Ring Sued Because 'Taking Customers' Security Seriously' Means Selling Easily-Hijacked Cameras
from the DUMPSTER-FIRE-2019-???? dept
Amazon’s Ring has been uniformly terrible ever since it decided its primary market (homeowners) should be treated with less care and concern than the market it’s actually courting and subsidizing (law enforcement agencies).
Since it’s not really in the customer service business anymore, the end users who thought they were buying some security and peace of mind have discovered they’ve actually become part of a law enforcement surveillance network run by a company that doesn’t really seem to be in the security business.
A group of forum members found Ring cameras incredibly easy to hijack. Running scripts utilizing lists of credentials harvested from the web’s many security breaches, some sociopathic idiots were able to brute force their way into taking control of devices. Their favorites were the ones equipped with mics, where they could verbally abuse and taunt unsuspecting Ring owners for the enjoyment of their podcast audience. (I really wish I were making that last part up but this is the internet we have.)
When the news cycle of “hacked” Ring cameras began, Ring was quick to point out this wasn’t its fault. To a certain point, Ring is right. Ring says it encourages the use of two-factor authentication and strong passwords. Great. So do lots of IoT device makers. But very few are actually forcing their users to engage two-factor authentication prior to allowing the connected device to go “live” on the web. Ring isn’t doing this either.
It’s even worse in Ring’s case. Ring says it’s the customers that are wrong, but it does absolutely nothing to prevent this sort of hijacking. There’s no lockout after a certain number of failed logins. No warnings are sent to owners about logins from unrecognized devices or IP addresses. Repeated failed login attempts aren’t flagged as suspicious. For a company supposedly in the security business, this is a pretty insecure way to run a business.
It’s this latest insecurity that’s getting the company sued.
Amazon and its home security subsidiary Ring are facing a federal lawsuit in California over allegations that its “lax security standards” led to a series of invasive and frightening hacks over the past year.
The lawsuit, which alleges Ring security cameras have been hacked six times across the U.S., comes as Amazon’s Ring faces a barrage of scrutiny from lawmakers, privacy advocates and the public over its cybersecurity standards and widespread partnerships with local police departments.
The lawsuit [PDF], filed by a victim of just such a “hacking” hopes to become a class action when it’s all grown up and fully-represented. Until then, there’s this incident, which happened to the plaintiff.
Plaintiff John Baker Orange is a resident of Jefferson County Alabama. He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00. The Ring camera was installed over his garage with a view of the driveway. Mr. Orange purchased the Ring camera to provide additional security for him and his family which include his wife and three children aged 7, 9, and 10. Recently, Mr. Orange’s children were playing basketball when a voice came on through the camera’s two-way speaker system. An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera. Once Mr. Orange learned of the incident, he changed the password on the Ring camera and enabled two-factor authentication. Prior to changing his password, Mr. Orange protected his Ring camera with a medium-strong password.
Orange alleges that Ring did almost nothing to protect its customers while promising its products will protect its customers.
Unfortunately, Ring does not fulfill its core promise of providing privacy and security for its customers, as its camera systems are fatally flawed. The Ring system is Wi-Fi enabled, meaning that it will not work without internet connectivity. Once connected, however, any internet device can be seen by the on-line community, making it incumbent upon its manufacturer to design the device such that it can be properly secured for only intended use. This obligation is even more critical in instances where the device, like the Ring camera, is related to the safety and security of person and property.
Ring failed to meet this most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack. Notably, Ring only required users enter a basic password and did not offer or did not compel two-factor authentication.
He’s not wrong. Security is pretty much an afterthought for this security company. It likes to put its resources into pitching its products to cops, who can then hand the flawed products to citizens in exchange for possible glimpses of camera recordings in the future.
But is it enough to win a lawsuit? The plaintiff alleges negligence and a few other related torts, but he’ll have to prove Ring deliberately sold a product it knew was insecure. Ring is probably aware of the lack of built-in security, but is it more deliberately negligent than any other IoT device maker that decides to dumb down security options to increase adoption and marketshare? And if it’s just as terrible as its competitors, should that be enough to allow it to escape a lawsuit?
Maybe this one will hit Ring hard and force it and its competitors in the IoT marketplace to actually take the security of their customers seriously, rather than just saying that after their customers have already been compromised. Or maybe I just want Ring to get smacked around for pushing an insecure product on consumers with the assistance of over 600 law enforcement agencies. Ring has been an absentee landlord in its market, grabbing all the market share it can while leaving its millions of customers to fend for themselves when it comes to securing their devices properly.