Ring Throws A Moist Towelette On Its Dumpster Fire With A Couple Of Minimal Security Tweaks

from the [yelling-over-the-roaring-flame]-WE-CARE-DEEPLY-ABOUT-OUR-USERS dept

Things have gotten worse and worse for Amazon's Ring over the past several months. Once just the pusher of a snitch app that allowed city residents to engage in racial profiling from the comfort of their homes, Ring is now synonymous with poor security practices and questionable "partnerships" with hundreds of law enforcement agencies around the nation.

Ring owners recently discovered how easily their cameras could be hijacked by assholes with no moral compass and too much time on their hands. Using credentials harvested from security breaches, online forum members took control of people's cameras to entertain a podcast audience who listened along as hijackers verbally abused Ring owners and their children.

Ring is now being sued for selling such an easily-compromised product. Ring's response to the original reports of hijackings was to blame customers for not taking their own security more seriously. Ring does recommend two-factor authentication but that's about all it does. It does not inform users when login attempts are made from unrecognized IP addresses or devices, and does not put the system on lockdown after a certain number of failed attempts are made.
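The two controls this paragraph says Ring lacks (an alert on a login from an unrecognized IP address or device, and a lockout after repeated failed attempts), sketched as an added example that is not Ring's code or part of the original article. The thresholds, action names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5      # assumed threshold; the article names no number
WINDOW_SECONDS = 600  # assumed sliding window for counting failures
LOCK_SECONDS = 900    # assumed lockout duration

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}              # account -> time the lock expires
        self.known = defaultdict(set)       # account -> (ip, device) pairs seen on success

    def attempt(self, ts, account, ip, device, password_ok):
        """Return the actions the service should take for one login attempt."""
        if self.locked_until.get(account, 0) > ts:
            return ["reject:locked"]        # refused even if the password is right
        if not password_ok:
            recent = self.failures[account]
            recent.append(ts)
            while recent[0] <= ts - WINDOW_SECONDS:
                recent.popleft()            # drop failures outside the window
            if len(recent) < MAX_FAILURES:
                return ["reject:bad_password"]
            self.locked_until[account] = ts + LOCK_SECONDS
            recent.clear()
            return ["reject:bad_password", "lock_account", "notify_owner:lockout"]
        # Password accepted. Credentials reused from another breach land here,
        # so the owner alert depends on the source, not on the password check.
        self.failures[account].clear()
        actions = ["allow"]
        if self.known[account] and (ip, device) not in self.known[account]:
            actions.append("notify_owner:new_device_or_ip")
        self.known[account].add((ip, device))
        return actions

# Constructed sample events: (timestamp, account, ip, device, password_ok)
SAMPLE = [
    (0, "a@example.com", "192.0.2.10", "phone-1", True),     # owner's own phone
    (60, "a@example.com", "203.0.113.77", "unknown", True),  # right password, new source
    *[(100 + i, "b@example.com", "198.51.100.5", "unknown", False) for i in range(5)],
    (200, "b@example.com", "192.0.2.20", "phone-2", True),   # right password, but locked
]

def replay(events):
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events]
```

The second sample login passes the password check, so only the new-source alert (or a second factor) surfaces it; the lockout addresses password guessing, not credential reuse.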

Yes, users should use strong passwords (and not reuse passwords), but blaming customers for engaging in behavior most customers will engage in is unproductive. Instead of making two-factor authentication a requirement before deployment, Ring has just repeatedly pointed to its prior statements about its "encouragement" of 2FA -- an "encouragement" that is mostly comprised of defensive statements issued in response to another negative news cycle.

Since it can't keep blaming its millions of customers for its own failings, Ring is taking a very, very small step in the direction of actually taking its customers' security seriously. [Please hold your tepid applause until the end of the announcement.]

Ring has announced that it is adding a new privacy dashboard to its mobile apps that will let Ring owners manage their connected devices, third-party services, and whether local police partnered with Ring can make requests to access video from the Ring cameras on the account. The company says that other privacy and security settings will be added to the dashboard in the future. This new Control Center will be available in the iOS and Android versions of the Ring app later this month.

It's barely enough to make anyone feel whelmed, much less overly so. There are two small additions that put this ahead of what Ring offered prior to the newsworthy camera hijackings. First, the app will allow users to see who's logged in at any given time and log out unrecognized IP addresses or locations from within the app.

The second addition finally puts some (baby) teeth into Ring's 2FA recommendation:

[R]ing is continuing to inform its customers of the importance of two-factor authentication on their accounts and will be making it an “opt-out” thing for new account setups, as opposed to the opt-in setup it currently is.

Swell. So that's kind of… fixed. I guess. Now Ring just needs to work on all the other problematic things about itself, like the fact that it's still not going to notify users when new IP addresses, devices, or locations attempt to access their cameras. And it's not going to stop using cop shops as Ring marketing street teams. And for all of its insistence footage is never handed over to cops without the proper paperwork, it still deals from the bottom of the deck by claiming end users own all their footage even as it's handing this footage to law enforcement without the end user's permission or involvement.

Ring has a lot to fix if it's ever going to make its way out of the PR pit it's dug for itself. This is something, but it's just barely something. It's not enough. And it says Ring still isn't serious about protecting its customers -- not from law enforcement and not from malicious idiots who've found a new IoT toy to play with.

Filed Under: cybersecurity, dashboard, doorbells, police, ring doorbell, security
Companies: amazon, ring


Reader Comments

  • Anonymous Coward, 10 Jan 2020 @ 8:06pm

    meta: these titles and departments have a higher frequency of actual LOL funny of late.

    moist towelettes and wikipedia brown, indeed.

  • Pixelation, 10 Jan 2020 @ 8:33pm

    Ring, owned by Amazon. The interest they have in the security of your information? Only as much as will keep them out of court, not a penny more.

  • Techsticles, 10 Jan 2020 @ 9:08pm

    Doorbot

    The company that brought you DoorBot would never do this. It must be a mistake.

  • bobob, 11 Jan 2020 @ 2:12am

    So, they've put a bandaid on an axe wound. The only cure for a ring doorbell is total destruction of the device.

  • Anonymous Coward, 11 Jan 2020 @ 5:58am

    I have to wonder what Amazon had to give/got out of allowing multiple law enforcement agencies access to customers' camera footage? No way was this done for nothing and no reason. When that comes to light, hopefully shit will really hit the fan! One thing this certainly shows me is that Amazon head, Bezos, has far more power than he should have!

    • Anonymous Coward, 11 Jan 2020 @ 4:59pm

      Re:

      Are you new here? Have you avoided tech news completely the last few years?

      Ring "partnered" with law enforcement, offering them free or near-free cameras to distribute in their neighborhoods in exchange for easy access to the footage and pre-written press statements pumping up how awesome Ring is. Though Ring already had the major market share of the internet-connected doorbell market (note: not "smart") this effort has catapulted them to the undisputed champion of the space.

      Somehow no fecal matter managed to strike any wind generation devices. And it's not about individual power. It's about being first to market(ing) and taking advantage of that position in morally questionable ways.

  • Ed, 11 Jan 2020 @ 7:36am

    Ring isn't the problem

    Idiot users are the problem. Ring's system has never been "hacked". Unrelated companies had their systems breached, with idiots who use both services using the same login credentials for their Ring system. Those login credentials are then posted for thousands of criminals to try to use anywhere they can. The fact that they found idiot Ring users who didn't bother to secure their system any better than to use the same login credentials is not the problem of Ring. Ring has always provided a way to keep your system safer. If idiot users can't be bothered to use what is given, that's not on Ring.

    • Wyatt Derp, 11 Jan 2020 @ 8:30am

      Re: Ring isn't the problem

      Amazon gaslighting the general public for fame and fortune, film at eleven.

    • bobob, 11 Jan 2020 @ 1:29pm

      Re: Ring isn't the problem

      Yes, idiot users are the problem, but not for the reasons you give. They are idiots for using ring at all.

    • Thad, 13 Jan 2020 @ 7:17am

      Re: Ring isn't the problem

      I like to refer to this as the "Why do cars need seatbelts? Everybody should just be a good driver" school of design.

    • Anonymous Coward, 13 Jan 2020 @ 8:08am

      Re: Ring isn't the problem

      Idiot users are the problem.

      Sure, but you can't fix stupid. All you can do is cover your own ass in legalese and child safety devices for adults to avoid getting sued when stupid does what stupid does.

  • Anonymous Coward, 13 Jan 2020 @ 9:34am

    Ring's "proper paperwork" is green with a president's face on it.

    They literally take cash directly to produce as much video footage from ANY Ring device the cops want.

    Whether that's an actual warrant case or just a cop that wants to spy on children getting undressed, Ring doesn't give two shits and will happily give access to anyone and everyone for a fee.

    Most of the "hackers" of ring are just people who said they were law enforcement and Ring did zero background checks and just handed over access.
