Amazon Rolls Out Encryption For Ring Doorbells (zdnet.com)
Starting today in the U.S. (and other countries in the not too distant future), you'll be able to encrypt the video footage captured via your Ring devices. ZDNet reports: This is done with Amazon's Video End-to-End Encryption (E2EE). If you decide to install this optional privacy feature, you'll need to install a new version of the Ring application on your smartphone. Once installed, it uses a Public Key Infrastructure (PKI) security system based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.
Earlier, Ring already encrypted videos when they are uploaded to the cloud (in transit) and stored on Ring's servers (at rest). Law enforcement doesn't have automatic access to customer devices or videos. You choose whether or not to share footage with law enforcement. With E2EE, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer's enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device. In addition, you'll need to opt into using E2EE. It doesn't turn on automatically with the software update. You'll also need to set a passphrase, which you must remember. AWS doesn't keep a copy. If you lose it, you're out of luck. [Just know that if you use E2EE, various features will be missing, such as sharing your videos, being able to view encrypted videos on Ring.com, the Windows desktop app, the Mac desktop app, or the Rapid Ring app, and the Event Timeline. E2EE also won't work with many Ring devices.] ZDNet notes that while police can still ask for or demand your video and audio content, they won't be able to decrypt your E2EE end-to-end encrypted video "because the private keys required to decrypt the videos are only stored on customer's enrolled mobile devices."
Only viewable on the mobile device? (Score:2)
Waste of potential (Score:2)
This could have been a massively useful tool for rescue services.
Privacy isn't a concern for me when I'd willingly and openly share information, and I'd certainly be doing that if I could fucking trust the police.
Policing is getting way too complicated and nuanced to just keep going with the armed goon approach.
Re: (Score:2)
As long as your cameras are only pointing at your property, I have no problem with that, but I am not really interested in you sharing my privacy when I walk past your property.
Re: (Score:3)
Re: (Score:2)
Actually, you can. In my country, I have the right to not be randomly recorded, even in public.
You cannot reasonably expect to not be seen when you're in public. But you can reasonably expect to not be monitored and recorded with every step you take.
Re: (Score:2)
https://legalbeagle.com/860863... [legalbeagle.com]
Taking Photos in Public
If you stand in a public place, you can usually take a photo of anything you can see. That means in a public park, on a public beach, on a city street or in an outdoor spectacle, like a marathon, you can shoot photos to your heart's content. Take snaps of trees and sidewalks, yes, but go ahead and snap shots of people, too. Be a little careful however if you are using a telephoto lens. Just because your feet are on public land doesn't mean that you can shoot into private property.
Honoring Expectations of Privacy
If a person has a reasonable expectation of privacy in a location, even if it's public, you cannot take photos there. This includes public bathrooms and sports club locker rooms. It certainly includes private homes, including backyards and pool patios.
So if you're on a public sidewalk or street, you can be photographed without your consent. You could not, however be photographed in your home from the sidewalk or street.
In the UK there are a reported 4.2M surveillance cameras, or one for every 14 people. In principle th
Re: (Score:2)
if you can see it you can photograph it
You may not want to test that theory on a synagogue.
Re: (Score:2)
The road in front of them is.
Re: (Score:2)
Re: (Score:2)
Our law here generally states that yes, you cannot. The only exception is when you can credibly claim that the person is not the intended focus of the picture. If you take a picture of a cathedral, you will invariably have some people in the picture. That's permissive.
Trying to pull that off with a nondescript wall where your target "just happens" to be in front of will probably not fly.
Remember boys and girls (Score:5, Insightful)
If you don't control the encryption algorithms and method with code you can view, it's not really encrypted.
Re: (Score:3)
Once installed, it uses a Public Key Infrastructure (PKI) security system based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.
Translated from marketing English, they're throwing buzzwords and big numbers around to make it look like they're pretty damn secure. The devil is in the details though, and I pretty much guarantee an encryption bypass either within a couple of weeks when people get time to look at it or when the first conference paper on it is published.
Re: (Score:2)
Also:
Once installed, it uses a Public Key Infrastructure (PKI) security system based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.
Translated from marketing English, they're throwing buzzwords and big numbers around to make it look like they're pretty damn secure. The devil is in the details though, and I pretty much guarantee an encryption bypass either within a couple of weeks when people get time to look at it or when the first conference paper on it is published.
RSA, really?
I consider RSA to be a design smell in any new cryptosystem design. It's slow, has overly-large keys and using it correctly is surprisingly hard. None of these mean that RSA-based systems are necessarily weak, but there's just no reason to use RSA given the wide availability of better options, and that means that if you invite a competent cryptographer or cryptographic security engineer to design your system, they'll basically never use RSA.
So when you see RSA being used, it's a strong hint t
Re: (Score:2)
Re: (Score:2)
All of my professional academic cryptographer friends disagree with you.
Re: (Score:2)
academic cryptographer
In other words people whose target platform for the crypto is a whiteboard. This is why you need to get practitioners involved in the design process, otherwise you end up with mathematically elegant solutions that no-one can ever get working reliably in practice because they've abstracted away all the real-world issues.
Re: (Score:2)
So this means (Score:1)
Re: (Score:2)
You think the NSA is sharing that tech with local PDs chasing down Amazon porch pirates? And, all those PDs keep their mouths shut. And, no one will ever discover they obtained and cracked "encrypted" ring videos?
Re: (Score:2)
I first read it as (Score:1)
"Amazon Trolls Out-Encrypt Ring Doorbells"
Sounds like overkill (Score:3)
You don't need RSA to encrypt your video stream nor would you want to - it's too slow. It's not a stream cipher.
No, you use a stream cipher for real-time data. And, if you need to store it as a file, you can use a stronger block cipher like AES and convert it on the fly. However, that would entail sharing a key with the server. So, write the encrypted stream and be done with it. You can store the associated key for the file using RSA - still overkill.
RSA can be used to exchange the keys between the ring device and the mobile device. However, other algorithms are better for this purpose. And, why use RSA rather than Elliptic Curve when EC offers the same level of security with smaller keys? And, EC is generally faster.
Sounds more like they just wanted to "Wow" people by saying... "look at my key size, baby".
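The layout this comment describes, with a symmetric cipher for the footage and the asymmetric key used only to protect the per-file key, as an added Ruby example (not Ring's implementation and not code from the thread). AES-256-GCM, OAEP padding and the names `seal`, `unseal` and `demo` are assumptions chosen for illustration.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
CIPHER = "aes-256-gcm"

# Uploader side: encrypt the clip under a one-time AES key, then wrap that key
# to the enrolled phone's RSA public key. The returned hash is all a server holds.
def seal(phone_public_key, clip)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  content_key = cipher.random_key # fresh 256-bit key, used for this clip only
  nonce = cipher.random_iv        # 96-bit GCM nonce
  cipher.auth_data = ""
  ciphertext = cipher.update(clip) + cipher.final
  { wrapped_key: phone_public_key.public_encrypt(content_key, OAEP),
    nonce: nonce, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Phone side: unwrap the content key with the private key, then verify and decrypt.
# Returns nil if the private key does not match or any stored field was altered.
def unseal(phone_private_key, envelope)
  content_key = phone_private_key.private_decrypt(envelope[:wrapped_key], OAEP)
  decipher = OpenSSL::Cipher.new(CIPHER).decrypt
  decipher.key = content_key
  decipher.iv = envelope[:nonce]
  decipher.auth_tag = envelope[:tag]
  decipher.auth_data = ""
  decipher.update(envelope[:ciphertext]) + decipher.final
rescue OpenSSL::OpenSSLError, ArgumentError
  nil
end

# Constructed sample data: throwaway 2048-bit key pairs and a short stand-in clip.
def demo
  phone = OpenSSL::PKey::RSA.new(2048)
  stranger = OpenSSL::PKey::RSA.new(2048)
  envelope = seal(phone.public_key, "constructed sample clip bytes")
  flipped = envelope[:ciphertext].dup
  flipped.setbyte(0, flipped.getbyte(0) ^ 1) # one bit changed in storage
  { wrapped_key_bytes: envelope[:wrapped_key].bytesize,
    owner: unseal(phone, envelope),
    stranger: unseal(stranger, envelope),
    tampered: unseal(phone, envelope.merge(ciphertext: flipped)) }
end

p demo if $PROGRAM_NAME == __FILE__
```

The RSA operation touches only the 32-byte content key, so its cost is the same for a short clip or a long one; the wrapped key is one modulus in size (256 bytes for RSA-2048).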
My doorbell can't be hacked remotely. (Score:3)
-Oldie but goody.
Re: (Score:2)
As a bonus, if you have one made of metal you can connect it directly to AC and then it also serves as a door-to-door salesmen deterrent.
Re: (Score:2)
I advise against it. The pile of rotting corpses in front of your door is not only a salesman deterrent, it also isn't really something the HOA is looking favorably at.
And do you know what corpse removal services cost? Besides, the people you're dealing with are among those that you want to press the doorbell themselves...
Re: (Score:2)
Re: (Score:2)
Salesmen usually enjoy air conditioning. Especially the door-to-door types.
Re: (Score:2)
My TV remote never needs batteries. I just get up and change the dial.
Sometimes convenience is pretty cool. And there are plenty of Ring equivalents without the privacy concerns (that don't connect to any cloud.)
Good (Score:2)
I would only hand over video to the popos if it is to investigate a serious violent crime such as rape or homicide, and that too only for a specific time or per warrant.. all other investigations can fuck off.
No thank you (Score:2)
Why would I buy something that's already obsolete by design?
No Thread/Matter, no sale!
Re: (Score:2)
No, it's like with the cell phones, you're paying to get spied on.
What happens if you lose the phone? (Score:2)
"[T]he private keys required to decrypt the videos are only stored on customer's enrolled mobile devices." If you only have one phone and it is destroyed/lost/stolen, do you lose access to that data?
wait what? (Score:2)
You mean to say, they were sending data in the CLEAR all this time? Wow, that's so... last century.
Re: (Score:1)
Re: (Score:2)
I know reading the article is not allowed, but that's actually covered in the summary. No, the data wasn't in the clear, it was just encrypted with keys that Amazon knew. This feature is for encrypting with keys that (supposedly) Amazon doesn't know.
Ok, understood, and yes, you're right, I didn't read the article.
So now the question was, who thought encrypting every device with the same keys was a good idea? That's almost like leaving it at the default password.
Re: (Score:1)
"keys that amazon knows" is not the same thing as "encrypting every device with the same keys"
Maybe amazon knows a lot of keys?
Re: wait what? (Score:2)
maybe. but is that the way to bet?
So,,, when did vendors realize... (Score:2)
Insecurity. (Score:2)
Ah no... Of course they can decrypt it (Score:2)
That the key is only installed on your device, assuming it's true, only means that they can't decrypt the video if you pull the ring offline quick enough. They have a command and control link to their device and obviously they can request the device to give them the key.
This is just marketing and damage control.
Key backup? (Score:2)
This idea appears to rely on you continuing to possess the same mobile device and it continuing to work, without any way for you to back up these keys. I think the disadvantage is obvious.
Preventing wide-ranging Police fishing expeditions is an obvious advantage.
Re: (Score:1)
As in physical comedy when someone has a car crash (Score:2)
and right after the airbag triggers.
Unfortunately they also encrypted the bell tune... (Score:3)
when breaking into a "ring" house... (Score:2)
"[T]he private keys required to decrypt the videos are only stored on customer's enrolled mobile devices."
Step 1: Kick the door in and find the occupants.
Step 2: Smash their phone destroying the ability to view any video evidence from step 1.
Step 3: Profit
Silly question (Score:2)