still "innovating," even if there's no apparent customer demand for facial recognition tech. Sam Biddle has the details:

Ring, Amazon's crimefighting surveillance camera division, has crafted plans to use facial recognition software and its ever-expanding network of home security cameras to create AI-enabled neighborhood “watch lists,” according to internal documents reviewed by The Intercept.

The planning materials envision a seamless system whereby a Ring owner would be automatically alerted when an individual deemed “suspicious” was captured in their camera’s frame, something described as a “suspicious activity prompt.”

In the mockup seen by The Intercept, "suspicious" apparently translates to "shabbily dressed man." This person is shown walking past a garage-mounted camera (which the company says users shouldn't point at public areas like streets and sidewalks) with the alert "This person appears to be acting suspicious."

Dress better, citizens. Otherwise, your image might be uploaded to Ring's snitch app, Neighbors, where local randos can collectively gin up fear and sic the cops on you. Nowhere in the document does Ring define what triggers its "suspicion" sensors.

Here's where the facial recognition tech is pitched but never named specifically:

A third potentially invasive feature referenced in the Ring documents is the addition of a “proactive suspect matching” feature, described in a manner that strongly suggests the ability to automatically identify people suspected of criminal behavior — again, whether by police, Ring customers, or both is unclear — based on algorithmically monitored home surveillance footage. Ring is already very much in the business of providing — with a degree of customer consent — valuable, extrajudicial information to police through its police portal. A “proactive” approach to information sharing could mean flagging someone who happens to cross into a Ring video camera’s frame based on some cross-referenced list of “suspects,”

Ring may not have facial recognition tech built in (yet), but plenty of police departments utilize or have access to this software. Any images or footage shared with law enforcement agencies -- either voluntarily by Ring owners or acquired with a subpoena from the company -- can be subjected to facial recognition tech and placed on a Ring-enabled "watchlist."

Ring remains mostly a dump pipe in this scenario, but its aggressive marketing to law enforcement suggests it wants its 600+ government partners to take advantage of the tools they have on hand to make the most of footage cops are invited to download and hold onto indefinitely. Ring can then remain in a state of plausible deniability when being questioned by critics and/or Congress while still giving hundreds of law enforcement agencies all the reason they need to act as Ring brand ambassadors.

Filed Under: doorbells, facial recognition, ring, ring doorbells
Companies: amazon, ring

Amazon: Cops Can Get Recordings From Ring, Keep Them Forever, And Share Them With Whoever They Want

from the prime-video dept

Even more alarming news has surfaced about Amazon's Ring doorbell/camera and the company's ultra-cozy relationship with police departments.

Since its introduction, Ring has been steadily increasing its market share -- both with homeowners and their public servants. At the beginning of August, this partnership included 200 law enforcement agencies. Three months later, that number has increased to 630.

What do police departments get in exchange for agreeing to be Ring lapdogs? Well, they get a portal that allows them to seek footage from Ring owners, hopefully without a warrant. They also get a built-in PR network that promotes law enforcement wins aided by Ring footage, provided the agencies are willing to let Ring write their press releases for them.

They also get instructions on how to bypass warrant requirements to obtain camera footage from private citizens. Some of this is just a nudge -- an unstated quid pro quo attached to the free cameras cops hand out to homeowners. Some of this is actual instructions on how to word requests so recipients are less likely to wonder about their Fourth Amendment rights. And some of this is Ring itself, which stores footage uploaded by users for law enforcement perusal.

If it seems like a warrant might slow things down -- or law enforcement lacks probable cause to demand footage -- Ring is more than happy to help out. Footage remains a subpoena away at Ring HQ. And, more disturbingly, anything turned over to police departments comes with no strings attached.

Statements given to Sen. Edward Markey by Amazon indicate footage turned over to cops is a gift that keeps on giving.

Police officers who download videos captured by homeowners’ Ring doorbell cameras can keep them forever and share them with whomever they’d like without providing evidence of a crime, the Amazon-owned firm told a lawmaker this month.

Brian Huseman, Amazon's VP of Public Policy, indicates the public is kind of an afterthought when it comes to Ring and its super-lax policies.

Police in those communities can use Ring software to request up to 12 hours of video from anyone within half a square mile of a suspected crime scene, covering a 45-day time span, Huseman wrote. Police are required to include a case number for the crime they are investigating, but not any other details or evidence related to the crime or their request.

Ring itself maintains that it's still very much into protecting users and their safety. Maybe not so much their privacy, though. The company says it takes the "responsibility" of "protecting homes and communities" very seriously. But when it comes to footage, well… that footage apparently belongs to whoever it ends up with.

Ring… "does not own or otherwise control users’ videos, and we intentionally designed the Neighbors Portal to ensure that users get to decide whether to voluntarily provide their videos to the police.”

It's obvious Ring does not "control" recordings. Otherwise, it would place a few more restrictions on the zero-guardrail "partnerships" with law enforcement agencies. But pretending Ring owners are OK with cops sharing their recordings with whoever just because they agreed to share the recording with one agency is disingenuous.

Ring's answers to Markey's pointed questions are simply inadequate. As the Washington Post article notes, Ring claims it makes users agree to install cameras so they won't record public areas like roads or sidewalks, but does nothing to police uploaded footage to ensure this rule is followed. It also claims its does not collect "personal information online from children under the age of 13," but still proudly let everyone know how many trick-or-treaters came to Ring users' doors on Halloween. And, again, it does not vet users' footage to ensure they're not harvesting recordings of children under the age of 13.

The company also hinted it's still looking at adding facial recognition capabilities to its cameras. Amazon's response pointed to competitors' products utilizing this tech and said it would "innovate" based on "customer demand."

While Ring's speedy expansion would have caused some concern, most of that would have been limited to its competitors. That it chose to use law enforcement agencies to boost its signal is vastly more concerning. It's no longer just a home security product. It's a surveillance tool law enforcement agencies can tap into seemingly at will.

Many users would be more than happy to welcome the services of law enforcement if their doorbell cameras captured footage of criminal act that affected them, but Ring's network of law enforcement partners makes camera owners almost extraneous. If cops want footage, Ring will give it to them. And then the cops can do whatever they want with it, even if it doesn't contribute to ongoing investigations.

These answers didn't make Sen. Markey happy. Hopefully, other legislators will find these responses unsatisfactory and start demanding more -- both from law enforcement agencies and Ring itself.

Filed Under: doorbell, ed markey, police, privacy, ring, videos
Companies: amazon, ring

Ring Spends The Week Collecting Data On Trick-Or-Treating Kids And Being An Attack Vector For Home WiFi Networks

from the going-to-have-to-mark-this-'needs-improvement' dept

Nothing owns like a self-own. And Ring -- Amazon's doorbell surveillance project -- is so into self-abuse, it's almost kinky. It's a DOM when it picks up another submissive law enforcement partner (400+ at last count, so maybe get tested if you install a doorbell without protection). Any other time, it seems to be a relentlessly cheery masochist. Hopefully it's deriving some pleasure from the endless negative news cycles. Maybe 95% market share heals all wounds.

Ring is putting the "creep" back in the phrase "surveillance creep." While there's some value to keeping an eye on your front doorstep when you're expecting an expensive delivery, the downside is Ring might be letting cops know you've got a camera on your house. What it won't be letting you know is that it will part with your footage at the drop of a subpoena.

If you're not eyeballing your neighbors by proxy, you're not living right. That's the message of the Neighbors app, which is pushed by Ring and cops alike. Breaking down "sharing" barriers is the first step toward bypassing the warrant process. Ring is the grease and the wheel.

The pushback against Ring's law enforcement adoption offensive has had minimal effect on the company. It continues undeterred, even as it attempts to explain both its lack of interest in adding facial recognition software to its doorbells and its retention of a facial recognition division head. It's things like this that make one believe the public's opinion ultimately doesn't matter, not if Ring can convince enough cop shops to start pushing its offerings on the public.

Ring is back in the news again. And, again, it's not because it did anything right. Or competently.

First, Buzzfeed reports the doorbell company is as tone deaf as it is dominant in its market sector. What Ring thinks is cute and fun is actually just very, very creepy.

In a company blog and series of Instagram stories, posted Monday and Tuesday, the company showed that it collects, stores, and analyzes sensitive data about how, when, and where people use its doorbell cameras. Ring said that nationwide, its doorbell cameras were activated 15.8 million times on Halloween. The company makes several other types of surveillance cameras in addition to its doorbell camera.

As it has on other occasions, like Super Bowl Sunday, Ring turned Halloween into a marketing opportunity. As reported by Mashable, Ring circulated videos of children on Halloween on Twitter. Ring also promoted Halloween-themed skins to decorate doorbell cameras on its company blogs and Instagram. However, in promoting itself as a family-friendly company, Ring showed that it collects user data on a granular level.

Friends, neighbors, visitors… children -- nothing but data and footage to be used to promote Ring's version of everyday life in the United States. The information a Ring doorbell collects belongs to Ring, not its customers. And if it belongs to Ring, it can be had without a warrant in most cases. Ring knows how often customers' doorbells ring. It says it anonymizes this data, but first you have to trust that it actually did what it said it did. And then you have to believe anonymizing data actually anonymizes it, which it kind of doesn't.

But trading trick-or-treating kids for social media impressions isn't the only headline Ring made this past week. It also showed it's not immune to the IoT curse: connected "smart' things tend to be attack vectors. And if they're not actually being attacked, they're just giving info away to whoever wants it.

A vulnerability in the Amazon Ring doorbells could have exposed homes’ WiFi username and password to hackers.

Discovered earlier this year by Romanian cybersecurity firm Bitdefender, the issue caused users’ WiFi credentials to be transmitted unencrypted while they were setting up the internet-connected device.

“When entering configuration mode, the device receives the user’s network credentials from the smartphone app,” Bitdefender notes. “Data exchange is performed through plain HTTP, which means that the credentials are exposed to any nearby eavesdroppers.”

While this method requires a hacker to be near the doorbell or on the targeted WiFi network in order to intercept the credentials, this doesn't mean exploitation is only a crime of opportunity. As Bitdefender noted, hackers could flood the device with de-authentication messages which would kick the doorbell off the network. When Ring users try to reconnect their doorbell to their network, hackers could jump in and grab the credentials as they sail by in plaintext.

The good news is this issue has been fixed. The bad news is this is the second time Ring's doorbells have been caught handing out WiFi credentials. At least last time, malicious hackers needed physical access to the doorbell. The last misstep allowed hackers to stay in their cars.

The further bad news is Ring is still Ring and mainly interested in turning doorbells in spy cams that can be easily accessed by its hundreds of law enforcement "partners." It has never expressed any sincere desire to protect the privacy of its users. As far as it's concerned, every camera is just another eye it owns, feeding it footage and data it can use at will.

Filed Under: doorbell, halloween, police, ring, surveillance
Companies: amazon, ring

Civil Rights Groups Ask Legislators To Block Ring's Surveillance Partnerships With Law Enforcement

from the and-we'll-see-what-legislators-actually-care dept

If Amazon's not interested in scaling back its aggressive rollout of Ring doorbell/cameras -- a rollout achieved largely through partnerships with law enforcement agencies -- maybe some legislators will be willing to step in.

Amazon's Ring has nailed down 95% of the doorbell camera market. Some of this is due to name recognition. Amazon and doorsteps go together and who wouldn't want a passive eyeball "guarding" the front door to deter package thieves from walking off with a homeowner's purchased goods?

But Amazon has also received a lot of support from hundreds government agencies. Amazon gives local police departments discounts on the cameras in exchange for pushing residents to use Ring's snitch app, Neighbors. The app encourages users to post footage of suspicious happenings, further erasing the line between public and private, and making Ring owners more receptive to law enforcement requests for footage.

The wheels are further greased by law enforcement, which gives these cameras away to homeowners (sometimes even going so far as to help install them) with the implicit suggestion homeowners will return the favor when cops make warrantless requests for recordings. If law enforcement agencies feel uneasy about this public/private partnership, Ring is more than willing to handle agencies' PR work by issuing press releases and editing planned public statements.

Ring also provides a portal for officers to request footage from camera owners. There's nothing in the process that encourages the use of a warrant. If users reject the request, cops can just grab a subpoena and get it from Ring directly, bypassing warrant requirements completely.

The rollout continues unabated, with Ring receiving another PR black eye with every set of released public records. At some point, Ring was providing officers with a map of every installed Ring camera -- even those officers didn't hand out themselves. It also gave officers stats on how often their warrantless requests for recordings were rejected. Ring has also claimed it won't be adding facial recognition tech to its cameras (yet), but it also employs a "Head of Facial Recognition Tech."

Since Ring's not going to stop being Ring, a coalition of more than 30 civil rights groups is asking legislators to start paying attention to what's happening on millions of doorsteps in America. (via Boing Boing)

Today, 30+ civil rights organizations signed an open letter sounding the alarm about Amazon’s spreading Ring doorbell partnerships with police. The letter calls on local, state, and federal officials to use their power to investigate Amazon Ring’s business practices, put an end to Amazon-police partnerships, and pass oversight measures to deter such partnerships in the future.

Specifically, the letter asks city, state, and federal legislators to step into the regulatory void created by this new market -- one that expands government surveillance powers by tying law enforcement agencies to cameras owned by private citizens.

Amazon Ring partnerships with police departments threaten civil liberties, privacy and civil rights, and exist without oversight or accountability. Given its significant risks, no surveillance partnerships with Amazon Ring should have been established, or should be established in the future, without substantial community engagement and input and elected official approval. To that end, we call on mayors and city councils to require police departments to cancel any and all existing Amazon Ring partnerships, and to pass surveillance oversight ordinances that will deter police departments from entering into such agreements in the future. We further call on Congress to investigate Ring’s practices and demand more transparency from the company.

Fight for the Future points out footage obtained by law enforcement agencies can be held onto indefinitely. Once stored locally, agencies are free to apply facial recognition tech Ring hasn't added to its product yet. They can also turn this over to federal agencies like ICE and the FBI without needing to go through the hassle of receiving a judge's signature.

And if legislators aren't worried about police access to footage, maybe they'll show some concern about Ring's access to its cameras. Contractors employed by Ring have access to live footage as well as any recordings stored in its cloud.

Ring has cornered the market. It also has 400+ law enforcement agencies in its pocket. The expansion isn't slowing and Ring has shown it's willing to speak on behalf of the government through press releases and to edit the government's statements if it doesn't like what's being said. This isn't normal. And the potential downsides of allowing cops and private companies to coexist as equal partners in surveillance have just begun to be explored.

Filed Under: cameras, doorbells, law enforcement, police, surveillance
Companies: amazon, ring

Ring Considered Using 911 Calls To Trigger Automated Streaming Of Camera Footage To Local PDs

from the bringing-the-police-state-home dept

Amazon's Ring doorbell/camera venture hasn't met a news cycle it can't fill with unintentionally-bad PR. Every time someone thinks they've heard the last odious effort by this company to become an unofficial extension of police department surveillance networks, another set of documents obtained through public records requests resets the counter to "zero days since last PR black eye."

To date, the company that's already formed partnerships with nearly 400 law enforcement agencies has:

• Instructed cops on how to obtain doorbell footage without a warrant
• Provided cops with info on how often their requests are rejected by citizens
• Written/re-written public statements involving Ring cameras for law enforcement agencies
• Engaged in a heavily-publicized sting operation that failed to net any criminals
• Denied it wants to implement facial recognition technology while employing a "Head of Facial Recognition Technology"

Here's the latest PR coup by the expert self-maligners, as reported by Alfred Ng for CNET:

Ring considered building a tool that would use calls to the 911 emergency number to automatically activate the video cameras on its smart doorbells, according to emails obtained by CNET. The Amazon-owned company isn't currently working on the project, but it told a California police department in August 2018 that the function could be introduced in the "not-so-distant future."

One email obtained by CNET expressed the company's desire to implement a "call-for-service" trigger for recording. And not just recording. The cameras would start streaming footage to police departments partnering with Ring to give them a live feed of the affected (triggered?) area. Ring doorbell users would have to opt in, at least, but the pressure to do so would obviously be increased if the users got their doorbell cameras for free from their friendly local PD.

It appears this plan has been ditched, which will allow Ring to steer clear of at least one more terrible news cycle. That being said, everything else that's bad about this private/public partnership remains true, which isn't going to somehow start being less bad any time soon.

Ring's stated prioritization of customer privacy continues to ring (sorry) hollow. The company pushes users and police departments to gravitate towards its snitch app, where users can be encouraged to "share" footage of "suspicious" events, relieving cops of the burden of requesting footage from users or Ring itself. Investigators can still approach Ring directly for camera footage if residents aren't willing to cooperate. Ring says it only complies with "lawful demands" for recordings. What it doesn't say it that the "lawful demand" is usually a subpoena, not a warrant.

This is working out well for Ring. It's probably also working out fine for local law enforcement agencies. The latter seems very willing to cede creative control to Ring, so whatever relationship these parties have must be beneficial enough that cop shops don't mind taking a backseat to Ring's spin team. Ring seems willing to ride out these turbulent news cycles without making any changes to its business model. And why should it? It has claimed over 95% of the doorbell/camera market and is living rent-free in the hearts and minds of over 400 law enforcement agencies.

Filed Under: 911 calls, doorbells, police, privacy, streaming
Companies: amazon, ring