Typical users don’t take extra steps for security. Companies need to require them.
In the wake of news last week that a hacker was able to watch and communicate with an 8-year-old girl in Mississippi by using an Amazon Ring camera her parents had installed in her bedroom, the connected security-camera company downplayed the incident and deflected the blame from itself.
“Rest assured, we’ve investigated these incidents and did not find any indication of an unauthorized intrusion or compromise of Ring’s systems or network,” read an email sent to Ring users a few days after the highly publicized incident. Yet some Ring customers across the country reported similar hacks of their smart cameras and video doorbells.
Ring’s defense misses the point and is a disservice to its customers. Yes, it’s important to know that the hack wasn’t a breach of Ring’s internal systems, but that is unlikely to prevent such hacks from continuing to happen. Rather than dismissing the incident and putting the blame on users, the company could roll out a simple change that privacy experts have long advocated for on just about any service or product requiring a login: mandatory two-factor authentication.
The hacker had gotten access to the camera by using a login and password found online, in a database of previously compromised login info (you can check if your logins have been compromised by going to haveibeenpwned.com). Connecting to a Ring camera from anywhere is a feature of Ring, though it’s intended to be available only to the device owners and the people they choose.
Ring suggests in the email that consumers practice better password security by not reusing passwords, updating passwords regularly, and by enabling two-step authentication, a process that requires users to supplement their username and password with an extra piece of information, usually a personal code generated from their phone, in order to log in.
Ring’s advice is sound. People should absolutely set up two-factor authentication on their devices and they can also check to see if any of their logins have been compromised by going to haveibeenpwned.com. But expecting regular consumers to take these precautions on their own rarely works. One study found that less than one-third of Americans are using two-factor authentication, and more than half had never even heard of it.
Most people simply go with the easiest thing possible: the username and password they actually remember — the one they’ve used before.
It’s ironic that a product that unrealistically inflates users’ fear of crime is itself less than secure. These issues, of course, are not unique to Ring.
“Ring isn’t a camera; it’s an internet-connected computer that happens to have a camera on it,” Brian Vecci, field CTO at data protection and analytics company Varonis, told Recode. “Any internet-connected computer is vulnerable to attack.”
Ring is a mass-market, highly popular device that’s likely showing up under trees and in gift wrap across the country this holiday season, despite warnings from consumer groups of its various privacy issues, including the inadvertent sharing of the location of your Ring device without permission and police handing over Ring footage to ICE and other law enforcement agencies, in addition to the ongoing potential for hacking.
Ring could make consumers do the right thing and mandate two-factor authentication, or assign its own unique passwords.
There’s also more Ring could be doing itself.
It could require confirmation from device owners before allowing new sign-ons. It could also better detect suspicious behavior like multiple login attempts or logins from strange locations.
This is, of course, a trade-off.
“Security is often in contrast to convenience,” Vecci said. “Ring could hypothetically require using a fingerprint reader every time, but no one would use it. They’re trying to balance convenience with security.”
Small inconveniences, however, are preferable to big violations of personal privacy.
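The checks suggested above (owner confirmation before a new sign-on, and flagging repeated login attempts or logins from strange locations) could look like the following. This is an added example, not Ring's code and not part of the original article; the event fields, thresholds and decision names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # assumed threshold
WINDOW = timedelta(minutes=10)    # assumed look-back window

# Constructed sample events, not real Ring data:
# (timestamp, account, country, device, password_ok)
EVENTS = [
    ("2019-12-10T08:00:00", "alice", "US", "phone-a", True),
    ("2019-12-10T21:00:00", "alice", "US", "phone-a", True),
    ("2019-12-11T03:00:05", "alice", "XX", "web-x", False),
    ("2019-12-11T03:00:09", "alice", "XX", "web-x", False),
    ("2019-12-11T03:00:14", "alice", "XX", "web-x", False),
    ("2019-12-11T03:00:20", "alice", "XX", "web-x", True),
    ("2019-12-11T07:30:00", "alice", "US", "phone-a", True),
]

def review_logins(events):
    """Return one (timestamp, account, decision, reason) tuple per event."""
    known = defaultdict(set)        # account -> approved (country, device) pairs
    failures = defaultdict(deque)   # account -> times of recent failed attempts
    results = []
    for ts, account, country, device, password_ok in events:
        now = datetime.fromisoformat(ts)
        recent = failures[account]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()        # forget failures older than the window
        origin = (country, device)
        if not password_ok:
            recent.append(now)
            if len(recent) >= MAX_FAILURES:
                verdict = ("alert", "repeated failed logins")
            else:
                verdict = ("deny", "wrong password")
        elif not known[account]:
            known[account].add(origin)   # first successful login enrolls the device
            verdict = ("allow", "first device enrolled")
        elif origin in known[account] and len(recent) < MAX_FAILURES:
            verdict = ("allow", "known device and location")
        else:
            # A correct password is not enough: hold until the owner confirms.
            verdict = ("confirm", "new origin or follows failed attempts")
        results.append((ts, account) + verdict)
    return results

if __name__ == "__main__":
    for row in review_logins(EVENTS):
        print(*row)
```

The sixth sample event has the right password but is held for owner confirmation, which is the case a reused, previously leaked password produces.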
Author: Rani Molla