Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Businesses Mozilla Privacy Google

Mozilla's Annual Buyer's Guide Rates Amazon and Google Security Cameras 'Very Creepy' (which.co.uk) 40

"Be Smart. Shop Safe," warns Mozilla's annual buyer's guide for secure connected products. Based on their conversations with developers and dozens of privacy experts, they've awarded smiley faces with different expressions to rate products from "Not Creepy" up to "Super Creepy".

"While the variety of smart devices on offer is rapidly increasing, so are the number of products that pay no heed to even basic security measures..." notes the editor of Mozilla's Internet Health Report. "Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it's worrying that more are not upfront about the privacy and security of their products."

Or, as The Next Web writes, "god bless Mozilla for having our lazy backs." And, well, if you're a user of any Ring cameras⦠we're sorry. Basically, there are five things that every product must do:

- Have automatic security updates, so they're protected against the newest threats

- Use encryption, meaning bad actors can't just snoop on your data

- Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible

- Require users to change the default password (if applicable), because that makes devices far harder to access

- Privacy policies -- ones that relate to the product specifically, and aren't just generic

Doesn't seem too much to ask right...? Well, of the 76 devices Mozilla selected, 60 of them passed this test... And what devices didn't meet the criteria?

There were nine of them overall (including the Artie 3000 Coding Robot and the Wemo Wifi Smart Dimmer), but the real loser in this test is the Amazon-owned Ring. Three of the company's products (which is effectively all of their major devices) didn't meet Mozilla's criteria. Yes, that's right, the Ring Video Doorbell, Ring Indoor Cam, and Ring Security Cam all didn't meet minimum standards for security.... The main reasons for not meeting this criteria is due Ring's history with poor encryption policies, and vulnerability management.

To be fair, Nest Cam's Indoor and Outdoor Security Cameras and Google Home also fell into the "Very Creepy" category -- and so did Amazon's Echo smart speakers. (The Amazon Echo Show even made it into Mozilla's highest "Super Creepy" category, where the only other product was Facebook Portal.) But at least the Nest Hello Video doorbell only appears in Mozilla's "Somewhat Creepy" category.

"Just because something on your wishlist this year connects to the internet, doesn't mean you have to compromise on privacy and security..." warns the editor of Mozilla's Internet Health Report. And in addition, "Fitness trackers designed for kids as young as 4 years old, raise questions about what we are teaching our children about how much digital surveillance in their lives is normal." Going forward, they suggest that we push for better privacy regulations -- and that whenever we rate products on performance and price, we should also rate them on their privacy and security.

But in the meantime, as Mozilla explained on Twitter, "Friends don't let friends buy creepy gifts."
This discussion has been archived. No new comments can be posted.

Mozilla's Annual Buyer's Guide Rates Amazon and Google Security Cameras 'Very Creepy'

Comments Filter:
  • by war4peace ( 1628283 ) on Monday November 25, 2019 @03:40AM (#59450984)

    I have been looking for a local surveillance camera for my house. By that I mean a wireless camera which does NOT connect to the Internet, is NOT managed through cloud or whatever maker specific app, does NOT send data to the Internet and has strong wireless security. I am yet to find one.

    • by AHuxley ( 892839 ) on Monday November 25, 2019 @05:00AM (#59451082) Journal
      That would be CCTV? With a C for "closed"
      Try your own ethernet to stop any "strong wireless security" questions.
      Camera, ethernet and some secure storage?
      • Wires are not an option, unless I want my courtyard to look like a B-movie giant spider web. Alternatively, the cost of burying them would be insane.

        • by AHuxley ( 892839 )
          Re 'Wires are not an option' then the risk of some failed but sold as "strong wireless security" will stay a problem.
          Re "giant spider web"... ethernet fits in most walls. With some range of camera to look out over a "'courtyard"...
          Re "cost of burying" per ethernet camera is not that expensive.
      • by AmiMoJo ( 196126 ) on Monday November 25, 2019 @07:57AM (#59451440) Homepage Journal

        You might as well use ethernet because you are going to need to power the thing with a wire anyway. So just use PoE for power and data.

    • by LubosD ( 909058 )
      I don't see the problem. WPA3 isn't really a thing yet, so WPA2 is your only choice, and if you fear it may call home, block the device on your router.

      Pretty much every IP camera I've seen can provide a RTSP stream for your recording system.

      But I would anyway prefer a PoE-powered device over anything wireless.

    • by JaredOfEuropa ( 526365 ) on Monday November 25, 2019 @05:57AM (#59451186) Journal
      It's getting harder to find good ones that are affordable. An increasing number of cameras from brands like D-Link now *require* a connection to the Internet.

      I'm using a couple of different brands: Alhua, Foscam, Amcrest. When I buy them I look for a couple of things:
      - Supports standards, i.e. I can just pull an RTSP stream off the camera, instead of it only having a web interface or (worse) only being accessible through an app or portal
      - Can be set up through a web interface. No portals, no apps, and certainly no software I need to install on my PC
      - Does not need an internet connection
      - Either wired with PoE, or wireless operation.

      The cams have their own WiFi network and are on a separate VLAN, which is blocked from everything in house and outside. The only thing they can access is a NUC running a BlueCherry server.
      Oh, and when I am at home, the indoor cams are physically disconnected from power. So another requirement is that they don't go nuts when powered down for extended periods of time.
    • Every ONVIF compatible camera could work for you is you're willing to block it's internet access.

      • Every ONVIF compatible camera could work for you is you're willing to block it's internet access.

        It is not willing, it is a MUST. ONVIF is evil - it is SOAP and most implementations on chinese cameras are written by an idiot in PHP. Example - some of my own tests: https://www.kot-begemot.co.uk/... [kot-begemot.co.uk]

    • I have been looking for a local surveillance camera for my house. By that I mean a wireless camera which does NOT connect to the Internet, is NOT managed through cloud or whatever maker specific app, does NOT send data to the Internet and has strong wireless security. I am yet to find one.

      I have a CCTV system based around motion which uses stock raspberry Pi cameras, ELP modules and two different types of network cameras. It's been in use since ~ 2007 or thereabouts (the first version was using Via C5 mini-ITX and a webcams).

      Just pick any camera you want from Amazon, put them on a firewalled segment and try it. If it does not want to work without access to the wider internet pack it and return it. There are a couple of better software suites than motion too nowdays.

      I use Ctronics (which

      • Just pick any camera you want from Amazon, put them on a firewalled segment and try it. If it does not want to work without access to the wider internet pack it and return it.

        Even if I lived in a country where Amazon does have a presence (which I don't), I am not willing to play "trial and error" with IP cameras. I need at least 5 cameras to cover my property: 1x top of the house (front), 1x top of the house (back), 1x garage door, 1x main courtyard door and 1x on a fence corner facing towards the garage and main door. Ethernet is possible for the cameras located on top of the house and for the garage door camera, but not the others, so the solution was to set up an isolated wir

    • by AmiMoJo ( 196126 )

      There are plenty of wifi/ethernet cameras that don't need an internet connection to work. You can put them on a separate network that can't access the internet at all.

      If you are really paranoid then get some of those fake CCTV cameras, rip the guts out and install a Raspberry Pi with camera module. It won't be as good as a proper CCTV camera but you can be sure it's not doing anything you don't want it to.

    • What about raspi with a camera? Cheap, small, low power, ballsy enough to run yolo and recognize objects. Even has PoE now, doesn't it? You don't have to use a Pi cam either, just plug in a USB one. Buying off the shelf is convenient, but you generally have to trade something more than money for that convenience.

  • Enjoy the ads, live mic and that gov direct 1984 camera feeing.
  • by Powercntrl ( 458442 ) on Monday November 25, 2019 @05:07AM (#59451108) Homepage

    Plug the "smart speaker" into a smart switch [walmart.com] and schedule it to only be on when you don't mind Bezos listening in. You can also set up a routine to have it kill the power to itself (I recommend "Alexa, begone!")

    Granted, you'll need to manually turn the power back on via the smartphone app when you want to use your smart speaker again, but it is what it is.

    • by tsa ( 15680 )

      You know that in practice this is the same as chucking the Echo. But not before lending it to the people from the Hydraulic Press Channel or driving over it at high speed with your car.

      • You know that in practice this is the same as chucking the Echo. But not before lending it to the people from the Hydraulic Press Channel or driving over it at high speed with your car.

        That will not remove all the private data from it as it is not on it - it is with Amazon. Just say no from the start.

        My basic test for any "smart" gadget is "does it work on a firewalled segment with no cloud access?". If yes, it may be used. If no, it goes in a box and goes back for a refund.

      • by Miser ( 36591 )

        This speak-er may at-tack at any mohment.

        Vee must deeel vit it.

  • by BAReFO0t ( 6240524 ) on Monday November 25, 2019 @05:58AM (#59451188)

    But you gave up on being a person.

    And chose to be a drone entity of a larger swarm body, for convenience over individuality.
    More like a limb of a kraken.

    Surprisingly, I'm not even judging.
    The cells in my body also chose to not be single-celled organisms.
    For the same values of "chose". (Not 'having to' choose, is the point, after all.)

    Maybe that form of life is more successful ... Teamwork certainly is.

    Then again, it is single-celled organisms that number the most, by far, and that eradiciate the most human beings. ;)

    • And oddly people like you carry mobile phones with video and audio everywhere and are tracked 24x7, but as soon as someone shows you a security camera you freak out. Don't understand it myself. What is it about a $99 battery powered cheap camera that takes short video clips that freaks everyone out? It has a range of about 10 meters. There are an infinite number of other security cameras on the market with better range that record 24x7.

      • The main reasons for not meeting this criteria is due Ring's history with poor encryption policies, and vulnerability management.

        This I understand as a problem, all the stuff about them cooperating with law enforcement not so much.

        "I went on vacation and ADT caught someone breaking into my house, helped the police catch them, and recover my stuff" happens all the time and it's not national news. If Ring does you hear about it because it's Amazon and they have to make it sound sketchy because controversy sells.

  • by ethanms ( 319039 ) on Monday November 25, 2019 @06:57AM (#59451274)

    Internet connected cameras in your home are obviously creepy, anyone who doesn't recognize streaming their living room or children's room's to public faced servers as creepy is dangerously high ignorant.

    Always on listening home assistants many people think they're creepy, but most are willing to ignore that because they have mute buttons (if you trust a soft button) and most importantly you can unplug their power.

    Nightmare creepy, IMO, are these listening devices being embedded into thermostats (Google in Nest and Amazon in ecobee), smoke alarms, hardwired wall switches, and other devices which can't be easily powered off? and if you were to do so you'd lose critical functionality like maintaining above freezing temperatures or fire detection.

    That to me is "the line" -- if the listening/watching ability is being built into something that gets placed out of reach and into something that is effectively impossible to cut power to without material repercussion.

    • I've talked to multiple people about those Nest thermostats and still don't get the point over a programmable one. I guess I don't fuss with mine enough once programmed to care about using my phone to adjust it. Otherwise, yes, I tend to agree. My wife has a kindle, and it has a 'whispernet' feature where it downloads books you buy over 3G for free. You don't set this up, or pay extra, so the cost of the connection must be negligible. I assume that devices will start including 3G or LTE modems without
    • by AmiMoJo ( 196126 )

      Mozilla has a smart cat litter tray on their list of very creepy items. Some company thinks it's worth spying on your cat's defecation habits, probably to sell you more DRM protected cat litter or some such BS.

      • Some company thinks it's worth spying on your cat's defecation habits

        If a company were going to really spy on *my* cat's defecation habits, they'd have to install cameras in every corner of the house.

    • Donâ(TM)t fotget smart TVs, the creepiest of them all

  • The review doesn't consider the Lego Star Wars boost Droid Commander toys as meeting minimum security because they don't know if it is encrypted. Why the heck would I encrypt a toy that uses bluetooth and isn't on at all times? Most toy RC trucks aren't encrypted either, but nobody wanta to commandeer a kids toy. I appreciate consistency in the review, but they really need a category for "N/A who cares" on some of these security requirements.

    • Likewise the Artie3000. My wife bought me one - as far as I can see, it doesn't use the Internet *at all*, and seems to use (although perhaps doesn't demand) passwords on the wifi. The programs you write get stored in internal memory, and it doesn't ask any personal information at all - so even if all my programs go astray, there's nothing of any real value there.

      I'm not saying it's awesomely great, but as far as I can see, it's "good enough". It doesn't need to be Fort Knox, because it's not on all the tim

  • These reviews aren't professional. They must be done by horny teenagers because they couldnt review the dimmer without making multiple inappropriate innuendos.

    • All part of the new journalism style. How many times a day do you see articles that start out saying "Blah blah: What you need to know". Or how about "Blah blah: Everything we know so far". Can't anyone write a normal story and let me decide on how to process the contents?

  • I find it interesting that devices can meet their requirements but still be considered creepy. They almost need to break these results out better (but that wouldn't generate clicks!) to good security practices vs business practices/potential for abuse. The concern in the wording seems to be that people may review what you've said to your device (Echo Show for example). Perhaps I'm too technical so I understand that, but I find the reviews seem to be a weird mix of technical info and FUD. Why come up wit
  • ...browsers that send your data to anyone that pays for it? What about mobile phones who track you 24x7 and do the same? Are those considered "creepy" or just "normal" now?

  • by Voyager529 ( 1363959 ) <voyager529@yahoo. c o m> on Monday November 25, 2019 @09:23AM (#59451758)

    - Have automatic security updates, so they're protected against the newest threats

    This is a good one in theory, but in practice, I'm not so sure. Auto updates have been abused in the past. From the Nest Hub downloading its update that turns it into a brick, to Windows 7 users waking up to Windows 10 on their computer without truly informed consent, automatic updates should be *available*, but *optional*. Also, it should be entirely possible for end users to install their own software if they wish. Off-the-shelf routers that can be flashed with DD-WRT are becoming a bit of an endangered species, and for many routers, it's far more secure than the most recent first party firmware. Many Android handsets can be flashed with Lineage or another custom ROM which is newer than the latest OEM release.

    Getting a bit more philosophical, there's a bigger issue with assuming perpetual software updates. At some point, they will stop, and "latest" doesn't always mean "best" or "most secure", either.

    - Use encryption, meaning bad actors can't just snoop on your data

    Well, yes...but fundamentally, encryption doesn't help if the data is being sent to the people who hold the second set of keys. Ring doorbells could adhere to this list perfectly, yet local law enforcement can get footage from them, without a warrant. Whether it's because Amazon gives them direct access, or because Amazon has an "ask nicely" department, 4096-bit SHA-512 encryption is pointless because 'someone sniffing the network traffic' is nowhere near the same level of practical threat as 'a police force that gets warrantless video and audio streams from citizens'.

    - Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible

    That only works if the software itself is user-facing. Nest works with an appy-app and a Google account, and that's about it. Yes, every so often someone will buffer overflow one of these or something, but the fact that many of them are black boxes means it's even harder to analyze the software for vulnerabilities.

    - Require users to change the default password (if applicable), because that makes devices far harder to access

    This one is pretty fair, though I'd submit that some sort of fail2ban option goes hand in hand with this and isn't stipulated.

    - Privacy policies -- ones that relate to the product specifically, and aren't just generic

    Privacy policies have bigger issues with weasel language. There have been stories of Alexa recordings being used in court when the trigger word wasn't said. Amazon completely complied with their privacy policy because they heeded a subpoena (which is a reasonable exception), but recording audio when recording wasn't consented to in the first place is both compliant with the privacy policy, and a load of crap because it's compliant with the privacy policy.

    Ring doesn't seem to have much of an opt-out clause where someone can express to Amazon that the footage captured cannot be disclosed to local PD without a specific warrant. Even if Nest isn't selling my thermostat timings to other companies (i.e. windows of time when I'm home vs. when I'm not), if it is used even indirectly to track or advertise to me, it's still troubling and undesirable while also being completely Privacy Policy compliant. I'm completely sidestepping companies that don't follow their privacy policy or end up leaking data in a breach.

    This brings me to my final issue with these smart devices: their reliance on transmitting data to someone else in the first place. Devices should be capable of performing at least some task without internet access. Alexa speakers could understandably be unable to be a smart assistant without an internet connection, but they should have a mode where they can be generic Bluetooth speakers, or work over Wi-Fi like a Sonos. Ring doorbells should be able to run as

    • I'd like to add one to your list of malicious updates: the PS3 update that removed the Other OS feature (that was advertised on the box). They lost a class action over that recently, I'm sure the $2 check will make the loss of a major feature on a $600 device purchased ten years ago sting a bit less.

      Doing updates in a pro-consumer way isn't that hard, it's just businesses choose to do things in ways that fuck over the consumer. Windows used to have a great update system, you could set it to notify but no
  • Now it is 1984, knock-knock-knockin' at your front door... Close your eyes can't happen here, Big Bro on white horse is near...

You know you've landed gear-up when it takes full power to taxi.

Working...