CES With criticism mounting, Amazon’s Ring revealed a web dashboard of privacy controls it hopes will slash the number of horror stories coming from customers.
On Monday, in time for this year’s CES in Las Vegas, the home surveillance camera and internet-connected doorbell specialist made a point of unveiling an account control panel it hopes will allow users to better manage the access settings on their devices and keep hackers and other intruders out. The new controls will be available across all products.
“This latest feature will make it easy to view and control privacy and security settings from one dashboard,” Ring said of the new feature.
“The Control Center will initially let you see and manage your connected mobile, desktop, and tablet devices, as well as third-party services; it will also enable you to opt out of receiving video requests in areas where local police have joined the Neighbors app.”
This comes after Ring found itself under fire on a number of fronts for its privacy policies and security protections. In particular, the close relationship Ring struck with America’s plod has worried civil rights groups who believe that the cameras provide officers with excessive levels of surveillance power. In short, Ring encourages folks to share their web-connected cam footage with neighbors and the police, opening up a whole can of worms regarding privacy and consent.
And it doesn’t alert owners to multiple logins from across the country or world – a tell-tale sign of an account compromise – nor limit the rate at which miscreants can attempt to guess account passwords. It does not direct people to use multi-factor authentication, nor does it require strong passwords, and nor does it reject username-password combinations known to be stolen from other websites. It basically fails to prevent netizens from falling foul of brute-force attacks and credential stuffing, and subsequent security device hijackings, by miscreants on the other side of the internet.
Don’t expect the dashboard rollout to solve any of these worries. Digital-rights group Fight for the Future was quick to dismiss the CES announcement as “a total joke.” The dashboard “amounts to little more than a cosmetic redesign,” the campaigners added, and no new protections have been added, we’re told.
“Amazon is still putting the responsibility on users to protect these devices, knowing full well that they won’t,” thundered Fight for the Future deputy director Evan Greer.
“You can’t sell a car without seat belts or airbags and then say the driver should have installed them when they get in a crash. Amazon is selling cheap, insecure, internet-connected surveillance cameras and convincing people to put them inside their homes, knowing that they put those people in danger.”
And then there’s the matter of the lawsuits. In December, a class-action case emerged in the US over a spate of hacks of in-home Ring surveillance cameras. And in California on Friday, a second suit [PDF] was filed complete with harrowing details of what lawyers for the plaintiffs call a “living nightmare” enabled by shoddy Ring security.
No wonder cops are so keen on Ring – they can slurp your doorbell footage with few limits, US senators complain
Named Plaintiffs Ashley LeMay and Dylan Blakeley recounted a time when a hacker broke into the couple’s Ring security camera over the internet, and began playing music over the gizmo to lure their 8-year-old daughter into a bedroom where the miscreant could speak to the child.
“Intrigued by the music, the Blakeleys’ eight-year-old daughter, A., went to the room she shares with two of her younger sisters to investigate. But the room was empty. As A. wandered the room, looking for the source of the music, the song abruptly stopped, and a man’s voice rang out: ‘Hello there’,” the filing recounts.
“It was a stranger — an unknown hacker, who had taken over the Blakeleys’ account and had the ability to see, hear, and speak to A. inside her own room. In a chilling exchange captured on the device’s video recording, the hacker began shouting racial slurs at A. and encouraging her to misbehave.”
The lawsuit states that there are a number of glaring flaws in Ring’s security, such as allowing multiple logins from different IP addresses, not insisting on two-factor authentication and, even then, only using text messages for multi-factor login codes, leaving people open to SIM-jacking attacks.
It might take a bit more than a dashboard to fix this. ®
Tech News from Search $ Technology