Amazon used “security” to sell Ring doorbells, then blamed customers when hackers broke into them

[Amazon’s surveillance doorbell company Ring sells “security” — the sense that surveilling your porch or your driveway or your home can make you safe. But when the company experienced a grotesque and completely predictable breach that saw hackers breaking into Ring cameras and spying on and tormenting their owners, Amazon blamed their customers for recycling passwords. In this outstanding Deeplinks post, my EFF colleagues, Cooper Quintin and Bill Budington explain just how odious this victim-blaming really is. -Cory]

Just a week after hackers broke into a Ring camera in a child’s bedroom, taunting the child and raising serious questions about the company’s security practices, Buzzfeed News is reporting that over 3,600 Ring owners’ email addresses, passwords, camera locations, and camera names were dumped online. This includes cameras recording private spaces inside homes.

This new leak could potentially give criminals and stalkers access to view live video feeds from inside and around countless Ring customers’ homes, see archived videos, and determine the precise location of all Ring devices attached to the compromised account by studying the orientation of the video footage and the location information attached to each camera.

Ring has claimed that this attack was the result of credential stuffing, a technique where attackers collect usernames and passwords compromised in another data breach and try them on other websites. Ring is trying to put the blame squarely at the feet of their customers for reusing passwords, using weak passwords, and not turning on two-factor authentication.

We don’t currently know how the Ring account information was obtained, but for the moment let’s take Ring at their word that this was a credential stuffing attack. That means that an attacker tried tens or even hundreds of thousands of username and password combinations on Ring’s site, and Ring didn’t even notice until they were alerted by security researchers.

Best practices in website security offer a few basic guidelines. Multiple successive failed attempts on an account should result in additional scrutiny for logging in to that account.
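One way to implement that check, as an added example that is not from the original post or from Ring: the event format, thresholds, and sample events below are assumptions constructed for illustration. It shows why a per-account failure counter alone misses credential stuffing, where each account is tried only once, and why failures also need to be counted per source.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, success).
# IPs are from documentation ranges; usernames are made up.
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", "alice", False),
    (1002, "198.51.100.7", "bob", False),
    (1004, "198.51.100.7", "carol", True),   # a reused password worked
    (1006, "198.51.100.7", "dave", False),
    (1008, "198.51.100.7", "erin", False),
    (1010, "203.0.113.9", "frank", False),
    (1020, "203.0.113.9", "frank", False),
    (1030, "203.0.113.9", "frank", False),
    (1040, "203.0.113.9", "frank", True),
    (1050, "192.0.2.44", "grace", True),
]

def analyze(events, max_consecutive_failures=3,
            max_accounts_per_source=4, window=300):
    """Return (step_up_accounts, stuffing_sources, review_accounts)."""
    streak = defaultdict(int)      # username -> consecutive failed logins
    failures = defaultdict(list)   # source -> [(ts, username)] within window
    successes = defaultdict(set)   # source -> usernames that logged in
    step_up, sources = set(), set()
    for ts, src, user, ok in sorted(events):
        if ok:
            streak[user] = 0
            successes[src].add(user)
            continue
        # Per-account rule: repeated failures mean extra scrutiny (e.g. 2FA).
        streak[user] += 1
        if streak[user] >= max_consecutive_failures:
            step_up.add(user)
        # Per-source rule: one origin failing against many distinct accounts
        # is the stuffing pattern, even if each account is tried only once.
        failures[src] = [(t, u) for t, u in failures[src] if ts - t <= window]
        failures[src].append((ts, user))
        if len({u for _, u in failures[src]}) >= max_accounts_per_source:
            sources.add(src)
    # Any login that succeeded from a flagged source is a likely takeover.
    review = set().union(*(successes[s] for s in sources))
    return step_up, sources, review

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The accounts in the review set are the ones to notify and force through a password reset, since the matching password is already in an attacker's list.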

Ring cameras have extremely sensitive data (live footage adjacent to and often within the home) at their disposal. This means that Ring should be extra careful with account information, not just using basic account protections. And although Ring has 2FA available for accounts, they rarely encourage its use to protect user accounts, with the exception of the e-mail above. They appear not to have followed any of the other best practices noted above. And instead of giving users clear channels of remediation, they’re placing the blame for the data breach on their own users.

Ring has shown a pattern of being negligent in implementing even basic web application security controls. As late as February they sent video feeds to their cloud providers completely unencrypted.

(Crossposted from EFF Deeplinks).


Angie Ronson

Angie Ronson is Editor-in-Chief at THRS. She covers the transformative impact of new technology on all sectors.