Ring Sued Because 'Taking Customers' Security Seriously' Means Selling Easily-Hijacked Cameras

from the DUMPSTER-FIRE-2019-???? dept

Amazon’s Ring has been uniformly terrible ever since it decided its primary market (homeowners) should be treated with less care and concern than the market it’s actually courting and subsidizing (law enforcement agencies).

Since it’s not really in the customer service business anymore, the end users who thought they were buying some security and peace of mind have discovered they’ve actually become part of a law enforcement surveillance network run by a company that doesn’t really seem to be in the security business.

A group of forum members found Ring cameras incredibly easy to hijack. Running scripts utilizing lists of credentials harvested from the web’s many security breaches, some sociopathic idiots were able to brute force their way into taking control of devices. Their favorites were the ones equipped with mics, where they could verbally abuse and taunt unsuspecting Ring owners for the enjoyment of their podcast audience. (I really wish I were making that last part up but this is the internet we have.)

When the news cycle of “hacked” Ring cameras began, Ring was quick to point out this wasn’t its fault. To a certain point, Ring is right. Ring says it encourages the use of two-factor authentication and strong passwords. Great. So do lots of IoT device makers. But very few are actually forcing their users to engage two-factor authentication prior to allowing the connected device to go “live” on the web. Ring isn’t doing this either.

It’s even worse in Ring’s case. Ring says it’s the customers that are wrong, but it does absolutely nothing to prevent this sort of hijacking. There’s no lockout after a certain number of failed logins. No warnings are sent to owners about logins from unrecognized devices or IP addresses. Repeated failed login attempts aren’t flagged as suspicious. For a company supposedly in the security business, this is a pretty insecure way to run a business.

It’s this latest insecurity that’s getting the company sued.

Amazon and its home security subsidiary Ring are facing a federal lawsuit in California over allegations that its “lax security standards” led to a series of invasive and frightening hacks over the past year.

The lawsuit, which alleges Ring security cameras have been hacked six times across the U.S., comes as Amazon’s Ring faces a barrage of scrutiny from lawmakers, privacy advocates and the public over its cybersecurity standards and widespread partnerships with local police departments.

The lawsuit [PDF], filed by a victim of just such a “hacking,” hopes to become a class action when it’s all grown up and fully-represented. Until then, there’s this incident, which happened to the plaintiff.

Plaintiff John Baker Orange is a resident of Jefferson County, Alabama. He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00. The Ring camera was installed over his garage with a view of the driveway. Mr. Orange purchased the Ring camera to provide additional security for him and his family, which includes his wife and three children aged 7, 9, and 10. Recently, Mr. Orange’s children were playing basketball when a voice came on through the camera’s two-way speaker system. An unknown person engaged with Mr. Orange’s children, commenting on their basketball play and encouraging them to get closer to the camera. Once Mr. Orange learned of the incident, he changed the password on the Ring camera and enabled two-factor authentication. Prior to changing his password, Mr. Orange protected his Ring camera with a medium-strong password.

Orange alleges that Ring did almost nothing to protect its customers while promising its products will protect its customers.

Unfortunately, Ring does not fulfill its core promise of providing privacy and security for its customers, as its camera systems are fatally flawed. The Ring system is Wi-Fi enabled, meaning that it will not work without internet connectivity. Once connected, however, any internet device can be seen by the on-line community, making it incumbent upon its manufacturer to design the device such that it can be properly secured for only intended use. This obligation is even more critical in instances where the device, like the Ring camera, is related to the safety and security of person and property.

Ring failed to meet this most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack. Notably, Ring only required users to enter a basic password and did not offer or did not compel two-factor authentication.

He’s not wrong. Security is pretty much an afterthought for this security company. It likes to put its resources into pitching its products to cops, who can then hand the flawed products to citizens in exchange for possible glimpses of camera recordings in the future.

But is it enough to win a lawsuit? The plaintiff alleges negligence and a few other related torts, but he’ll have to prove Ring deliberately sold a product it knew was insecure. Ring is probably aware of the lack of built-in security, but is it more deliberately negligent than any other IoT device maker that decides to dumb down security options to increase adoption and market share? And if it’s just as terrible as its competitors, should that be enough to allow it to escape a lawsuit?

Maybe this one will hit Ring hard and force it and its competitors in the IoT marketplace to actually take the security of their customers seriously, rather than just saying that after their customers have already been compromised. Or maybe I just want Ring to get smacked around for pushing an insecure product on consumers with the assistance of over 600 law enforcement agencies. Ring has been an absentee landlord in its market, grabbing all the market share it can while leaving its millions of customers to fend for themselves when it comes to securing their devices properly.

Companies: amazon, ring


Comments on “Ring Sued Because 'Taking Customers' Security Seriously' Means Selling Easily-Hijacked Cameras”

Anonymous Coward says:

Re: Re: Soo?

It’s just that if someone’s home gets robbed, and the camera worked, who has the pictures?

Likely the thief has the pictures — the pictures from the previous few weeks that they used to scope out the house to see when people come and go.

And some guy with a podcast probably has the audio.

The police probably have access, but are unlikely to actually use that access unless it pertains to some active case they’re already working on.

Anonymous Coward says:

But very few are actually forcing their users to engage two-factor authentication prior to allowing the connected device to go "live" on the web.

The kind of "two factor authentication" you’re talking about, which basically consists of sending a message to somebody’s phone, is a stupid, ugly, surprisingly easily defeated hack… which is both made possible and made to appear necessary by the mind-shatteringly moronic decision to have the things centrally controlled from "the cloud". Relying on it would tend to further entrench the fundamental mistake.

The entire architecture they have is unsecurable, period. That central control point can never be protected adequately and therefore should never have been allowed to exist. Until they fix that, they’re mostly masturbating.

The best fix is not to put your goddamned doorbell (or door lock) on the goddamned Internet. But if you absolutely must do that, there are authentication systems and protocols that work. They mostly don’t emphasize passwords, let alone have default passwords, because we know at this point that people can’t handle passwords.

So let them implement something that actually helps. In the devices, not in the "cloud".

… and, to be fair, anybody who sets their password to 12345, or to anything they use with any other service, is in fact an idiot, who probably can’t be saved regardless of what the freaking doorbell does. 12345 is probably also the combination on their luggage. And the key is probably under the mat. And they’re probably obsessing about the front door when they have a big, fat, unprotected, unobserved window in the back.

There’s no lockout after a certain number of failed logins

1980s style "lockouts" create DoS vulnerabilities, and probably aren’t the right choice for a device that may be your only way of getting into your house. A rate limit almost always makes sense, though. And, sure, warnings when there are a lot of tries.
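The controls the article says Ring lacked (flagging repeated failures, warning the owner about logins from unrecognized devices) combined with the per-source rate limit this comment prefers over a hard account lockout, as an added example that is not part of the article or of any comment; the log lines, accounts, IP addresses, device ids and thresholds are all constructed for illustration:

```python
# Defender-side login policy: per-source rate limit (no account lockout),
# credential-stuffing flag, and unrecognised-device alert on a successful login.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source IP
MAX_FAILURES = 5                 # failed attempts allowed per IP in the window
STUFFING_ACCOUNTS = 3            # distinct accounts failing from one IP => flag

# Constructed auth log: timestamp account source-ip device-id outcome
SAMPLE_LOG = """\
2019-12-20T10:00:00 alice@example.com 203.0.113.5 dev-a ok
2019-12-20T10:00:01 bob@example.com 198.51.100.23 dev-x fail
2019-12-20T10:00:02 carol@example.com 198.51.100.23 dev-x fail
2019-12-20T10:00:03 dave@example.com 198.51.100.23 dev-x fail
2019-12-20T10:00:04 erin@example.com 198.51.100.23 dev-x fail
2019-12-20T10:00:05 frank@example.com 198.51.100.23 dev-x fail
2019-12-20T10:00:06 alice@example.com 198.51.100.23 dev-x ok
2019-12-20T10:05:00 alice@example.com 198.51.100.7 dev-b ok
2019-12-20T10:06:00 alice@example.com 203.0.113.5 dev-a ok
"""
KNOWN_DEVICES = {"alice@example.com": {"dev-a"}}   # devices seen before (constructed)

def evaluate(log_text, known_devices):
    """Replay events; return (decision per event, alerts for the owner/SOC)."""
    failures = defaultdict(deque)   # ip -> deque of (timestamp, account) failures
    flagged = set()                 # ips already reported as credential stuffing
    known = defaultdict(set, {a: set(d) for a, d in known_devices.items()})
    decisions, alerts = [], []
    for line in log_text.strip().splitlines():
        ts, account, ip, device, outcome = line.split()
        ts = datetime.fromisoformat(ts)
        recent = failures[ip]
        while recent and ts - recent[0][0] > WINDOW:   # drop failures outside window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            decisions.append("throttle")   # reject before checking the password
            continue   # other sources, including the real owner, are unaffected
        if outcome == "fail":
            recent.append((ts, account))
            decisions.append("fail")
            if ip not in flagged and len({a for _, a in recent}) >= STUFFING_ACCOUNTS:
                flagged.add(ip)
                alerts.append((ts, "credential-stuffing", ip))
            continue
        if device in known[account]:
            decisions.append("allow")
        else:   # correct password from a device never seen on this account
            known[account].add(device)
            alerts.append((ts, "new-device", f"{account} {ip} {device}"))
            decisions.append("new-device")
    return decisions, alerts
```

In the sample, the stuffing source is throttled on its sixth attempt even though it holds a valid credential, while the owner's later login from a different source is still allowed.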

Anonymous Coward says:

Re: Re:

The entire architecture they have is unsecurable, period. That central control point can never be protected adequately and therefore should never have been allowed to exist.

I don’t see anything in the article about a central control point. It looked like they were talking about people directly connecting to cameras. If that’s not the case, what’s the architecture they’re using?

Anonymous Anonymous Coward (profile) says:

Re: even Netflix is better than this.

Both Amazon and my bank ask for a verification code, for me sent through email (the passwords to each of these are changed several times a year), every time. Even if I am using the same computer I always use (my bank claims to care, Amazon doesn’t seem to). The use of a password manager makes using difficult passwords, often changed, easy.

Anonymous Coward says:

Re: With a Mic

Aside from the fact that all mics are speakers and all speakers are mics (when connected as not intended, and with roughly the efficacy one might expect), I am guessing that, yes, speaker may have been what was meant, unless mic is the short form for a dual-purpose microphone-speaker device in the current parlance.

That Anonymous Coward (profile) says:

Something something we never expected shitlords would shitlord, so we discounted that possibility.

It let us save money to not be even slightly more proactive.

Our goal wasn’t security for you, but for creating a network for police to access how they want.
You people bitching that your leaked credentials were used to break in & scare children are at fault!
Just because someone can try 10 million passwords in sequence without triggering any sort of alert is your fault, not ours. Use stronger passwords.

Anonymous Coward says:

Re: Re:

Suitable IP cameras are available, as is open source software to set up motion detection systems, i.e. OpenCV. Raspberry Pis are powerful enough for the server for such systems, and various ways of setting up a secure online connection are possible. A mobile dongle would allow direct text sending from such systems. Also, cloud storage, own cloud included, for videos when motion is detected would be a good idea.

While it would take a little research and effort, such a system would not be difficult to set up for a computer literate person.

tom (profile) says:

If you connect something to the Internet and don’t have a real firewall that defaults to no traffic either way and only allows traffic you have authorized, you should expect to lose control of your device.

But most ISPs don’t want you to have a real firewall as they will get stuck answering all those "Why doesn’t my latest IOT gizmo work?" questions.

Neither do most IOT gizmo makers. A real firewall setup means the IOT maker has to fully disclose what traffic their gizmo generates and all of the places that info is going as well as everyone that will be viewing the images.

As for a secure surveillance system, either build it yourself or buy one of the old school CCTV systems with an on site recorder setup. Eliminate any vendor that needs a cloud account for their gizmo to work.

Anonymous Coward says:

I might not want to be forced into 2FA, if it is shit 2FA, but then, I probably wouldn’t want any natively internet-connected camera in the first place. If they can do local 2FA, that would be better.

On the other hand, gee it is fucking easy to send an email or txtmsg saying, "hey we have login attempts from an unrecognized device".

Smartassicus the Roman says:

Starship Discovery

Just imagine for a moment that documents turned up in discovery reveal that Amazon was working in tandem with the DOJ and other LEAs to develop these damned things to create a gigantic surveillance network.

Would it affect how people use them?

Not in the slightest, because people who have them are abysmally stupid.

Ed (profile) says:

Misleading title

Ring cameras were never "hacked". The Ring system was never "hacked". Stop with this misleading bullshit which doesn’t actually address the problem. The lawsuit is stupid and should be thrown out because, again, the Ring cameras were never "hacked". The USERS used the same login credentials for their Ring cameras as they used on some other unrelated service that WAS HACKED. Criminals simply scoured the net using those stolen credentials and lucked out on finding idiot Ring users who used the same logins on everything. Yes, Ring should have forced users to enable 2FA or some other means, but instead they chose to make it more simple for the users, not realizing that users are typically STUPID.

This lawsuit, again, is a stupid waste of time and the courts should throw it out. RING WAS NEVER HACKED. That’s it.
