'We Tested Ring's Security. It's Awful' (vice.com)

"Ring lacks basic security features, making it easy for hackers to turn the company's cameras against its customers," reports Motherboard: Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in -- entirely common security measures across a wealth of online services... Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password....

Motherboard deliberately entered the wrong password to our account on the login portal while connecting from the Tor anonymity network dozens of times in quick succession. At no point did Ring try to limit our login attempts or present a captcha....

Ring does offer two-factor authentication, where a user is required to enter a second code sent to them as well as their password, but Ring does not force customers to use it. Motherboard verified that Ring's two-factor authentication does work as advertised, but multiple people who were logged into the app didn't have to log back in after it was enabled -- Ring didn't eject them nor ask them to enter a two-factor token...

From a smartphone app, someone who is logged in can watch live and historical footage, listen through the camera's microphone, speak through the camera's speaker, play an alarm, see the name of the specific Wi-Fi network the camera is connected to, see the address the user originally registered the Ring camera with, see the phone number a user has entered into the app, and see nearby crime "incidents." This shows the specific, user-selected home address plotted on a map. Ring requires that a user input a home address to set up the camera.
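The controls the summary says are missing (throttling failed logins per account and per source IP, flagging a login from an IP not seen before, checking a chosen password against a breach corpus, and forcing existing sessions to re-authenticate when 2FA is switched on) sketched as an added Python example. This is not Ring's or Motherboard's code; the breach corpus, thresholds and IP addresses are constructed, and the injectable clock is a hypothetical helper so the sliding window can be exercised offline.

```python
import hashlib
import secrets
import time
# Constructed breach corpus: SHA-1 of a few leaked passwords. Assumption: a real
# deployment would query a full breach dataset (e.g. a k-anonymity range API).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")}
MAX_FAILURES = 5        # failed attempts per account or per source IP before throttling
WINDOW_SECONDS = 600    # sliding window over which failures are counted


def is_breached(password: str) -> bool:
    """True if the chosen password appears in the breach corpus: reject it."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


class LoginGuard:
    """Throttles failed logins, flags unknown source IPs, and forces existing
    sessions to re-authenticate when 2FA is switched on."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so tests can advance time
        self.failures = {}      # (kind, id) -> timestamps of recent failures
        self.sessions = {}      # token -> {"user": ..., "reauth": bool}
        self.known_ips = {}     # username -> IPs that have logged in before

    def _recent(self, key):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures.get(key, []) if t > cutoff]
        return self.failures[key]

    def throttled(self, username, ip):
        # Per-account and per-source counts: guessing one account or spraying from one IP both trip it.
        return any(len(self._recent(k)) >= MAX_FAILURES
                   for k in (("user", username), ("ip", ip)))

    def login(self, username, ip, password_ok):
        """Returns (session_token or None, status)."""
        if self.throttled(username, ip):
            return None, "throttled"        # present a captcha or delay here
        if not password_ok:
            for k in (("user", username), ("ip", ip)):
                self._recent(k).append(self.now())
            return None, "bad_password"
        seen = self.known_ips.setdefault(username, set())
        status = "ok" if ip in seen else "new_ip"   # unknown IP: alert or step-up
        seen.add(ip)
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": username, "reauth": False}
        return token, status

    def active_sessions(self, username):
        return sum(1 for s in self.sessions.values() if s["user"] == username)

    def enable_2fa(self, username):
        for s in self.sessions.values():    # existing sessions must re-auth with 2FA
            if s["user"] == username:
                s["reauth"] = True
```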

  • by Brett Buck ( 811747 ) on Saturday December 21, 2019 @06:44PM (#59545862)

    Said no one, ever.

    • by raymorris ( 2726007 ) on Saturday December 21, 2019 @08:11PM (#59546076) Journal

      I expected to read that they came with default passwords, they don't support 2FA, etc - real problems. That's not the case.

      The author of the article found that Ring doesn't add more security protections that nobody else does either, such as "Ring doesn't appear to check a user's chosen password against known compromised user credentials". Approximately no products do that. Turning off 2FA and turning it on again doesn't log out other family members. Okay maybe logging everybody off when you do that would be a good idea, but it seems like rather a minor quibble.

      If what they reported are actually the worst things about Ring security, apparently Ring did a decent job (though not Fort Knox level security).

      • by Ryzilynt ( 3492885 ) on Saturday December 21, 2019 @11:40PM (#59546428)

        I expected to read that they came with default passwords, they don't support 2FA, etc - real problems. That's not the case.

        The author of the article found that Ring doesn't add more security protections that nobody else does either, such as "Ring doesn't appear to check a user's chosen password against known compromised user credentials". Approximately no products do that. Turning off 2FA and turning it on again doesn't log out other family members. Okay maybe logging everybody off when you do that would be a good idea, but it seems like rather a minor quibble.

        If what they reported are actually the worst things about Ring security, apparently Ring did a decent job (though not Fort Knox level security).

        The part about not checking if you are a bot and also not limiting the number of failed password attempts is curiously absent in your list of "worst offenses"

• Those are good things to check. Actually the first real money I made in security was selling login software I made which basically counted failed logins from IPs and had a captcha. It was a cool captcha I invented, way better than the distorted text ones. The captcha was a bit of a red herring but that's a different story.

          I sold about $2 million of that software, so I'm really kinda fond of those checks. Still, many, probably most, logins don't have a captcha.

          Every month I gather with some friends in the s

      • yes, exactly. they do support 2fa etc what you want.

did they test a real password after testing 10 false ones from the Tor network? if you're logging in yourself from the Tor network, how are they supposed to block the exit points?

        it might not be perfect but at least they make optional things that should be optional. it's not as awful as Google's multi factor authentication which ACTUALLY just turns into multi route password reset.. that's the kind of stuff I'd have liked to have known. not some shoddy two bit pen tes

      • I lived at Fort Knox once during my term of service, believe me it's not very secure. A public highway runs right through the middle of it.

        But yeah, I really hate it when some services implement the security measures that motherboard is asking for. Captchas are either totally useless or totally annoying. Recaptcha in particular tends to be hard to solve as it is very nitpicky. Some of the measures motherboard is asking for would pretty well piss me off as these are things that Amazon already does, and it su

      • Interestingly enough, I think AWS is working on the whole "check a user's chosen password against known compromised user credentials" as a service offering. Since Amazon owns Ring, I would hope that would be coming soon...
      • Ring is not offering basic security precautions, such as

        - double-checking whether someone logging in from an unknown IP address is the legitimate user

        That's not basic. That's pretty uncommon.

        or providing a way to see how many users are currently logged in -- entirely common security measures across a wealth of online services

        That's not basic either. That's pretty uncommon too. a "wealth of online services"? Can I postulate a guess at 1%?

        Ring doesn't appear to check a user's chosen password against known

    • [It's a shocking surprise!] Said no one, ever.

      There was a /. piece a couple weeks ago about the Ring system where I said basically the same thing as TFS and got modded down for it. Many Slashdotters are schizo as hell, apparently. Hilarious! :D

      Allow me to borrow a phrase from "Raz0rfist" the Rageaholic from YT fame:

      [spins in computer chair]

      "Fuck you, I was right!
      Fuck you, I was right!
      Fuck you, I was right!"

      Strat :D

  • I mean, they do absolutely nothing to protect customers that are not security-savvy. No mandatory 2FA, login from everywhere, no checks against leaked passwords, no nothing. For a company selling to the general public, that is not acceptable.

    • Even if they had 5FA, they'd still be a shit company ... the data generated by their cameras is stored on Someone Else's (Amazon's) computer without encryption at rest. The average Joe doesn't realize how bad of an idea this is.
      • by gweihir ( 88907 ) on Saturday December 21, 2019 @07:20PM (#59545958)

        Even if they had 5FA, they'd still be a shit company ... the data generated by their cameras is stored on Someone Else's (Amazon's) computer without encryption at rest. The average Joe doesn't realize how bad of an idea this is.

        And that is just it. They shamelessly do it on-the-cheap, relying on ordinary people not knowing what a bad idea that is.

        • by b0s0z0ku ( 752509 ) on Saturday December 21, 2019 @07:23PM (#59545970)
          The issue isn't "on the cheap." It's that their entire business model (essentially creating a worldwide, private surveillance network) sucks rocks. Unless they started using encryption at rest and/or allowed for local storage, no "security" measures would change my opinion of them. Fuck Ring, fuck Amazon.
          • by gweihir ( 88907 )

            That too, agreed.

          • by AmiMoJo ( 196126 ) on Saturday December 21, 2019 @10:03PM (#59546328) Homepage Journal

            If you live in Europe and your neighbor gets a Ring camera be sure to hit them with some GDPR data subject access requests and some data removal requests. Remind them to put up CCTV warning signs too.

If you live elsewhere then you better start lobbying for privacy laws.

• In America, you cannot trespass the eyes. So if I can see it, I can record it (watch first amendment audits on YouTube)
              • by gweihir ( 88907 )

                Definitely different in Europe. If you record it in any way (your mind does not count as "recording"), the GDPR and other laws apply. CCTV _without_ recording is different.

            • Or you could try not committing crimes in your neighborhood.

            • by gweihir ( 88907 )

              May also be that you need written consent from your neighbor and any of their visitors. CCTV in public places is done with some kind of security exception, private citizens will not get that. Worst case, you even need written consent from the snail-mail-person and anybody else doing deliveries to you. You will definitely be prohibited from having the camera see any public space.

              In fact, nobody really knows what the full implications from the GDPR are, as it was (as usual) written by lawyers, not by people w

  • Vice is really rocking it these days, they've got a 24 hour cable channel on my system, and a website they cite here daily, and a good report of record on HBO.

    Thing is, they don't report all the news, they just report the "vices" as they call it. The fact they're on this story indicates there's some evil use of Ring cameras, and they're basically reporting that to the good people so they think of the problem.

    Seems like this is a little functionality to you, big gift to the local government in the form of do

  • by sphealey ( 2855 ) on Saturday December 21, 2019 @07:01PM (#59545918)

    I guess people thought the product was a standalone security system. Turns out that was just the loss leader and they were the product [1]. Who would have expected that from a company that Google found a good acquisition target?

    [1] also turns out their neighbors, who had no part and no say in the transaction, were the product too

    • Ring is Scumazon, not Scroogle, but otherwise, you're 100% spot-on.
    • by AmiMoJo ( 196126 )

      Ring is owned by Amazon. If it was Google they would be using Google accounts which are decently secure.

      People thought they were buying a cloud security system. That's the main selling point. You can watch it from anywhere, and you can join a social surveillance network of curtain twitchers in your local neighborhood. They knew exactly what they were getting.

      Their only mistake was to think that Amazon has competent security.

      • social surveillance network of curtain twitchers

        "Curtain twitchers". Perfect!

        You made me smile. Well done!

  • check a user's chosen password against known compromised user credentials

    This is a thing. Actually if there is a match, the user should be denied an account and asked to return the device.

    • by gweihir ( 88907 )

      check a user's chosen password against known compromised user credentials

      This is a thing. Actually if there is a match, the user should be denied an account and asked to return the device.

      Well, not really. Nobody selling to the general public would make much business with this. But forcing a password change would be the thing to do and checking the new password against the whole set of leaked passwords before accepting it would also be a good idea.

  • by RhettLivingston ( 544140 ) on Saturday December 21, 2019 @07:07PM (#59545930) Journal
    Ring cameras are very obviously, given the freedom with which they are sharing video with neighbors and police, an open public resource. There is thus little to no need for security. Everyone of any importance has access anyway. If you don't like that, don't buy one.
  • "Basic" redefined (Score:5, Insightful)

    by Rick Zeman ( 15628 ) on Saturday December 21, 2019 @07:35PM (#59545988)

    "Ring lacks basic security features, making it easy for hackers to turn the company's cameras against its customers," reports Motherboard:
    Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in -- entirely common security measures across a wealth of online services... Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password..."

    Those are hardly "basic security features." This is more of a hit job than anything else.

    • Ring's entire business model stinks to hell -- if it's a hit job, I say hit away.
• Yeah, what a horrible business model. They charge me about the same for a monitored security and fire alarm system as what I can get as a discount in my HO insurance. Horrible. And the camera on my porch, pointing at nothing private whatsoever but able to monitor my porch for things like package theft, also included in that above fee, let's burn them to the ground! GTFO
        • If your camera is only pointing at your porch, good on you. But how many fucking sheep are as scrupulous about others' privacy as you?
    • by jwymanm ( 627857 )
Yep, another week another anti Ring thing. Can't wait for the next report saying the CEO doesn't wash their hands after doing number 2 or doesn't donate 50% of profits to charities. Or my favorite, donates but to the wrong anti gay charities.
    • by AmiMoJo ( 196126 )

      Those are basic security features for anything beyond a throwaway forum account. Even some of those warn me when I use a new IP for the first time.

      It's really not acceptable to sell someone an internet connected camera and not help them secure it. Demand more corporate responsibility.

  • by Freischutz ( 4776131 ) on Saturday December 21, 2019 @08:15PM (#59546104)
    One Ring (Amazon Registered Trademark, all rights apply) for the Dark Lord Bezos on his dark throne
    In the Land of Amazon where the Shadows lie.
    One Ring (Amazon Registered Trademark, all rights apply) to rule them all,
    One Ring (Amazon Registered Trademark, all rights apply) to find them,
    One Ring (Amazon Registered Trademark, all rights apply) to bring them all,
    and in the darkness bind them under copyright, patent and trademark law,
    In the Land of Amazon where the Shadows lie.
  • Seriously. Everyone should go purchase a Ring, get it on your home network but NOT on your door. Somewhere in a closet or in a basement with a light shining on it. Together we'll find the epitome of goatse photos and aim all of our Rings at that. And just leave it there.

    • Absolutely, I think it's high time the world discovered the truth behind the Ring: an elaborate well organized scheme to bring goatse to Joe Sixpack, and for him to find that he can't take his eyes off of it. He'll wind up ordering another--for *research* of course. On their less-than-basic approach to security, etc.

  • Hint: It's not even scary. Don't spend a dime to feature the homeless of LA as paid extras on this one. Hello, Hollywood, are you even listening? Don't be reading Slashdot for story ideas (sheesh talk about bottom of the barrel stuff; you came to the right place)

• Security is "awful" when it's easy to compromise. This is not the case. The author could have rewritten the article as "Amazon could improve the security of their product by implementing some best practices we'd like them to have" but then he wouldn't have a clickbait headline. This constant use of exaggeration is rendering words useless and is deteriorating the quality of discourse, first online and then IRL.
  • by Tony Isaac ( 1301187 ) on Sunday December 22, 2019 @09:43AM (#59547196) Homepage

    So, I have a Nest Hello doorbell, not Ring, but the issues are similar, I'm sure.

My doorbell does its job. I can tell because every time I walk out or in, or my lawn service arrives, or a delivery comes, it alerts me that someone is at the door. It never misses.

    If someone with hacking skills cares enough about me to hack my doorbell, they probably will succeed. Who on earth would that be? And why would they do that?

    Somebody could hack my car, too. It takes, what, 30 seconds for a car thief to bypass the security measures and steal my car. Do I worry? Not really. Do I spend thousands on upgraded car security? No.

    Let's not hyperventilate. Sorry folks, you just aren't important enough to have somebody try to hack YOUR doorbell.

  • If you are a politician, beware. But if you're a "regular" person, why would anyone want to hack your doorbell? If somebody cares enough about _you_ to spend the time and effort, not to mention risking jail, to hack your doorbell, you are screwed. But before you hyperventilate, think about this: Who in the world has the skills, and the inclination, and the motive, to hack your specific doorbell?

  • ..their doorbells are shit too. I had one and had hundreds of great videos of the backs of people's heads as they walked away because the app takes forever to connect.
