The rapidly growing smart home market has a serious security problem, and Ring’s product line has been a prime example. The Amazon-owned company offers doorbells and home security cameras that are connected to the Internet to allow homeowners remote access to video feeds. Some of its products will now receive end-to-end encryption for the first time, two years after Amazon acquired the company and six years after the launch of the flagship doorbell camera product.
During that time, the company has struggled with a variety of security issues related to unauthorized access to user feeds, as well as questionable partnerships with law enforcement agencies that have raised concerns about extrajudicial surveillance. .
Ring’s end-to-end encryption launches in response to criticism
Ring has a troubling history of security and privacy issues, the most prominent of which after Amazon’s acquisition of the company. A series of security breaches in 2019 caused hackers to take over user accounts, in some cases talking to them through the system. While Ring systems are password protected, investigations by security experts found that there is no system in place to identify multiple suspicious login attempts. This made it trivial for attackers to use “brute force” systems by guessing passwords or working from information obtained from other data breaches. A flaw was also discovered that leaked WiFi information locally, including usernames and passwords, although it does not appear to have ever been used in an attack.
Ring has since patched these vulnerabilities, but end-to-end encryption provides much stronger security against any similar issues that may arise in the future. A company blog post indicates that stored video is already encrypted on Ring’s cloud system, but will now also be encrypted in transit to authorized user devices.
However, the feature is not available to all users yet; It is in a “technical preview” mode that is scheduled to be fully rolled out over the next several months. The feature should appear in the Ring App “Control Center” once it is available. However, Ring notes that some of its features that rely on decryption video will not work while end-to-end encryption is enabled, including “Motion Verification” and “People Only Mode.” This would seem to preclude the use of end-to-end encryption in modes that attempt to verify that the movement is caused by a human before sending a notification to the user.
The feature is apparently not coming to all of the company’s devices either, at least not initially. End-to-end encryption will be available on the “Pro” and “Elite” models of the Video Doorbell product, but not on the most basic wireless doorbell model. In addition to a price difference of about $ 50 per unit, the Pro model must be wired to work. Product lines that are no longer supported, such as the first generation of video doorbells, are also not supported. The “peephole camera” and the cordless versions of the Stick-Up Cam and Spotlight Cam are also not eligible for end-to-end encryption. And users must have a fairly recent version of iOS (12.0 or newer) or Android (8.0 or newer) for the feature to be available.
End-to-end encryption may not resolve trust issues
While end-to-end encryption helps protect users from unauthorized access to videos by hackers, it doesn’t necessarily do much to address two other trust issues that have been looming over the business: your access. internal to users’ videos and exactly what it shares with law enforcement agencies.
Ring’s policy has long been that employees are not supposed to access customer videos without express permission. Complaints and investigations dating back to 2016 have claimed that this is not the case. It’s unclear whether the end-to-end encryption feature will completely prevent this possibility, if the device in question even has the capability.
Amazon’s partnerships with law enforcement agencies also became a problem in 2019. The company offered law enforcement agencies access to Neighbors, a companion app that allows users to upload videos of potentially suspicious activity with various levels of public exchange. Critics noted that law enforcement agencies are generally forced to obtain a court order to install or access video recording devices on private property, something for which Ring created a shortcut. Of particular concern was the potential for Amazon to link its Rekognition facial recognition database, also used by law enforcement agencies until a one-year moratorium was issued in 2020, to the images reviewed by law enforcement. Even with end-to-end encryption in place, images uploaded to Neighbors will first need to be decrypted before they can be shared.
While end-to-end encryption helps protect users from hackers, it doesn’t necessarily do much to address other trust issues that have been looming over the company. #privacy #respectdata
Ring users will also need to be proactively aware of the new video encryption feature as it will not be enabled by default.