Ring's Security Woes Cause Some Tech Review Sites To Rethink Glowing Endorsements

At least two tech review sites are discussing whether to rescind their positive recommendations of Ring's home surveillance cameras, a leading digital-rights organization announced this week. From a report: In the wake of reporting by Gizmodo and other outlets this year concerning Ring's troubled security and privacy practices, Fight for the Future has launched a campaign calling on tech review sites, such as Consumer Reports and PC Magazine, to suspend recommending Ring products. "Tech reviews and guides play an important role in people deciding which devices to buy," said Evan Greer, deputy director of Fight for the Future. [...] Last week, the tech review site Wirecutter announced it was suspending its recommendation of Ring products citing a report about a data leak by BuzzFeed's Caroline Haskins. This prompted Fight for the Future to contact other review sites and ask them to rescind their recommendations as well.

Finally

[mschaffer]

I am tired of too many review sites giving companies like Amazon a pass just because they are Amazon. It's ridiculous.

Re: Finally

[guruevi]

Feel free to recommend a brand that doesn't have major issues with their core apps and services. Most use a Chinese-based firmware update server and DDNS to begin with.

Ring's privacy and security is probably better than having a Busybox hanging directly on the Internet through a reverse proxy with anonymous cgi-bin access and plain text passwords which what most of these camera have.

Re:

[BizX (9148219783024)]

Ring's privacy and security is probably better than having a Busybox hanging directly on the Internet through a reverse proxy with anonymous cgi-bin access and plain text passwords which what most of these camera have.

Prove your anecdote, please.

Re: Finally

[rogoshen1]

The real problem with ring is subverting due process by setting up a third party surveillance network and handing the keys to the police.

Re:

[thomn8r]

The real problem with ring is subverting due process by setting up a third party surveillance network and handing the keys to the police.

I wish I had mod points

Re:

[AHuxley]

Police looking for criminals is "due process" for the people who have been a victim of crime.
Everyone gets to see who the criminal is and who is doing crime.
Who walked onto private property to take a package, enter a home...
Re "keys to the police"
Thats a private camera on private property... the owner can report a crime and show the police who did the crime.. just like with CCTV.

Re:

[rogoshen1]

Your signature is oddly ironic given the content of your post.

Re: Finally

[astrofurter]

The only way to stave off the surveillance state dystopia - a key component of cybernetic totalitarianism, that presents a bigger threat to human freedom than the Soviet Union or "tewwawism" ever did - is to ban all surveillance equipment facing public spaces. Whether the equipment is publicly or privately owned. Whether the public space is government owned or privately owned quasi-public spaces like cafes and shopping centers. Drastic threats to freedom call for drastic measures.

Even if it results an incr

Re:

[Randj Herdle]

Maybe it's true here on /., but not everyone regards a surveillance state as a dystopia. Depends on what it chooses to criminalize. I don't want to live somewhere where people have the right to bully and to steal. I just don't want to stifle the right to express dissent.

Re:

[AHuxley]

Re "ban all surveillance equipment facing public spaces."..

Why should criminals get privacy to do their crimes in?

Re "petty crime"
So a home entered and property stolen is "petty crime"...
A package stolen a poor person, working class person had to "save" their wage to buy is "pretty crime"...
Thats hours of work lost to a person on a low wage... to a perps who has to count every $ from the hours they get to work.

Thats not "petty crime", thats crime done by criminals... who could be seen and tracked w

Re: Finally

[astrofurter]

"Why should criminals get privacy to do their crimes in?"

The same reason undesirable people are still allowed to have freedom of speech. Because either EVERYONE has privacy, or NO ONE has privacy.

In the past, it took effort to invade a person's privacy. Today, in the age of ubiquitous network-connected surveillance cameras, absolutely no one has any privacy at all. Not the most virtuous saint, not the sneakiest crook, not the highest official, not the bum under the bridge. We have ALREADY LOST that form of

Re:

[AmiMoJo]

It's worse than that. When Amazon bought Ring we suddenly started getting all these articles are "porch pirates". It's just Amazon protecting its business model and diverting police resources to it, and making you pay for it.

Re:

[Aighearach]

If the whole product category has negative security implications, that doesn't imply any need to give anybody a pass for being equally bad.

It is just incredibly moronic to suggest that identifying problems with a technology can only be done while actually recommending a brand of that product.

No, the security-conscious recommendation is to not use these "smart cameras" and just use traditional CCTV setups that don't put all the security on somebody else's equipment. And golly, you can still use an "app."

Re:

[cusco]

While you and I might be competent to install, secure and manage a "traditional CCTV setup" that isn't the case for the vast majority of people on the planet. The thundering herds just want something that they can screw onto the wall which "just works", and the Ring-type products do the job for them.

For the most part the "security problems" that most of these outfits are complaining about are non-issues. You can find which houses have Ring doorbells? Big deal, I can do that just walking down the street a

Re:

[Aighearach]

While you and I might be competent to install, secure and manage a "traditional CCTV setup" that isn't the case for the vast majority of people on the planet.

Oh bull fucking shit. Bull fucking shit.

It is a VCR with too many plugs. Give me a fucking break. Idiots running convenience stores have been using them since they hit the market. Do they sometimes have to talk a younger person into plugging everything in? Yes. Is that a significant barrier? No, they can also just ask the weekend guy to do it.

Re:

[Randj Herdle]

While you and I might be competent to install, secure and manage a "traditional CCTV setup" that isn't the case for the vast majority of people on the planet.

The same is true for guns, but I don't see many here applying the same logic.

Re: Finally

[da-blehman]

I like Honeywell dvrs. Install those for clients a lot. Anything non cloud based is preferable.

Re:

[cusco]

Really? They must have gotten a whole lot better in the last few years. The last one that I installed was only exceeded by the GE DVRs for shoddy quality, garbage components and buggy software.

Re:

[Dahan]

I like Honeywell dvrs. Install those for clients a lot. Anything non cloud based is preferable.

Honeywell just re-badges Dahua equipment [ipvm.com], and Dahua has had some serious vulnerabilities too. (I actually use Dahua stuff myself; their cameras are pretty good. But I keep them on their own VLAN, away from the internet.)

Re:

[lactose99]

Would be entirely reasonable for the review sites to recommend none of the products on the market for this very reason, correct?

Re:

[account_deleted]

Comment removed based on user account deletion

Huh

[ArchieBunker]

Wasn't it proven that all the people who were "hacked" had simply re-used their passwords from other compromised companies?

Re:

[Gravis Zero]

It's more than that. There is nothing preventing a brute force/dictionary attack. You can try 100000 incorrect passwords and it'll keep giving you more guesses.

Not a hack...

[cypherljk]

Nothing to see here. It's not a hack if someone has your password. They are just logging in. #stoppasswordreuse

Really disingenuous

[bblb]

Really disingenuous to suggest that the devices are somehow flawed or less worth of recommendation based upon ignorant end users with poor password security habits. The actual instances of Ring devices being truly hacked is somewhere around zero, the issue is people using default or predictable passwords and bad actors guessing those passwords to gain access to their accounts. Folks need to start taking responsibility for their technological presence or accept the consequences as a result of their own choic

Re:

[Sumguy2436]

Really disingenuous

What do you expect from the parties involved (Buzzfeed and some other activist group)?

The usual suspects have been running a campaign against Ring because Amazon cooperates with law enforcement. There have been plenty of articles on /. from the usual "progressive" outlets.

This isn't about security. Just some activists using it as a red herring.

Re:

[will_die]

Those password entries have been because of brute force attacks and I believe most people would put brute force as a hacking or cracking method.
The other major issue looks to be that ring device are still storing and sending WiFi passwords in plain text.
Both of those vulnerabilities are things that should not exist any more and for a manufacturer not to fix those should place blame on them. even implementing a simple 3 wrong passwords causes a 30 second delay would help.

Re:

[cusco]

No, the Ring gets the password from the app on your phone, which is transmitted in clear text (I believe the newest versions of firmware hash this now). After that the doorbell/camera/whatever uses the normal methods to connect to your wifi router (if it didn't the router wouldn't talk to it). If someone is close enough to be pick up the communications between your phone and the Ring during the 30 seconds it takes to set the device up and willing to go to all the trouble to extract that string from the tr

Re:

[bblb]

Literally nothing you just said is accurate.

Re:

[awwshit]

You could, ya know, actually go outside and meet people in person. Instead you hide inside staring at camera views while feeling locked down and safe. You might want to talk with a professional about your unusual fear of other people. You don't need an app and recordings and a virtual place to be suspicious with your neighbors - you need professional help.

Re:

[cusco]

I rather wonder if some of the anti-Amazon/Ring hit pieces aren't sponsored by the likes of Walmart and Google. Security on Google's devices is at least as bad, if not worse, and considering its history I can't imagine that Apple's stuff is any more secure.

Deterrence?

[thomn8r]

Has the prescense of Ring or any other security camera system ever deterred or identified a Porch Pirate, other in the rare instances where a video has gone viral? (Like the one last year with the lady trick-or-treating/porch pirating with her kids)

Re:

[mister_hoberman_to_y]

I have several security cameras and get alerts on my phone when someone is at my door or poking around my back yard or cars. I don't really expect that the alerts and mediocre-quality videos are going to help solve a crime directly, especially as criminals wise up and start covering their faces.

But: the various small thefts we've had in our neighborhood while I've lived here tend to be plural in nature, in that someone has gone house-to-house looking for unlocked cars and garages, etc, and multiple homes ge

Ring and Amazon sued in federal court

[schwit1]

https://www.businessinsider.nl... [businessinsider.nl]

Home camera maker Ring and parent company Amazon have been sued in federal court in California over claims that they failed to protect users’ privacy and security.

The lawsuit alleges that, as a manufacturer of security products, Ring failed to meet its “most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack.”

It also argues that Ring and Amazon sought to avoid responsibility by blaming users for not implementing p