Ring—which Amazon acquired in February—makes a smart doorbell that has a camera connected to Wi-Fi. And this Amazon doorbell has a security flaw that let a man harass his ex-boyfriend (via The Information).
Don’t Ring the Amazon Doorbell
Although Ring claims to have fixed the security flaw back in January, there are still problems. The software behind the doorbell kept users logged in to the app even after the account password was changed, so changing the password did not revoke access that had already been granted.
That’s exactly what Jesus Echezarreta found out. After breaking up with his boyfriend, he changed the password on the Ring doorbell. But his ex was still logged in, and downloaded video footage from the camera, and remotely rang the doorbell during the night.
Mr. Echezarreta contacted the company in January, around the time the Ring app was updated. But Jamie Siminoff, CEO of Ring, told The Information that there are still problems. Users are now logged out when a password is changed and are required to log back in. But the logout doesn’t happen right away, and it can take up to an hour for a person to be logged out.
Cases like this are exactly why I stay away from so-called “smart” home devices. There is too much risk for my personal taste, and I really don’t mind getting off my butt to turn lights on or off (although I do see the usefulness of a security camera you can access with your phone).
Update
A Ring spokesperson reached out to us with a statement:
Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security.
We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s “Shared Users” feature. This way, owners maintain control over who has access to their devices and can immediately remove users.
Our team is taking additional steps to further improve the password change experience.
Which is pretty standard advice: don’t share your login information with others. But that doesn’t help in Mr. Echezarreta’s situation, where the other person already had the credentials. If you change a password, every session where you are logged in should be invalidated immediately, on every device. Ring now says it has changed its system so that will be the case going forward.
@cubefan:
That’s very useful intel and insight. This corroborates what I’ve heard from security experts, or at least people with more training in security than I’ve had.
Given your assessment, and the point that security has to be inbuilt from the conception and design of the product, and as most of these products are being built in countries that are hostile to user privacy and data security, this seems unlikely to occur, barring international agreement on security protocols and specs as a standard for market access.
Equally valid is your point about secure gateways or gatekeepers, however that only underscores the nascent market for AI equipped with sentry mode that can stand guard over your devices, and backed by a hardened router system.
This is a problem that plays to Apple’s strengths to solve, and a market ripe for them to dominate.
I’ve been giving presentations on #IoT security, or the lack of it, for over two years. There are numerous examples of sloppy and lazy execution in code development for many ‘security’ and ‘smart home’ devices. The outcome of which is devices being used for DDoS attacks in their hundreds of thousands, where the result is material harm.
Worse are organisations connecting their SCADA systems without adequate firewall protection, because taking control of power distribution or national infrastructure is possible.
A truly secure gateway doesn’t exist – because home broadband routers aren’t up to the job – they too suffer from the same inadequate code development and testing regimes – or originate from countries/organisations with a vested interest in leaving more holes than a swiss cheese.
So, right now, if you want a secure smart home, you’ll need to build it yourself.
Smart Device security has to be built in from the start of product development, with rigorous testing throughout the process before release to an unsuspecting customer base.
Andrew:
I’ve taken a similar position for basically the same reasons. I actually want to install smart devices in my home for many practical purposes, including energy conservation (my wife is hardwired to leave lights on in her wake… I can tell the path she’s taken) and security (remotely managing locks and lights is an obvious security enhancement). However, I’ve talked to enough people in the business to appreciate how vulnerable the devices remain, and that’s for the exploits that professionals know about. Never mind hacker ingenuity and state-sponsored exploits. I recognise when I’m out of my depth.
What is needed is industrial-level protection that can serve as a gatekeeper, and can decide what things a given device can and cannot do without alerting the user that an unusual request is being made, while alerting the user when an anomalous request is made, as defined by the background range of requests from both the entire population of users and that user’s personal history. This is a function that I would like HomeKit or its successor to perform, or perhaps Siri in tactical mode.
At some point, this oversight is something that will likely be handed off to a hardened AI, whose vigilance can be updated in real time in the background to keep pace with all known and theoretical exploits.