Mozilla's Annual Buyer's Guide Rates Amazon and Google Security Cameras 'Very Creepy' (which.co.uk) 40
"Be Smart. Shop Safe," warns Mozilla's annual buyer's guide for secure connected products. Based on their conversations with developers and dozens of privacy experts, they've awarded smiley faces with different expressions to rate products from "Not Creepy" up to "Super Creepy".
"While the variety of smart devices on offer is rapidly increasing, so are the number of products that pay no heed to even basic security measures..." notes the editor of Mozilla's Internet Health Report. "Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it's worrying that more are not upfront about the privacy and security of their products."
Or, as The Next Web writes, "god bless Mozilla for having our lazy backs." And, well, if you're a user of any Ring cameras... we're sorry. Basically, there are five things that every product must do:
- Have automatic security updates, so they're protected against the newest threats
- Use encryption, meaning bad actors can't just snoop on your data
- Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible
- Require users to change the default password (if applicable), because that makes devices far harder to access
- Privacy policies -- ones that relate to the product specifically, and aren't just generic
Doesn't seem too much to ask right...? Well, of the 76 devices Mozilla selected, 60 of them passed this test... And what devices didn't meet the criteria?
There were nine of them overall (including the Artie 3000 Coding Robot and the Wemo Wifi Smart Dimmer), but the real loser in this test is the Amazon-owned Ring. Three of the company's products (which is effectively all of their major devices) didn't meet Mozilla's criteria. Yes, that's right, the Ring Video Doorbell, Ring Indoor Cam, and Ring Security Cam all didn't meet minimum standards for security.... The main reasons for not meeting this criteria is due to Ring's history with poor encryption policies, and vulnerability management.
To be fair, Nest Cam's Indoor and Outdoor Security Cameras and Google Home also fell into the "Very Creepy" category -- and so did Amazon's Echo smart speakers. (The Amazon Echo Show even made it into Mozilla's highest "Super Creepy" category, where the only other product was Facebook Portal.) But at least the Nest Hello Video doorbell only appears in Mozilla's "Somewhat Creepy" category.
"Just because something on your wishlist this year connects to the internet, doesn't mean you have to compromise on privacy and security..." warns the editor of Mozilla's Internet Health Report. And in addition, "Fitness trackers designed for kids as young as 4 years old, raise questions about what we are teaching our children about how much digital surveillance in their lives is normal." Going forward, they suggest that we push for better privacy regulations -- and that whenever we rate products on performance and price, we should also rate them on their privacy and security.
But in the meantime, as Mozilla explained on Twitter, "Friends don't let friends buy creepy gifts."
Local surveillance camera (Score:5, Insightful)
I have been looking for a local surveillance camera for my house. By that I mean a wireless camera which does NOT connect to the Internet, is NOT managed through cloud or whatever maker specific app, does NOT send data to the Internet and has strong wireless security. I am yet to find one.
Re:Local surveillance camera (Score:5, Informative)
Try your own ethernet to stop any "strong wireless security" questions.
Camera, ethernet and some secure storage?
Re: (Score:2)
Wires are not an option, unless I want my courtyard to look like a B-movie giant spider web. Alternatively, the cost of burying them would be insane.
Re: (Score:1)
Re "giant spider web"... ethernet fits in most walls. With some range of camera to look out over a "courtyard"...
Re "cost of burying" per ethernet camera is not that expensive.
Re:Local surveillance camera (Score:5, Informative)
You might as well use ethernet because you are going to need to power the thing with a wire anyway. So just use PoE for power and data.
Re: (Score:3)
Pretty much every IP camera I've seen can provide a RTSP stream for your recording system.
But I would anyway prefer a PoE-powered device over anything wireless.
Re: (Score:3)
Re:Local surveillance camera (Score:5, Informative)
I'm using a couple of different brands: Alhua, Foscam, Amcrest. When I buy them I look for a couple of things:
- Supports standards, i.e. I can just pull an RTSP stream off the camera, instead of it only having a web interface or (worse) only being accessible through an app or portal
- Can be set up through a web interface. No portals, no apps, and certainly no software I need to install on my PC
- Does not need an internet connection
- Either wired with PoE, or wireless operation.
The cams have their own WiFi network and are on a separate VLAN, which is blocked from everything in house and outside. The only thing they can access is a NUC running a BlueCherry server.
Oh, and when I am at home, the indoor cams are physically disconnected from power. So another requirement is that they don't go nuts when powered down for extended periods of time.
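Added example, not part of the comment above: one way to check that a camera VLAN like the one described really only talks to the recorder is to log camera-initiated traffic at the gateway and audit it. The addresses, the `CAM` log prefix and the abbreviated netfilter-style log lines below are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing, not taken from the thread.
CAMERA_NET = ipaddress.ip_network("192.168.30.0/24")   # camera VLAN
RECORDER = ipaddress.ip_address("192.168.10.5")        # only host cameras may reach
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# key=value fields in the style written by the netfilter LOG target
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed, abbreviated sample; public destinations are documentation ranges.
SAMPLE_LOG = """\
Dec  1 10:00:01 gw kernel: CAM IN=vlan30 OUT=eth0 SRC=192.168.30.11 DST=203.0.113.7 PROTO=TCP SPT=40112 DPT=443
Dec  1 10:00:02 gw kernel: CAM IN=vlan30 OUT=vlan10 SRC=192.168.30.11 DST=192.168.10.5 PROTO=TCP SPT=40113 DPT=21
Dec  1 10:00:05 gw kernel: CAM IN=vlan30 OUT=vlan10 SRC=192.168.30.12 DST=192.168.10.20 PROTO=TCP SPT=51000 DPT=445
Dec  1 10:00:06 gw kernel: CAM IN=vlan30 OUT=eth0 SRC=192.168.30.12 DST=198.51.100.53 PROTO=UDP SPT=3341 DPT=53
Dec  1 10:00:09 gw kernel: CAM IN=vlan30 OUT=eth0 SRC=192.168.30.11 DST=203.0.113.7 PROTO=TCP SPT=40120 DPT=443
Dec  1 10:00:11 gw kernel: CAM IN=vlan30 OUT= SRC=192.168.30.13 DST=239.255.255.250 PROTO=UDP SPT=1900 DPT=1900
Dec  1 10:00:12 gw kernel: CAM IN=vlan30 OUT=eth0 SRC=192.168.30.12 DST=198.51.100.9 PROTO=ICMP TYPE=8 CODE=0
Dec  1 10:00:15 gw kernel: CAM IN=vlan10 OUT=vlan30 SRC=192.168.10.20 DST=192.168.30.11 PROTO=TCP SPT=55000 DPT=80
Dec  1 10:00:16 gw dhcpd: unrelated line
"""

def classify(dst):
    """Label a destination relative to the 'recorder only' policy."""
    if dst == RECORDER:
        return "allowed"
    if dst.is_multicast or dst in CAMERA_NET:
        return "local-noise"          # SSDP/mDNS and subnet broadcast chatter
    if any(dst in net for net in RFC1918):
        return "lan"                  # camera reaching into the house network
    return "internet"

def audit(log_text):
    """Map each camera IP to the sorted, de-duplicated flows outside the policy."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue                  # not a flow record
        if src not in CAMERA_NET:
            continue                  # only camera-initiated traffic matters here
        kind = classify(dst)
        if kind != "allowed":
            seen[str(src)].add((kind, str(dst),
                                f.get("PROTO", "?"), f.get("DPT", "-")))
    return {cam: sorted(flows) for cam, flows in seen.items()}

def phones_home(report):
    """Cameras that tried to reach a public address."""
    return sorted(cam for cam, flows in report.items()
                  if any(kind == "internet" for kind, *_ in flows))

if __name__ == "__main__":
    for cam, flows in sorted(audit(SAMPLE_LOG).items()):
        for kind, dst, proto, dport in flows:
            print(f"{cam:15} {kind:11} {dst:16} {proto}/{dport}")
```

The RFC 1918 ranges are listed explicitly because `ipaddress`'s `is_private` also returns true for the documentation ranges used in the sample.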
Re: Local surveillance camera (Score:2)
Every ONVIF compatible camera could work for you if you're willing to block its internet access.
Re: (Score:2)
Every ONVIF compatible camera could work for you if you're willing to block its internet access.
It is not willing, it is a MUST. ONVIF is evil - it is SOAP and most implementations on Chinese cameras are written by an idiot in PHP. Example - some of my own tests: https://www.kot-begemot.co.uk/... [kot-begemot.co.uk]
Re: (Score:2)
I have been looking for a local surveillance camera for my house. By that I mean a wireless camera which does NOT connect to the Internet, is NOT managed through cloud or whatever maker specific app, does NOT send data to the Internet and has strong wireless security. I am yet to find one.
I have a CCTV system based around motion which uses stock raspberry Pi cameras, ELP modules and two different types of network cameras. It's been in use since ~ 2007 or thereabouts (the first version was using Via C5 mini-ITX and a webcams).
Just pick any camera you want from Amazon, put them on a firewalled segment and try it. If it does not want to work without access to the wider internet pack it and return it. There are a couple of better software suites than motion too nowadays.
I use Ctronics (which
Re: (Score:2)
Just pick any camera you want from Amazon, put them on a firewalled segment and try it. If it does not want to work without access to the wider internet pack it and return it.
Even if I lived in a country where Amazon does have a presence (which I don't), I am not willing to play "trial and error" with IP cameras. I need at least 5 cameras to cover my property: 1x top of the house (front), 1x top of the house (back), 1x garage door, 1x main courtyard door and 1x on a fence corner facing towards the garage and main door. Ethernet is possible for the cameras located on top of the house and for the garage door camera, but not the others, so the solution was to set up an isolated wir
Re: (Score:2)
There are plenty of wifi/ethernet cameras that don't need an internet connection to work. You can put them on a separate network that can't access the internet at all.
If you are really paranoid then get some of those fake CCTV cameras, rip the guts out and install a Raspberry Pi with camera module. It won't be as good as a proper CCTV camera but you can be sure it's not doing anything you don't want it to.
Re: (Score:2)
What about raspi with a camera? Cheap, small, low power, ballsy enough to run yolo and recognize objects. Even has PoE now, doesn't it? You don't have to use a Pi cam either, just plug in a USB one. Buying off the shelf is convenient, but you generally have to trade something more than money for that convenience.
The PRISM brands (Score:2)
Easy fix for Echo speakers (Score:5, Funny)
Plug the "smart speaker" into a smart switch [walmart.com] and schedule it to only be on when you don't mind Bezos listening in. You can also set up a routine to have it kill the power to itself (I recommend "Alexa, begone!")
Granted, you'll need to manually turn the power back on via the smartphone app when you want to use your smart speaker again, but it is what it is.
Re: (Score:2)
You know that in practice this is the same as chucking the Echo. But not before lending it to the people from the Hydraulic Press Channel or driving over it at high speed with your car.
Re: (Score:3)
You know that in practice this is the same as chucking the Echo. But not before lending it to the people from the Hydraulic Press Channel or driving over it at high speed with your car.
That will not remove all the private data from it as it is not on it - it is with Amazon. Just say no from the start.
My basic test for any "smart" gadget is "does it work on a firewalled segment with no cloud access?". If yes, it may be used. If no, it goes in a box and goes back for a refund.
Re: Easy fix for Echo speakers (Score:2)
Oh, I presumed it was a new device you just bought or got. But you're right of course.
Re: (Score:2)
This speak-er may at-tack at any mohment.
Vee must deeel vit it.
If you have a Ring camera, you already know this. (Score:3)
But you gave up on being a person.
And chose to be a drone entity of a larger swarm body, for convenience over individuality.
More like a limb of a kraken.
Surprisingly, I'm not even judging.
The cells in my body also chose to not be single-celled organisms.
For the same values of "chose". (Not 'having to' choose, is the point, after all.)
Maybe that form of life is more successful ... Teamwork certainly is.
Then again, it is single-celled organisms that number the most, by far, and that eradicate the most human beings. ;)
Re: (Score:2)
And oddly people like you carry mobile phones with video and audio everywhere and are tracked 24x7, but as soon as someone shows you a security camera you freak out. Don't understand it myself. What is it about a $99 battery powered cheap camera that takes short video clips that freaks everyone out? It has a range of about 10 meters. There are an infinite number of other security cameras on the market with better range that record 24x7.
Re: (Score:2)
The main reasons for not meeting this criteria is due to Ring's history with poor encryption policies, and vulnerability management.
This I understand as a problem, all the stuff about them cooperating with law enforcement not so much.
"I went on vacation and ADT caught someone breaking into my house, helped the police catch them, and recover my stuff" happens all the time and it's not national news. If Ring does you hear about it because it's Amazon and they have to make it sound sketchy because controversy sells.
Creepy vs Nightmare Creepy (Score:5, Insightful)
Internet connected cameras in your home are obviously creepy, anyone who doesn't recognize streaming their living room or children's rooms to public faced servers as creepy is dangerously high ignorant.
Always on listening home assistants many people think they're creepy, but most are willing to ignore that because they have mute buttons (if you trust a soft button) and most importantly you can unplug their power.
Nightmare creepy, IMO, are these listening devices being embedded into thermostats (Google in Nest and Amazon in ecobee), smoke alarms, hardwired wall switches, and other devices which can't be easily powered off? and if you were to do so you'd lose critical functionality like maintaining above freezing temperatures or fire detection.
That to me is "the line" -- if the listening/watching ability is being built into something that gets placed out of reach and into something that is effectively impossible to cut power to without material repercussion.
Re: (Score:2)
Re: (Score:2)
Mozilla has a smart cat litter tray on their list of very creepy items. Some company thinks it's worth spying on your cat's defecation habits, probably to sell you more DRM protected cat litter or some such BS.
Re: (Score:3)
Some company thinks it's worth spying on your cat's defecation habits
If a company were going to really spy on *my* cat's defecation habits, they'd have to install cameras in every corner of the house.
Re: Creepy vs Nightmare Creepy (Score:1)
Don't forget smart TVs, the creepiest of them all
Lego security? (Score:2)
The review doesn't consider the Lego Star Wars boost Droid Commander toys as meeting minimum security because they don't know if it is encrypted. Why the heck would I encrypt a toy that uses bluetooth and isn't on at all times? Most toy RC trucks aren't encrypted either, but nobody wants to commandeer a kid's toy. I appreciate consistency in the review, but they really need a category for "N/A who cares" on some of these security requirements.
Re: (Score:2)
Likewise the Artie3000. My wife bought me one - as far as I can see, it doesn't use the Internet *at all*, and seems to use (although perhaps doesn't demand) passwords on the wifi. The programs you write get stored in internal memory, and it doesn't ask any personal information at all - so even if all my programs go astray, there's nothing of any real value there.
I'm not saying it's awesomely great, but as far as I can see, it's "good enough". It doesn't need to be Fort Knox, because it's not on all the tim
Sexual innuendo in a review? (Score:2)
These reviews aren't professional. They must be done by horny teenagers because they couldn't review the dimmer without making multiple inappropriate innuendos.
Re: (Score:3)
All part of the new journalism style. How many times a day do you see articles that start out saying "Blah blah: What you need to know". Or how about "Blah blah: Everything we know so far". Can't anyone write a normal story and let me decide on how to process the contents?
Interesting Results (Score:2)
What about... (Score:2)
...browsers that send your data to anyone that pays for it? What about mobile phones who track you 24x7 and do the same? Are those considered "creepy" or just "normal" now?
I disagree with Mozilla's list (Score:3)
- Have automatic security updates, so they're protected against the newest threats
This is a good one in theory, but in practice, I'm not so sure. Auto updates have been abused in the past. From the Nest Hub downloading its update that turns it into a brick, to Windows 7 users waking up to Windows 10 on their computer without truly informed consent, automatic updates should be *available*, but *optional*. Also, it should be entirely possible for end users to install their own software if they wish. Off-the-shelf routers that can be flashed with DD-WRT are becoming a bit of an endangered species, and for many routers, it's far more secure than the most recent first party firmware. Many Android handsets can be flashed with Lineage or another custom ROM which is newer than the latest OEM release.
Getting a bit more philosophical, there's a bigger issue with assuming perpetual software updates. At some point, they will stop, and "latest" doesn't always mean "best" or "most secure", either.
- Use encryption, meaning bad actors can't just snoop on your data
Well, yes...but fundamentally, encryption doesn't help if the data is being sent to the people who hold the second set of keys. Ring doorbells could adhere to this list perfectly, yet local law enforcement can get footage from them, without a warrant. Whether it's because Amazon gives them direct access, or because Amazon has an "ask nicely" department, 4096-bit SHA-512 encryption is pointless because 'someone sniffing the network traffic' is nowhere near the same level of practical threat as 'a police force that gets warrantless video and audio streams from citizens'.
- Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible
That only works if the software itself is user-facing. Nest works with an appy-app and a Google account, and that's about it. Yes, every so often someone will buffer overflow one of these or something, but the fact that many of them are black boxes means it's even harder to analyze the software for vulnerabilities.
- Require users to change the default password (if applicable), because that makes devices far harder to access
This one is pretty fair, though I'd submit that some sort of fail2ban option goes hand in hand with this and isn't stipulated.
- Privacy policies -- ones that relate to the product specifically, and aren't just generic
Privacy policies have bigger issues with weasel language. There have been stories of Alexa recordings being used in court when the trigger word wasn't said. Amazon completely complied with their privacy policy because they heeded a subpoena (which is a reasonable exception), but recording audio when recording wasn't consented to in the first place is both compliant with the privacy policy, and a load of crap because it's compliant with the privacy policy.
Ring doesn't seem to have much of an opt-out clause where someone can express to Amazon that the footage captured cannot be disclosed to local PD without a specific warrant. Even if Nest isn't selling my thermostat timings to other companies (i.e. windows of time when I'm home vs. when I'm not), if it is used even indirectly to track or advertise to me, it's still troubling and undesirable while also being completely Privacy Policy compliant. I'm completely sidestepping companies that don't follow their privacy policy or end up leaking data in a breach.
This brings me to my final issue with these smart devices: their reliance on transmitting data to someone else in the first place. Devices should be capable of performing at least some task without internet access. Alexa speakers could understandably be unable to be a smart assistant without an internet connection, but they should have a mode where they can be generic Bluetooth speakers, or work over Wi-Fi like a Sonos. Ring doorbells should be able to run as
On automatic updates specifically (Score:3)
Doing updates in a pro-consumer way isn't that hard, it's just businesses choose to do things in ways that fuck over the consumer. Windows used to have a great update system, you could set it to notify but no
1984 (Score:1)