Ring Sued Because 'Taking Customers' Security Seriously' Means Selling Easily-Hijacked Cameras

from the DUMPSTER-FIRE-2019-???? dept

Amazon's Ring has been uniformly terrible ever since it decided its primary market (homeowners) should be treated with less care and concern than the market it's actually courting and subsidizing (law enforcement agencies).

Since it's not really in the customer service business anymore, the end users who thought they were buying some security and peace of mind have discovered they've actually become part of a law enforcement surveillance network run by a company that doesn't really seem to be in the security business.

A group of forum members found Ring cameras incredibly easy to hijack. Running scripts utilizing lists of credentials harvested from the web's many security breaches, some sociopathic idiots were able to brute force their way into taking control of devices. Their favorites were the ones equipped with mics, where they could verbally abuse and taunt unsuspecting Ring owners for the enjoyment of their podcast audience. (I really wish I were making that last part up but this is the internet we have.)

When the news cycle of "hacked" Ring cameras began, Ring was quick to point out this wasn't its fault. To a certain point, Ring is right. Ring says it encourages the use of two-factor authentication and strong passwords. Great. So do lots of IoT device makers. But very few are actually forcing their users to engage two-factor authentication prior to allowing the connected device to go "live" on the web. Ring isn't doing this either.

It's even worse in Ring's case. Ring says it's the customers that are wrong, but it does absolutely nothing to prevent this sort of hijacking. There's no lockout after a certain number of failed logins. No warnings are sent to owners about logins from unrecognized devices or IP addresses. Repeated failed login attempts aren't flagged as suspicious. For a company supposedly in the security business, this is a pretty insecure way to run a business.

It's this latest insecurity that's getting the company sued.

Amazon and its home security subsidiary Ring are facing a federal lawsuit in California over allegations that its "lax security standards" led to a series of invasive and frightening hacks over the past year.

The lawsuit, which alleges Ring security cameras have been hacked six times across the U.S., comes as Amazon's Ring faces a barrage of scrutiny from lawmakers, privacy advocates and the public over its cybersecurity standards and widespread partnerships with local police departments.

The lawsuit [PDF], filed by a victim of just such a "hacking" hopes to become a class action when it's all grown up and fully-represented. Until then, there's this incident, which happened to the plaintiff.

Plaintiff John Baker Orange is a resident of Jefferson County Alabama. He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00. The Ring camera was installed over his garage with a view of the driveway. Mr. Orange purchased the Ring camera to provide additional security for him and his family which include his wife and three children aged 7, 9, and 10. Recently, Mr. Orange’s children were playing basketball when a voice came on through the camera’s two-way speaker system. An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera. Once Mr. Orange learned of the incident, he changed the password on the Ring camera and enabled two-factor authentication. Prior to changing his password, Mr. Orange protected his Ring camera with a medium-strong password.

Orange alleges that Ring did almost nothing to protect its customers while promising its products will protect its customers.

Unfortunately, Ring does not fulfill its core promise of providing privacy and security for its customers, as its camera systems are fatally flawed. The Ring system is Wi-Fi enabled, meaning that it will not work without internet connectivity. Once connected, however, any internet device can be seen by the on-line community, making it incumbent upon its manufacturer to design the device such that it can be properly secured for only intended use. This obligation is even more critical in instances where the device, like the Ring camera, is related to the safety and security of person and property.

Ring failed to meet this most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack. Notably, Ring only required users enter a basic password and did not offer or did not compel two-factor authentication.

He's not wrong. Security is pretty much an afterthought for this security company. It likes to put its resources into pitching its products to cops, who can then hand the flawed products to citizens in exchange for possible glimpses of camera recordings in the future.

But is it enough to win a lawsuit? The plaintiff alleges negligence and a few other related torts, but he'll have to prove Ring deliberately sold a product it knew was insecure. Ring is probably aware of the lack of built-in security, but is it more deliberately negligent than any other IoT device maker that decides to dumb down security options to increase adoption and marketshare? And if it's just as terrible as its competitors, should that be enough to allow it to escape a lawsuit?

Maybe this one will hit Ring hard and force it and its competitors in the IoT marketplace to actually take the security of their customers seriously, rather than just saying that after their customers have already been compromised. Or maybe I just want Ring to get smacked around for pushing an insecure product on consumers with the assistance of over 600 law enforcement agencies. Ring has been an absentee landlord in its market, grabbing all the market share it can while leaving its millions of customers to fend for themselves when it comes to securing their devices properly.

Filed Under: doorbells, iot, lawsuit, ring, security
Companies: amazon, ring


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    ECA (profile), 7 Jan 2020 @ 11:03am

    Soo?

    So, the cops have access to the camera's, but do the Customers?

    reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 7 Jan 2020 @ 11:06am

      Re: Soo?

      Its just, that if someones Home gets robbed, and the camera worked, Who has the pictures?
      Is anyone going to tell these people that the backdoor, is easier to use to rob a home..as generally, its hidden from anyone seeing it.

      1 camera does not a security system make.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Jan 2020 @ 11:36am

        Re: Re: Soo?

        Its just, that if someones Home gets robbed, and the camera worked, Who has the pictures?

        Likely the thief has the pictures -- the pictures from the previous few weeks that they used to scope out the house to see when people come and go.

        And some guy with a podcast probably has the audio.

        The police probably have access, but are unlikely to actually use that access unless it pertains to some active case they're already working on.

        reply to this | link to this | view in chronology ]

    • icon
      Designerfx (profile), 8 Jan 2020 @ 3:49am

      Re: Soo?

      Of course they do!

      Cops don't have to follow a legal process, so they get it automatically.

      Customers have to yet follow a quasi-legal process, so they may get it someday if they sue in a court and pay tons of money.

      /sad

      reply to this | link to this | view in chronology ]

  • identicon
    Michael, 7 Jan 2020 @ 12:03pm

    Wow

    He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00.

    He forgot to include being robbed as one of his complaints.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jan 2020 @ 1:01pm

    But very few are actually forcing their users to engage two-factor authentication prior to allowing the connected device to go "live" on the web.

    The kind of "two factor authentication" you're talking about, which basically consists of sending a message to somebody's phone, is a stupid, ugly, surprisingly easily defeated hack... which is both made possible and made to appear necessary by the mind-shatteringly moronic decision to have the things centrally controlled from "the cloud". Relying on it would tend to further entrench the fundamental mistake.

    The entire architecture they have is unsecurable, period. That central control point can never be protected adequately and therefore should never have been allowed to exist. Until they fix that, they're mostly masturbating.

    The best fix is not to put your goddamned doorbell (or door lock) on the goddamned Internet. But if you absolutely must do that, there are authentication systems and protocols that work. They mostly don't emphasize passwords, let alone have default passwords, because we know at this point that people can't handle passwords.

    So let them implement something that actually helps. In the devices, not in the "cloud".

    ... and, to be fair, anybody who sets their password to 12345, or to anything they use with any other service, is in fact an idiot, who probably can't be saved regardless of what the freaking doorbell does. 12345 is probably also the combination on their luggage. And the key is probably under the mat. And they're probably obsessing about the front door when they have a big, fat, unprotected, unobserved window in the back.

    There's no lockout after a certain number of failed logins

    1980s style "lockouts" create DoS vulnerabilities, and probably aren't the right choice for a device that may be your only way of getting into your house. A rate limit almost always makes sense, though. And, sure, warnings when there are a lot of tries.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Jan 2020 @ 5:52am

      Re:

      The entire architecture they have is unsecurable, period. That central control point can never be protected adequately and therefore should never have been allowed to exist.

      I don't see anything in the article about a central control point. It looked like they were talking about people directly connecting to cameras. If that's not the case, what's the architecture they're using?

      reply to this | link to this | view in chronology ]

  • identicon
    jilocasin, 7 Jan 2020 @ 1:05pm

    even Netflix is better than this.

    Wow, even Netflix will send me an email whenever someone (usually me) logs into my account from a new device (or one where I've deleted the Netflix cookie).

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 7 Jan 2020 @ 1:17pm

      Re: even Netflix is better than this.

      Both Amazon and my bank ask for a verification code, for me sent through email (the passwords to each of these is changed several times a year) every time. Even if I am using the same computer I always use ( my bank claims to care, Amazon doesn't seem to). The use of a password manager makes using difficult passwords, often changed, easy.

      reply to this | link to this | view in chronology ]

  • identicon
    bobob, 7 Jan 2020 @ 1:51pm

    I have difficulty sympathizing with the customers. The concept of having some corporate entity collecting all that information should itself been enough to make people say no. One need not even understand the security issues to know the concept is flawed.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jan 2020 @ 2:04pm

    With a Mic

    > Their favorites were the ones equipped with mics, where they could verbally abuse and taunt unsuspecting Ring owners

    How's that work? The Ring has a mic a hacker can talk through? Strange magic

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Jan 2020 @ 8:58pm

      Re: With a Mic

      Aside the fact that all mics are speakers and all speakers are mics (when connected as not-intended, and with roughly the efficacy one might expect), i am guessing that, yes, speaker may have been what was meant, unless mic is the short form for a dual-purpose microphone-speaker device in the current parlance.

      reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 7 Jan 2020 @ 2:08pm

    Something something we never expected shitlords would shitlord, so we discounted that possibility.

    It let us save money to not be even slightly more proactive.

    Our goal wasn't security for you, but for creating a network for police to access how they want.
    You people bitching that your leaked credentials were used to break in & scare children are at fault!
    Just because someone can try 10 million passwords in sequence without triggering any sort of alert is your fault, not ours. Use stronger passwords.

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 7 Jan 2020 @ 2:39pm

    Serious question: is there any way to set up a surveillance system at home that's actually safe and private? You know, don't depend on centralized servers and stuff. Or is there any manufacturer you can trust to have good security and privacy policies?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Jan 2020 @ 3:42pm

      Re:

      Suitable IP cameras are available, as is open source software to set up motion detection systems. i.e. OpenCV. Raspberry pi's are powerful enough for the server for such systems, and various ways of setting up a secure online connection are possible. A mobile dongle would allow direct text sending from such systems. Also, cloud storage, own cloud included, for videos when motion is detected would be a good idea.

      While it would take a little research and effort, such a system would not be difficult to set for a computer literate person.

      reply to this | link to this | view in chronology ]

      • icon
        Ninja (profile), 8 Jan 2020 @ 12:04pm

        Re: Re:

        I'm sticking to known brands. I'm doing some research and I'm pretty sure I can do it. Still, it's a nightmare for those with little skill with computers.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 8 Jan 2020 @ 12:22pm

          Re: Re: Re:

          Still, it's a nightmare for those with little skill with computers.

          That why the likes of Ring can extend their data gathering operations by selling security systems.

          reply to this | link to this | view in chronology ]

  • icon
    tom (profile), 7 Jan 2020 @ 3:17pm

    If you connect something to the Internet and don't have a real firewall that defaults to no traffic either way and only allows traffic you have authorized, you should expect to lose control of your device.

    But most ISPs don't want you to have a real firewall as they will get stuck answering all those "Why doesn't my latest IOT gizmo work." questions.

    Neither do most IOT gizmo makers. A real firewall setup means the IOT maker has to fully disclose what traffic their gizmo generates and all of the places that info is going as well as everyone that will be viewing the images.

    As for a secure surveillance system, either build it yourself or buy one of the old school CCTV systems with an on site recorder setup. Eliminate any vendor that needs a cloud account for their gizmo to work.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jan 2020 @ 4:39pm

    Put in a wired camera with no wireless antennas or internet connections if you want a secure home recording system.

    There are attack vectors that don't include hacking those electronics however.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jan 2020 @ 9:05pm

    I might not want to be forced into 2FA, if it is shit 2FA, but then, i probably wouldn't want any natively internet-connected camera in the first place. If they can do local 2FA, that would be better.

    On the other hand, gee it is fucking easy to send an email or txtmsg saying, "hey we have login attempts from an unrecognized device".

    reply to this | link to this | view in chronology ]

  • identicon
    Smartassicus the Roman, 7 Jan 2020 @ 10:34pm

    Starship Discovery

    Just imagine for a moment that documents turned up in discovery reveal that Amazon was working in tandem with the DOJ and other LEAs to develop these damned things to create a gigantic surveillance network.

    Would it affect how people use them?

    Not in the slightest, because people who have them are abysmally stupid.

    reply to this | link to this | view in chronology ]

  • identicon
    Avideogameplayer, 8 Jan 2020 @ 6:01am

    And here I thought the horror movie The Ring was fiction. I guess I was wrong.

    reply to this | link to this | view in chronology ]

  • icon
    Ed (profile), 8 Jan 2020 @ 8:37am

    Misleading title

    Ring cameras were never "hacked". The Ring system was never "hacked". Stop with this misleading bullshit which doesn't actually address the problem. The lawsuit is stupid and should be thrown out because, again, the Ring cameras were never "hacked". The USERS used the same login credentials for their Ring cameras as they used on some other unrelated service that WAS HACKED. Criminals simply scoured the net using those stolen credentials and lucked out on finding idiot Ring users who used the same logins on everything. Yes, Ring should have forced users to enable 2FA or some other means, but instead they chose to make it more simple for the users, not realizing that users are typically STUPID.

    This lawsuit, again, is a stupid waste of time and the courts should throw it out. RING WAS NEVER HACKED. That's it.

    reply to this | link to this | view in chronology ]

  • identicon
    Sam, 8 Jan 2020 @ 8:15pm

    How is this surprising ato anyone? Anyone in tech knew that there was zero security built into these stupid devices. I mean, cmon they were crap devices for the terminally lazy. The only ones that thought they were useful were the ones that believed the stupid hype.

    So teddy bear nanny cams weren't enough?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.