Tag: Security

Posted on

Ring slightly overhauls security and privacy, but it’s still not enough

Security camera maker Ring is updating its service to improve account security and give more control when it comes to privacy. Once again, this is yet another update that makes the overall experience slightly better but the Amazon-owned company is still not doing enough to protect its users.

First, Ring is reversing its stance when it comes to two-factor authentication. Two-factor authentication is now mandatory — you can’t even opt out. So the next time you login on your Ring account, you’ll receive a six-digit code via email or text message to confirm your login request.

This is very different from what Ring founder Jamie Siminoff told me at CES in early January:

“So now, we’re going one step further, which is for two-factor authentication. We really want to make it an opt-out, not an opt-in. You still want to let people opt out of it because there are people that just don’t want it. You don’t want to force it, but you want to make it as forceful as you can be without hurting the customer experience.”

How Ring is rethinking privacy and security

Security experts all say that sending you a code by text message isn’t perfect. It’s better than no form of two-factor authentication, but text messages are not secure. They’re also tied to your phone number. That’s why SIM-swapping attacks are on the rise.

As for sending you a code via email, it really depends on your email account. If you haven’t enabled two-factor authentication on your email account, then Ring’s implementation of two-factor authentication is basically worthless. Ring should let you use app-based two-factor with the ability to turn off other methods in your account.

And that doesn’t solve Ring’s password issues. As Motherboard originally found out, Ring doesn’t prevent you from using a weak password and reusing passwords that have been compromised in security breaches from third-party services.

A couple of weeks ago, TechCrunch’s Zack Whittaker could create a Ring account with “12345678” and “password” as the password. He created another account with “password” a few minutes ago.

When it comes to privacy, the EFF called out Ring’s app as it shares a ton of information with third-party services, such as branch.io, mixpanel.com, appsflyer.com and facebook.com. Worse, Ring doesn’t require meaningful consent from the user.

You can now opt out of third-party services that help Ring serve personalized advertising. As for analytics, Ring is temporarily removing most third-party analytics services from its apps (but not all). The company plans on adding a menu to opt out of third-party analytics services in a future update.

Enabling third-party trackers and letting you opt out later isn’t GDPR compliant. So I hope the onboarding experience is going to change as well as the company shouldn’t enable these features without proper consent at all.

Ring could have used this opportunity to adopt a far stronger stance when it comes to privacy. The company sells devices that you set up in your garden, your living room and sometimes even your bedroom. Users certainly don’t want third-party companies to learn more about your interactions with Ring’s services. But it seems like Ring’s motto is still: “If we can do it, why shouldn’t we do it.”

Gadgets – TechCrunch

Posted on

Ring’s new security ‘control center’ isn’t nearly enough

On the same day that a Mississippi family is suing Amazon -owned smart camera maker Ring for not doing enough to prevent hackers from spying on their kids, the company has rolled out its previously announced “control center,” which it hopes will make you forget about its verifiably “awful” security practices.

In a blog post out Thursday, Ring said the new “control center,” “empowers” customers to manage their security and privacy settings.

Ring users can check to see if they’ve enabled two-factor authentication, add and remove users from the account, see which third-party services can access their Ring cameras, and opt-out of allowing police to access their video recordings without the user’s consent.

But dig deeper and Ring’s latest changes still do practically nothing to change some of its most basic, yet highly criticized security practices.

Questions were raised over these practices months ago after hackers were caught breaking into Ring cameras and remotely watching and speaking to small children. The hackers were using previously compromised email addresses and passwords — a technique known as credential stuffing — to break into the accounts. Some of those credentials, many of which were simple and easy to guess, were later published on the dark web.

Yet, Ring still has not done anything to mitigate this most basic security problem.

TechCrunch ran several passwords through Ring’s sign-up page and found we could enter any easy to guess password, like “12345678” and “password” — which have consistently ranked as some of the most common passwords for several years running.

To combat the problem, Ring said at the time users should enable two-factor authentication, a security feature that adds an additional check to prevent account breaches like password spraying, where hackers use a list of common passwords in an effort to brute force their way into accounts.

But Ring still uses a weak form of two-factor, sending you a code by text message. Text messages are not secure and can be compromised through interception and SIM swapping attacks. Even NIST, the government’s technology standards body, has deprecated support for text message-based two-factor. Experts say although text-based two-factor is better than not using it at all, it’s far less secure than app-based two-factor, where codes are delivered over an encrypted connection to an app on your phone.

Ring said it’ll make its two-factor authentication feature mandatory later this year, but has yet to say if it will ever support app-based two-factor authentication in the future.

The smart camera maker has also faced criticism for its cozy relationship with law enforcement, which has lawmakers concerned and demanding answers.

Ring allows police access to users’ videos without a subpoena or a warrant. (Unlike its parent company Amazon, Ring still does not published the number of times police demand access to customer videos, with or without a legal request.)

Ring now says its control center will allow users to decide if police can access their videos or not.

But don’t be fooled by Ring’s promise that police “cannot see your video recordings unless you explicitly choose to share them by responding to a specific video request.” Police can still get a search warrant or a court order to obtain your videos, which isn’t particularly difficult if police can show there’s reasonable grounds that it may contain evidence — such as video footage — of a crime.

There’s nothing stopping Ring, or any other smart home maker, from offering a zero-knowledge approach to customer data, where only the user has the encryption keys to access their data. Ring cutting itself (and everyone else) out of the loop would be the only meaningful thing it could do if it truly cares about its users’ security and privacy. The company would have to decide if the trade-off is worth it — true privacy for its users versus losing out on access to user data, which would effectively kill its ongoing cooperation with police departments.

Ring says that security and privacy has “always been our top priority.” But if it’s not willing to work on the basics, its words are little more than empty promises.

Over 1,500 Ring passwords have been found on the dark web

Gadgets – TechCrunch

Posted on

How Ring is rethinking privacy and security

Ring is now a major player when it comes to consumer video doorbells, security cameras — and privacy protection.

Amazon acquired the company and promotes its devices heavily on its e-commerce websites. Ring has even become a cultural phenomenon with viral videos being shared on social networks and the RingTV section on the company’s website.

But that massive success has come with a few growing pains; as Motherboard found out, customers don’t have to use two-factor authentication, which means that anybody could connect to their security camera if they re-use the same password everywhere.

When it comes to privacy, Ring’s Neighbors app has attracted a ton of controversy. Some see it as a libertarian take on neighborhood watch that empowers citizens to monitor their communities using surveillance devices.

Others have questioned partnerships between Ring and local police to help law enforcement authorities request videos from Ring users.

In a wide-ranging interview, Ring founder Jamie Siminoff looked back at the past six months, expressed some regrets and defended his company’s vision. The interview was edited for clarity and brevity.

TechCrunch: Let’s talk about news first. You started mostly focused on security cameras, but you’ve expanded way beyond security cameras. And in particular, I think the light bulb that you introduced is pretty interesting. Do you want to go deeper in this area and go head to head against Phillips Hue for instance?

Jamie Siminoff: We try not to ever look at competition — like the company is going head to head with… we’ve always been a company that has invented around a mission of making neighborhoods safer.

Sometimes, that puts us into a place that would be competing with another company. But we try to look at the problem and then come up with a solution and not look at the market and try to come up with a competitive product.

No one was making — and I still don’t think there’s anyone making — a smart outdoor light bulb. We started doing the floodlight camera and we saw how important light was. We literally saw it through our camera. With motion detection, someone will come over a fence, see the light and jump back over. We literally could see the impact of light.

So you don’t think you would have done it if it wasn’t a light bulb that works outside as well as inside?

For sure. We’ve seen the advantage of linking all the lights around your home. When you walk up on a step light and that goes off, then everything goes off at the same time. It’s helpful for your own security and safety and convenience.

The light bulbs are just an extension of the floodlight. Now again, it can be used indoor because there’s no reason why it can’t be used indoor.

Following Amazon’s acquisition, do you think you have more budget, you can hire more people and you can go faster and release all these products?

It’s not a budget issue. Money was never a constraint. If you had good ideas, you could raise money — I think that’s Silicon Valley. So it’s not money. It’s knowledge and being able to reach a critical mass.

As a consumer electronics company, you need to have specialists in different areas. You can’t just get them with money, you kind of need to have a big enough thing. For example, wireless antennas. We had good wireless antennas. We did the best we thought we could do. But we get into Amazon and they have a group that’s super highly focused on each individual area of that. And we make much better antennas today.

Our reviews are up across the board, our products are more liked by our customers than they were before. Jamie Siminoff

Our reviews are up across the board, our products are more liked by our customers than they were before. To me, that’s a good measure — after Amazon, we have made more products and they’re more beloved by our customers. And I think part of that is that we can tap into resources more efficiently.

And would you say the teams are still very separate?

Amazon is kind of cool. I think it’s why a lot of companies that have been bought by Amazon stay for a long time. Amazon itself is almost an amalgamation of a lot of little startups. Internally, almost everyone is a startup CEO — there’s a lot of autonomy there.

Gadgets – TechCrunch

Posted on

This autonomous security drone is designed to guard your home

One of the new products unveiled at CES this year is a new kind of home security system – one that includes drones to patrol your property, along with sensors designed to mimic garden light and a central processor to bring it all together.

Sunflower Labs debuted their new Sunflower Home Awareness System, which includes the eponymous Sunflowers (motion and vibration sensors that look like simple garden lights but can populate a map to show you cars, people and animals on or near you property in real time); the Bee (a fully autonomous drone that deploys and flies on its own, with cameras on board to live stream video); and the Hive (a charging station for the Bee, which also houses the brains of the operation for crunching all the data gathered by the component parts.)

Roving aerial robots keeping tabs on your property might seem a tad dystopian, and perhaps even unnecessary, when you could maybe equip your estate with multiple fixed cameras and sensors for less money and with less complexity. But Sunflower Labs thinks its security system is an evolution of more standard fare because it “learns and reacts to its surroundings,” improving over time.

The Bee is also designed basically to supplement more traditional passive monitoring, and can be deployed on demand to provide more detailed information and live views of any untoward activity detected on your property. So it’s a bit like having someone always at the ready to go check out that weird noise you heard in the night – without the risk to the brave checker-upper.

Sunflower Labs was founded in 2016, and has backing from General Catalyst, among others, with offices in both San Francisco and Zurich. The system doesn’t come cheap, which shouldn’t be a surprise given what it promises to do on paper – it starts at $ 9,950 and can range up depending on your specific property’s custom needs. The company is accepting pre-orders now, with a deposit of $ 999 required, and intends to start delivering the first orders to customers beginning sometime in the middle of this year.

CES 2020 coverage - TechCrunch

Gadgets – TechCrunch

Posted on

‘Plundervolt’ attack breaches chip security with a shock to the system

Today’s devices have been secured against innumerable software attacks, but a new exploit called Plundervolt uses distinctly physical means to compromise a chip’s security. By fiddling with the actual amount of electricity being fed to the chip, an attacker can trick it into giving up its innermost secrets.

It should be noted at the outset that while this is not a flaw on the scale of Meltdown or Spectre, it is a powerful and unique one and may lead to changes in how chips are designed.

There are two important things to know in order to understand how Plundervolt works.

The first is simply that chips these days have very precise and complex rules as to how much power they draw at any given time. They don’t just run at full power 24/7; that would drain your battery and produce a lot of heat. So part of designing an efficient chip is making sure that for a given task, the processor is given exactly the amount of power it needs — no more, no less.

The second is that Intel’s chips, like many others now, have what’s called a secure enclave, a special quarantined area of the chip where important things like cryptographic processes take place. The enclave (here called SGX) is inaccessible to normal processes, so even if the computer is thoroughly hacked, the attacker can’t access the data inside.

Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?

The creators of Plundervolt were intrigued by recent work by curious security researchers who had, through reverse engineering, discovered the hidden channels by which Intel chips manage their own power.

Hidden, but not inaccessible, it turns out. If you have control over the operating system, which many attacks exist to provide, you can get at these “Model-Specific Registers,” which control chip voltage, and can tweak them to your heart’s content.

Modern processors are so carefully tuned, however, that such tweak will generally just cause the chip to malfunction. The trick is to tweak it just enough to cause the exact kind of malfunction you expect. And because the entire process takes place within the chip itself, protections against outside influence are ineffective.

The Plundervolt attack does just this, using the hidden registers to very slightly change the voltage going to the chip at the exact moment that the secure enclave is executing an important task. By doing so they can induce predictable faults inside SGX, and by means of these carefully controlled failures cause it and related processes to expose privileged information. It can even be performed remotely, though of course full access to the OS is a prerequisite.

In a way it’s a very primitive attack, essentially giving the chip a whack at the right time to make it spit out something good, like it’s a gumball machine. But of course it’s actually quite sophisticated, since the whack is an electrical manipulation on the scale of millivolts, which needs to be applied at exactly the right microsecond.

The researchers explain that this can be mitigated by Intel, but only through updates at the BIOS and microcode level — the kind of thing that many users will never bother to go through with. Fortunately for important systems there will be a way to verify that the exploit has been patched when establishing a trusted connection with another device.

Intel, for its part, downplayed the seriousness of the attack. “We are aware of publications by various academic researchers that have come up with some interesting names for this class of issues, including “VoltJockey” and “Plundervolt,” it wrote in a blog post acknowledging the existence of the exploit. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”

Plundervolt is one of a variety of attacks that have emerged recently taking advantage of the ways that computing hardware has evolved over the last few years. Increased efficiency usually means increased complexity, which means increased surface area for non-traditional attacks like this.

The researchers who discovered and documented Plundervolt hail from the UK’s University of Birmingham, Graz University of Technology in Austria, and KU Leuven in Belgium. They are presenting their paper at IEEE S&P 2020.

Gadgets – TechCrunch