Ring slightly overhauls security and privacy, but it’s still not enough

Security camera maker Ring is updating its service to improve account security and give more control when it comes to privacy. Once again, this is yet another update that makes the overall experience slightly better but the Amazon-owned company is still not doing enough to protect its users.

First, Ring is reversing its stance when it comes to two-factor authentication. Two-factor authentication is now mandatory — you can’t even opt out. So the next time you login on your Ring account, you’ll receive a six-digit code via email or text message to confirm your login request.

This is very different from what Ring founder Jamie Siminoff told me at CES in early January:

“So now, we’re going one step further, which is for two-factor authentication. We really want to make it an opt-out, not an opt-in. You still want to let people opt out of it because there are people that just don’t want it. You don’t want to force it, but you want to make it as forceful as you can be without hurting the customer experience.”

Security experts all say that sending you a code by text message isn’t perfect. It’s better than no form of two-factor authentication, but text messages are not secure. They’re also tied to your phone number. That’s why SIM-swapping attacks are on the rise.

As for sending you a code via email, it really depends on your email account. If you haven’t enabled two-factor authentication on your email account, then Ring’s implementation of two-factor authentication is basically worthless. Ring should let you use app-based two-factor with the ability to turn off other methods in your account.

And that doesn’t solve Ring’s password issues. As Motherboard originally found out, Ring doesn’t prevent you from using a weak password and reusing passwords that have been compromised in security breaches from third-party services.

A couple of weeks ago, TechCrunch’s Zack Whittaker could create a Ring account with “12345678” and “password” as the password. He created another account with “password” a few minutes ago.

When it comes to privacy, the EFF called out Ring’s app as it shares a ton of information with third-party services, such as branch.io, mixpanel.com, appsflyer.com and facebook.com. Worse, Ring doesn’t require meaningful consent from the user.

You can now opt out of third-party services that help Ring serve personalized advertising. As for analytics, Ring is temporarily removing most third-party analytics services from its apps (but not all). The company plans on adding a menu to opt out of third-party analytics services in a future update.

Enabling third-party trackers and letting you opt out later isn’t GDPR compliant. So I hope the onboarding experience is going to change as well as the company shouldn’t enable these features without proper consent at all.

Ring could have used this opportunity to adopt a far stronger stance when it comes to privacy. The company sells devices that you set up in your garden, your living room and sometimes even your bedroom. Users certainly don’t want third-party companies to learn more about your interactions with Ring’s services. But it seems like Ring’s motto is still: “If we can do it, why shouldn’t we do it.”

Gadgets – TechCrunch

Ring’s new security ‘control center’ isn’t nearly enough

On the same day that a Mississippi family is suing Amazon -owned smart camera maker Ring for not doing enough to prevent hackers from spying on their kids, the company has rolled out its previously announced “control center,” which it hopes will make you forget about its verifiably “awful” security practices.

In a blog post out Thursday, Ring said the new “control center,” “empowers” customers to manage their security and privacy settings.

Ring users can check to see if they’ve enabled two-factor authentication, add and remove users from the account, see which third-party services can access their Ring cameras, and opt-out of allowing police to access their video recordings without the user’s consent.

But dig deeper and Ring’s latest changes still do practically nothing to change some of its most basic, yet highly criticized security practices.

Questions were raised over these practices months ago after hackers were caught breaking into Ring cameras and remotely watching and speaking to small children. The hackers were using previously compromised email addresses and passwords — a technique known as credential stuffing — to break into the accounts. Some of those credentials, many of which were simple and easy to guess, were later published on the dark web.

Yet, Ring still has not done anything to mitigate this most basic security problem.

TechCrunch ran several passwords through Ring’s sign-up page and found we could enter any easy to guess password, like “12345678” and “password” — which have consistently ranked as some of the most common passwords for several years running.

To combat the problem, Ring said at the time users should enable two-factor authentication, a security feature that adds an additional check to prevent account breaches like password spraying, where hackers use a list of common passwords in an effort to brute force their way into accounts.

But Ring still uses a weak form of two-factor, sending you a code by text message. Text messages are not secure and can be compromised through interception and SIM swapping attacks. Even NIST, the government’s technology standards body, has deprecated support for text message-based two-factor. Experts say although text-based two-factor is better than not using it at all, it’s far less secure than app-based two-factor, where codes are delivered over an encrypted connection to an app on your phone.

Ring said it’ll make its two-factor authentication feature mandatory later this year, but has yet to say if it will ever support app-based two-factor authentication in the future.

The smart camera maker has also faced criticism for its cozy relationship with law enforcement, which has lawmakers concerned and demanding answers.

Ring allows police access to users’ videos without a subpoena or a warrant. (Unlike its parent company Amazon, Ring still does not published the number of times police demand access to customer videos, with or without a legal request.)

Ring now says its control center will allow users to decide if police can access their videos or not.

But don’t be fooled by Ring’s promise that police “cannot see your video recordings unless you explicitly choose to share them by responding to a specific video request.” Police can still get a search warrant or a court order to obtain your videos, which isn’t particularly difficult if police can show there’s reasonable grounds that it may contain evidence — such as video footage — of a crime.

There’s nothing stopping Ring, or any other smart home maker, from offering a zero-knowledge approach to customer data, where only the user has the encryption keys to access their data. Ring cutting itself (and everyone else) out of the loop would be the only meaningful thing it could do if it truly cares about its users’ security and privacy. The company would have to decide if the trade-off is worth it — true privacy for its users versus losing out on access to user data, which would effectively kill its ongoing cooperation with police departments.

Ring says that security and privacy has “always been our top priority.” But if it’s not willing to work on the basics, its words are little more than empty promises.

Gadgets – TechCrunch