Ring is a perfect storm of security threats


The Electronic Frontier Foundation (EFF) has called the Ring security camera system “a perfect storm of security threats”, finding its smartphone app packed with third-party trackers. Oh, and then there are all those camera hacks!

GadgetGuy asked Sam Bocetta, our US correspondent and senior security adviser, to check out Ring and the EFF claims. Sam is also writing a series on each FAANG member assessing their level of trust. He writes:

Established in 1990, the Electronic Frontier Foundation was founded in response to a series of actions by law enforcement agencies that led its founders to conclude that the authorities were gravely uninformed about emerging forms of online communication.

Since then it has become the leading not-for-profit digital rights organisation. It:

  • provides funds for legal defence in court, presents briefs, and defends individuals and new technologies from what it considers abusive legal threats
  • works to expose government malfeasance
  • provides guidance to the government and courts
  • organises political action and mass mailings
  • supports some new technologies which it believes preserve personal freedoms and online civil liberties
  • maintains a database and web sites of related news and information
  • monitors and challenges potential legislation that it believes would infringe on personal liberties and fair use
  • solicits a list of what it considers abusive patents with intentions to defeat those that it considers without merit.

So, when EFF speaks, we listen.

EFF says Ring is not just a product used for home security. Ring (owned by Amazon) surveils its owners for other monetisation purposes.

EFF found the Ring app has a plethora of third-party trackers sending customers’ personally identifiable information (PII) to four leading analytics and marketing companies. The information includes names, private IP addresses, mobile network carriers, persistent identifiers, and Ring device sensor data (time of day, location, image, voice, scene).

The real danger is that the analytics companies (including Amazon and Facebook) can use the unique Advertising ID to add that data to the customer’s private profile and send even more targeted advertising. The Ring app also feeds information from other apps on the smartphone – real-time spying.

All this takes place without meaningful user notification or consent. It gets worse when you use a free Neighbours app to nominate a neighbour or trusted third-party to receive security camera notifications – they are spied on too.

EFF states,

“Ring claims to prioritise the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short but harm the customers and community members who engage with Ring’s surveillance system. In the past, we’ve illuminated the mismanagement of user information which has led to data breaches, and the attempt to place the blame for such blunders at the customers’ feet.”

Ring – the gift that just keeps on snooping

You may not have seen this in Australia yet but it has scared the hell out of law-abiding citizens here.

EFF states that Ring has partnered with over 600 US police departments to hawk this new surveillance system (using homeowners’ Ring security camera feeds). It sends out masses of press statements and social media posts to promote Ring cameras. This creates a vicious cycle in which police promote the adoption of Ring, Ring terrifies people into thinking their homes are in danger, and then Amazon sells more cameras.


But my data is my data! Well, no!

Sorry, no. It belongs to Ring/Amazon, which has harvested pictures of people’s faces and posted them alongside accusations that they were guilty of a crime, without consulting the person pictured or the owners of the cameras.


According to Ring/Amazon terms of service, it has “an unlimited, irrevocable, fully-paid, and royalty-free, perpetual, worldwide right to re-use, distribute, store, delete, translate, copy, modify, display, sell, create derivative works,” concerning the footage taken from your front door.

Oh, and that does not include the personal data used by Amazon to sell you more stuff you did not know you need.

But wait there is more

Just before Xmas, Ring had an ‘alleged’ hack that exposed the personal data of more than 100,000 owners. Information including login names and passwords was posted on the dark web, enabling cybercriminals to log in and view Ring cameras.

Ring said it has notified 4,000 customers whose accounts were exposed and reset passwords but insists that it did not have a data breach.

That does not bode well for the little girl in Mississippi who was terrified when a Ring camera in her bedroom was compromised. There were three similar cases reported last month in Connecticut, Georgia, and Florida.


Lawsuits are starting. “Even as its customers are repeatedly hacked, spied on, and harassed by unauthorised third parties, Ring has made the non-credible assertions that it has not suffered any data breaches and that there are no problems with the privacy and security of its devices,” writes the plaintiff’s counsel from Tycko & Zavareei and Stueve Siegel Hanson.


Ring offers no comment.

GadgetGuy’s take – where there is smoke

Ring has responded by saying that breaches, not that it had any, are the customer’s fault because they often use the same password for all IoT or other accounts. But the system is flawed. Allowing logins from any internet-connected computer without multi-factor authentication (MFA) is convenient but insecure.

Ring says two-factor authentication is sufficient but it will only be enforced for new accounts.

We have nothing against Ring although its Stick Up Cam 2019 Gen 2 was one of the worst performers we have reviewed. It lost a lot of points because it did not meet the typical Amazon marketing hype.

But IoT privacy is the real issue

I object to the use of my camera for police surveillance. I object to the use of my images for Ring promotion. And I most strongly object to buying something from master marketer Amazon that uses my information to know too much about me anyway.

At CES 2020, Arlo, another security system maker, introduced Privacy as a Pledge. At face value, this pledge is impressive (read the link above), and it includes unambiguous statements.

Arlo states categorically – We

  • Don’t sell your data.
  • Don’t share your data.
  • Give you all the control.
  • Support privacy legislation.
  • Keep your data safely secured.
  • Made security part of our culture.

OK, Mr Ring/Amazon – we dare you to top this.