Amazon Ring: Explaining concerns about the smart, controversial doorbell, from privacy to hacking

How secure are camera doorbells? – Mar 5, 2020

You’ve likely done it more than a few times: step up to someone’s door and ring the bell.

However, since the advent of the smart doorbell known as Ring, that simple act has brought on a whole host of other concerns — chief among them, privacy and security.

When Ring was first introduced, people weren’t exactly lining up to buy it. In fact, the CEO, Jamie Siminoff, struck out on the hit show Shark Tank back in 2013 when he tried to sell the Sharks on the Doorbot, a video-enabled smart doorbell that could connect to your phone.

Fast-forward to 2020 and the Doorbot is now Ring, with a massive parent company behind it — Amazon. Now those Ring doorbells and even interior security cameras are finding their way into millions of homes all over the globe.

But they’ve also sparked security and privacy concerns that just will not go away.

Security and privacy concerns

Ring established itself as a home security device by selling customers on its ability to help keep their homes safe. The device connects to your smartphone or other internet-connected device via Wi-Fi. It also allows consumers to connect to its social media platform called Neighbours.

It is here where customers can upload footage from their own devices of any suspicious activity. But it’s also this social media platform that has caused concern among some about racism and privacy.

Former Ontario Information and Privacy Commissioner Ann Cavoukian says these concerns are real, particularly with respect to facial recognition and identifying the wrong person as the perpetrator of a crime.

“There was a study that came out a few months ago. It said that 81 per cent of matches arising from facial recognition use by the UK police are false positives,” said Cavoukian.

“They falsely identify someone being a person of interest and it is wrong. Can you imagine trying to clear your name?”

Although the company is not using these types of facial recognition technologies in their video doorbell systems, Cavoukian says there is still strong concern over privacy.

People may not have any idea they are being filmed and the cameras might be getting more than just the front door, including public spaces such as sidewalks or other private spaces — like a neighbour’s home.

“The Ring cameras were theoretically intended to be very narrow in scope,” Cavoukian said. “If anything they have tripled their scope, and it’s upsetting a lot of people.”

Privacy concerns extend beyond just capturing footage of people on the doorbell video system. There is also concern about the company’s own privacy policies. Some feel the policy is too porous and that the consumer has no protection of anything captured on the device.

Lisa Kearney is a cybersecurity consultant and head of the Women CyberSecurity Society and has examined Ring’s privacy policy. She warns that the policy is constantly evolving and allows your private data to be shared with others.

“If you go to their privacy policy and you drill down, there’s actually four other agreements that they have with four other partners, which pretty much gives you no expectation of privacy,” said Kearney.

Cavoukian adds that privacy is the very foundation of our society, saying she worries that those lax security policies and vulnerabilities are eroding it.

“You cannot have free and democratic societies without a solid foundation of privacy. If you value your privacy…if you value your freedom, you value your privacy, do not let it slip away,” said Cavoukian.

“We have to protect this.”

It was concerns over privacy — and by extension, security — that prompted the U.S. Senate to write a letter to Amazon CEO Jeff Bezos, expressing concerns that Ring was providing sensitive data to third parties in countries like Ukraine that could ultimately put U.S. national security at risk.

It’s also these concerns over privacy that prompted an Amazon engineer to take the rare step of speaking out against the device in a blog post on Medium, saying the Ring should be discontinued.

Hacking fears and links to law enforcement agencies

Privacy concerns have become central to fears over how secure these devices really are.

“The downside is that they don’t build in security mechanisms or controls prior to shipping to market or putting into production, so usually they come with default usernames and passwords,” said Kearney.

“Oftentimes the applications that the products are built upon are not tested for security vulnerabilities.”

It’s those vulnerabilities that are being exploited by hackers, and although Ring is doing its best to keep up with patching security, the ultimate fix lies with consumers who need to constantly download the fixes and check for updates.

“You need to be updating and patching these devices as often as you can, and that would equally apply to the Ring doorbell,” said David Masson, director of enterprise security for DarkTrace, a cybersecurity consulting group.

Keeping devices, including Ring, up to date is only part of the picture. Another gold mine for hackers is data breaches, where usernames and passwords end up on the dark web for the taking.

Kevin Mitnick was once one of the most wanted hackers in the United States. He was eventually caught and spent time behind bars, before turning his skills for hacking into a business protecting companies and individuals from hackers.

Since then, he has become one of the leading authorities on cybersecurity in the U.S., regularly appearing on shows like Dr. Phil to discuss how to protect yourself online.

“There are tons of people out there that use the same username and password for years. They don’t change it or they use it in multiple locations, and then we have a problem with a ton of data breaches,” said Mitnick.

“Data breaches are when companies are compromised, databases are leaked or made public by hackers that contain usernames and passwords of people like you and I. So all this information is aggregated and there are sites out there.”

So how can you protect yourself?

If you still want a Ring doorbell or already have one, there are ways to mitigate the risks associated with having them. One of the primary ways to protect yourself is to strengthen your passwords and change them more frequently and to enable two-factor authentication for all your devices.

From both a technical and a personal standpoint, Kearney had the following recommendations:

  • Consumers should carefully research any Internet of Things (IoT) devices before purchasing to ensure they don’t have inherent vulnerabilities or poor privacy protection.
  • Use a strong, complex password using uppercase and lowercase letters, numbers and special characters. Using a password manager helps with that.
  • Ensure your password is unique. Do not reuse passwords. Use a password service like HaveIBeenPwned to alert you to hacked accounts.
  • Do not share your password with anyone. Create a separate account for those that need device access.
  • Enable two-factor authentication. Use SMS, an authenticator app, a hardware key or another OTP method.
  • Update your software, OS and other applications on your personal device.
  • Limit physical access to your home network devices and equipment.
  • Perform regular offline backups to remediate against ransomware.
  • Disable unnecessary ports, protocols and services.
  • Isolate IoT devices on a separate isolated network.
  • Use geolocation blocking at the device or firewall level to prevent anyone from logging in from countries outside of your home region.
  • As an additional layer, you can enable IP range or MAC (Media Access Control) address filtering to whitelist your own IP and MAC addresses.
  • Update firmware and apply patches when released to prevent malware.
