Ring Throws A Moist Towelette On Its Dumpster Fire With A Couple Of Minimal Security Tweaks

from the [yelling-over-the-roaring-flame]-WE-CARE-DEEPLY-ABOUT-OUR-USERS dept

Things have gotten worse and worse for Amazon’s Ring over the past several months. Once just the pusher of a snitch app that allowed city residents to engage in racial profiling from the comfort of their homes, Ring is now synonymous with poor security practices and questionable “partnerships” with hundreds of law enforcement agencies around the nation.

Ring owners recently discovered how easily their cameras could be hijacked by assholes with no moral compass and too much time on their hands. Using credentials harvested from security breaches, online forum members took control of people’s cameras to entertain a podcast audience who listened along as hijackers verbally abused Ring owners and their children.

Ring is now being sued for selling such an easily-compromised product. Ring’s response to the original reports of hijackings was to blame customers for not taking their own security more seriously. Ring does recommend two-factor authentication but that’s about all it does. It does not inform users when login attempts are made from unrecognized IP addresses or devices, and does not put the system on lockdown after a certain number of failed attempts are made.

Yes, users should use strong passwords (and not reuse passwords), but blaming customers for engaging in behavior most customers will engage in is unproductive. Instead of making two-factor authentication a requirement before deployment, Ring has just repeatedly pointed to its prior statements about its “encouragement” of 2FA — an “encouragement” that is mostly comprised of defensive statements issued in response to another negative news cycle.

Since it can’t keep blaming its millions of customers for its own failings, Ring is taking a very, very small step in the direction of actually taking its customers’ security seriously. [Please hold your tepid applause until the end of the announcement.]

Ring has announced that it is adding a new privacy dashboard to its mobile apps that will let Ring owners manage their connected devices, third-party services, and whether local police partnered with Ring can make requests to access video from the Ring cameras on the account. The company says that other privacy and security settings will be added to the dashboard in the future. This new Control Center will be available in the iOS and Android versions of the Ring app later this month.

It’s barely enough to make any one feel whelmed, much less overly so. There are two small additions that put this ahead of what Ring offered prior to the newsworthy camera hijackings. First, the app will allow users to see who’s logged in at any given time and logout unrecognized IP addresses or locations from within the app.

The second addition finally puts some (baby) teeth into Ring’s 2FA recommendation:

[R]ing is continuing to inform its customers of the importance of two-factor authentication on their accounts and will be making it an “opt-out” thing for new account setups, as opposed to the opt-in setup it currently is.

Swell. So that’s kind of… fixed. I guess. Now Ring just needs to work on all the other problematic things about itself, like the fact that it’s still not going to notify users when new IP addresses, devices, or locations attempt to access their cameras. And it’s not going to stop using cop shops as Ring marketing street teams. And for all of its insistence footage is never handed over to cops without the proper paperwork, it still deals from the bottom of the deck by claiming end users own all their footage even as it’s handing this footage to law enforcement without the end user’s permission or involvement.

Ring has a lot to fix if it’s ever going to make its way out of the PR pit it’s dug for itself. This is something, but it’s just barely something. It’s not enough. And it says Ring still isn’t serious about protecting its customers — not from law enforcement and not from malicious idiots who’ve found a new IoT toy to play with.

Filed Under: , , , , ,
Companies: amazon, ring

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Ring Throws A Moist Towelette On Its Dumpster Fire With A Couple Of Minimal Security Tweaks”

Subscribe: RSS Leave a comment
Anonymous Coward says:

i have to wonder what Amazon had to give/got out of allowing multiple law enforcement agencies access to customers camera footage? no way was this done for nothing and no reason. when that comes to light, hopefully shit will really hit the fan! one thing this certainly shows me is that Amazon head, Bezos has far more power than he should have!

Anonymous Coward says:

Re: Re:

Are you new here? Have you avoided tech news completely the last few years?

Ring "partnered" with law enforcement, offering them free or near-free cameras to distribute in their neighborhoods in exchange for easy access to the footage and pre-written press statements pumping up how awesome Ring is. Though Ring already had the major market share of the internet-connected doorbell market (note: not "smart") this effort has catapulted them to the undisputed champion of the space.

Somehow no fecal matter managed to strike any wind generation devices. And it’s not about individual power. It’s about being first to market(ing) and taking advantage of that position in morally questionable ways.

Ed (profile) says:

Ring isn't the problem

Idiot users are the problem. Ring’s system has never been "hacked". Unrelated companies had their systems breached, with idiots who use both services using the same login credentials for their Ring system. Those login credentials are then posted for thousands of criminals to try to use anywhere they can. The fact that they found idiot Ring users who didn’t bother to secure their system any better than to use the same login credentials is not the problem of Ring. Ring has always provided a way to keep your system safer. If idiot users can’t be bothered to use what is given, that’s not on Ring.

Anonymous Coward says:

Rings "proper paperwork" is green with a presidents face on it.

they literally take cash directly to produce as much video footage from ANY ring device the cops want.

Whether thats an actual warrant case or just a cop that wants to spy on children getting undressed, ring doesn’t give two shits and will happily give access to anyone and everyone for a fee.

Most of the "hackers" of ring are just people who said they were law enforcement and Ring did zero background checks and just handed over access.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...