RANDOM ACCESS
Joel Burgess examines the string of security questions around Amazon’s home security software, to see who is safe.
Are you being spied on?
A string of reports concerning the exposure of thousands of Ring user account names and passwords appeared online in December, followed by some sobering videos of hackers speaking to young children through the camera’s two-way talk functionality. BuzzFeed was the first to report on a 3,672-item list of breached accounts, including both log-in emails and passwords that could give hackers access to everything from telephone information to historical and current camera feeds. In a response to the publication, Ring stated that the data did not come from a breach of Ring’s systems, and that the list may have been compiled from the security breaches of other companies where the users have the same log-in credentials. It is, however, a strange response given that the list contained the camera names and time zones of Ring users, information that could not come from outside sources.
Just before Christmas, TechCrunch found a subsequent list of 1,562 unique login credentials circulating on a dark web messaging site that appeared to have similar details to the original list.
In response to the numerous credential leaks, Motherboard did a security audit on Ring’s video security system. It wasn’t good. In addition to not encouraging two-factor authentication, Ring also has no protocol for checking the authenticity of first-time logins from new IP addresses and allows numerous people to be logged in to the online account concurrently. It also doesn’t flag IP addresses as suspicious or attempt to block a device if it enters the wrong password multiple times, a pretty standard security practice that makes it more difficult for bots or hackers to infiltrate accounts.
Considering that Ring security cameras are often in sensitive areas, such as bedrooms, the number of security protocols adopted by the Amazon-owned company is surprisingly few. If the risks of this weren’t abundantly clear already, the recent data breaches are believed to be linked to reports of Ring cameras being used to yell at sleeping residents, demand a bitcoin ransom and provide the backdrop of a hacker’s live stream video. These recent hacks are the most dramatic instance of misuse we’ve seen, but there have been ongoing concerns, with an audit by Mozilla in November finding that the company does not encrypt video feeds, and accusations from earlier in the year that Ring let employees view and share the video files of its users, whether they needed access to the videos to complete their duties or not.
While the potential for misuse of these devices is high in the wrong hands, you probably don’t want footage of your house’s interior in anyone’s hands. Yet Ring doesn’t seem to share those concerns, since this year it has also struck up arrangements with over 400 local US police agencies to streamline the sharing of video footage.
Opponents of the mass network of surveillance have raised concerns over the lack of transparency concerning the arrangements and the potential for misuse. While the products are decent from a technical perspective, you might want to consider upping your security if you’re going to trust Amazon with your security videos.