Bill Buchanan: Did You Buy A Ring Doorbell From 2015 to 2019 - Then You Could Get Compensation?
ASecuritySite Podcast - A podcast by Professor Bill Buchanan OBE
Categories:
Blog: https://medium.com/asecuritysite-when-bob-met-alice/did-you-buy-a-ring-doorbell-from-2015-to-2019-then-you-could-get-compensation-c8434916b2da I know the title sounds like one of those adverts that say, “Did you buy a car between 1890 and 2023, then you can get compensation, because they didn’t tell you that you needed to put fuel in your car! In fact, you don’t even have to have bought a car or bought anything; you just have to show that you are still breathing, and you might still also get it. Call us now! Before COVID-19, I used to demonstrate live at conferences the Ring doorbell and showcase weak practices. The video wasn’t encrypted at all, and where I could easily view it. Along with this, user credentials were left unencrypted. But, after we went into lockdown, it was not so easy to give practical demonstrations, so I’ve not done a demo for a few years. But you will be glad to know that I’m all set up for hacks on electrical sockets, doorbells, kettles, door locks, and many other things, so if your company wants a demo, please get in contact. Overall, I have found that for the balance between useability/ease of setup, and security, most companies go for useability/ease of setup, as they know their users are often not that technical. Now, it has been shown that there are thousands of customers of the Ring doorbell that have been affected by cyberattacks. For this, Amazon will have to pay out $5.8 million in payments to around 55,000 customers for its weak data security practices. For this, it has been well known that some employees at Amazon had been spying on user videos: It was also found that there was no encryption on the video streams and that credentials were sent in a plaintext format. There were also attacks on previously breached passwords or in using repeated attempts at guessing credentials. Normally, this type of practice would be defended with a lock-out policy or by monitoring password usage, and which was weakly implemented. The case was brought by the FTC (Federal Trade Commission) in a federal court [here]: It is thought that 1,250 devices were breached with passwords, that the live stream was compromised, and that there were at least 20 cases that involved a breach of over one month. The suit outlines cases involving screaming obscenities, demanding ransoms, and threatening murder and sexual assault [here], and covers those who bought Ring doorbells between 2015 and 2019 — even if they have not been hacked. These will be used to pay for refunds for the doorbell and requires that Amazon delete all the video information gathered and any user credentials. Amazon will also have to inform the FTC about future incidents. Along with this, the FTC reported that Amazon failed to encrypt video streams from 2016 and 2020, along with no encryption for user credentials and details, and failed to get user consent for the viewing of video streams. Also, they failed to provide adequate training for their staff in supporting the Ring doorbell. In 2021, though, Amazon finally implemented encryption and proactive monitoring on the product [here]: Alongside this, Amazon will also have to pay $25 million for Alexa with the FTC Act and Children’s Online Privacy Protection Act by retaining children’s information without parental permission. Amazon will also be required to stop using geolocation, voice information, and children’s voice information for any product improvement purposes. Conclusions When ease of use and usability are placed before cybersecurity, there’s likely to be a storm brewing. I like Apple devices, as they seem to be able to span both sides of this. My demos for Ring, though, don’t work anymore, but I’ve got many other things to showcase. Overall, one bad product implementation can taint a whole brand. Amazon needs to watch that its Ring doorbell doesn’t give the company a bad name, as it has its e-commerce and cloud infrastructure to look after.