CONSUMER REPORTS: Ring says it’s developing a new privacy and security “dashboard” aimed at making it easier for consumers to keep their Ring accounts secure. The announcement comes just a few weeks after the company revealed that thousands of Ring doorbell and security cameras could be vulnerable to hackers.
The company warned that usernames and passwords for many accounts could have been acquired by criminals, who could then access Ring smartphone apps and view live camera feeds, phone numbers, and other information.
In one highly publicized incident, hackers managed to access the Ring account of a Mississippi family in December, taking control of a security camera to harass an 8-year-old girl while she was alone in her bedroom.
The new privacy dashboard will let Ring consumers manage their connected mobile, desktop, and tablet devices to ensure that hackers and other unauthorized users do not have access to their Ring accounts or devices.
The new dashboard will be part of the Ring mobile app for Android and iOS and is expected to be released later this month.
“The goal was always to build for our customers what I call digestible security,” Ring CEO Jamie Siminoff said in a phone call. “We started this a while ago by making our privacy policy in a digestible form with sentences that people could actually understand. This [dashboard] supercharges that both on a security-privacy side as well as on the control side.”
Ring, which was bought by Amazon in 2018, will soon also enable two-factor authentication (2FA) by default for new accounts as well as new devices for existing accounts.
Two-factor is a security mechanism that typically requires users to input a secondary, temporary password when logging into a device or service. That means that if someone else tries to use your username and password, they’ll be blocked from accessing your account unless they have that additional piece of information.
In Ring’s case, this is a code delivered by text message to the user’s smartphone. Consumers can opt out if they don’t want to enable 2FA, but doing so may lessen the security of their account. Consumer Reports recommends that people use 2FA whenever it’s available, especially for email, financial, shopping, and other critical accounts.
Ring says that in the recent incidents, it found no evidence that hackers had managed to break into Ring servers. Instead, Ring says, hackers used account credentials compromised in data breaches from other companies. The technique is known as “credential stuffing,” and it’s one of the primary reasons that security experts warn consumers to never reuse passwords and to consider employing password managers.
More Fixes Could Be Coming
Privacy advocates say they welcome the changes but encourage Ring and other security camera and video doorbell companies to do more to protect consumers.
“We’re glad to see Ring make these changes that allow consumers more transparency and control over their data, in addition to pushing new users and users of new cameras to put two-factor authentication in place,” says Katie McInnis, a policy counsel at Consumer Reports. “However, in order to more fully protect consumers, Ring should also take other heightened security measures.”
Consumer Reports is urging Ring and other video doorbell makers to take a number of specific steps, McInnis says. For instance, the companies should ensure that user passwords haven’t been exposed in previous data breaches, a step already taken by password managers. Additionally, companies should adopt measures to guard against hackers entering large numbers of usernames and passwords to try accessing customer accounts.
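The two safeguards recommended above, as an added Python example (not code from Ring or Consumer Reports): a breached-password check when a password is set, and a login throttle keyed on how many different usernames one source fails against. The breach list, thresholds, IP addresses and login events are constructed for illustration, and keying on source IP alone is an assumption of this example.

```python
import hashlib
from collections import defaultdict, deque

# Constructed stand-in for a breach corpus, stored as SHA-1 digests (lookup only,
# not a password-storage scheme).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "qwerty123", "letmein")}

def password_is_breached(candidate):
    """Run when a password is created or changed; reject it if this returns True."""
    return hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1

class StuffingThrottle:
    """Blocks a source that fails logins against many *different* usernames.

    A user mistyping a password hits one username repeatedly; credential
    stuffing walks a list, so distinct usernames per source is the signal.
    """
    def __init__(self, max_usernames=3, window_seconds=60):
        self.max_usernames = max_usernames
        self.window = window_seconds
        self.failures = defaultdict(deque)  # source IP -> (timestamp, username)

    def record_failure(self, source_ip, username, ts):
        self.failures[source_ip].append((ts, username))

    def is_blocked(self, source_ip, now):
        q = self.failures[source_ip]
        while q and q[0][0] <= now - self.window:  # drop entries outside window
            q.popleft()
        return len({user for _, user in q}) > self.max_usernames

def replay(events, throttle):
    """Return one decision per event: 'blocked', 'failed' or 'allowed'."""
    decisions = []
    for ts, ip, user, password_ok in events:
        if throttle.is_blocked(ip, ts):
            decisions.append("blocked")  # refused before the password is checked
            continue
        if not password_ok:
            throttle.record_failure(ip, user, ts)
        decisions.append("allowed" if password_ok else "failed")
    return decisions

# Constructed events: (timestamp, source IP, username, password was correct)
EVENTS = [
    (0, "203.0.113.7", "alice", False), (1, "203.0.113.7", "bob", False),
    (2, "198.51.100.4", "carol", False), (3, "203.0.113.7", "dave", False),
    (4, "203.0.113.7", "erin", False), (5, "203.0.113.7", "frank", True),
    (6, "198.51.100.4", "carol", True), (70, "203.0.113.7", "alice", True),
]
```

In the constructed events, the login for "frank" at timestamp 5 carries a correct but reused password and is still refused, because its source has already failed against four different usernames within the window.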
Ring CEO Siminoff said the company was “always evaluating” additional security measures while weighing them against customer convenience. “If you don’t continue to look at security and adjust it, then you’re not doing security properly,” he added. But Siminoff wouldn’t specify whether the company would follow any of the additional steps Consumer Reports and other advocacy groups are recommending.
“Everything that they’re doing with this dashboard is a good step, but it’s very much just that—a step,” said Hannah Quay-de la Vallee, senior technologist at the Center for Democracy & Technology, a digital rights advocacy group. “I hope it’s part of a larger process about improving consumers’ ability to manage this stuff.”
Ring also said it would make it easier for consumers to opt out of having local police request their security camera footage.
As news outlets including Vice Motherboard and Gizmodo have reported, Ring has partnered with police departments across the U.S. to make it easier for police to request Ring footage to help solve crimes. Privacy advocates and other civil liberties groups have suggested that these partnerships encourage a culture of fear at a time when serious crime, including violent crime and property crime, is at historically low levels.
“The fact is that even if Ring fixed all of its security flaws, these devices would still be dangerous,” said Evan Greer, deputy director of Fight for the Future, a digital rights advocacy group. “Crime has been steadily falling for decades. But Amazon wants you to be afraid. They want you to distrust and spy on your neighbors. These devices are corrosive for our society.”
The exposure of Ring account credentials is just the latest in a series of hacks and vulnerabilities that have affected security cameras and video doorbells from multiple manufacturers.
In November, it was revealed that Ring video doorbells contained a vulnerability that exposed WiFi network names and passwords. Last May, a vulnerability was discovered that let individuals stay logged in to Ring accounts even after a password change. And last January, there were reports of Nest cameras, which are owned by Google, being hacked through credential stuffing.