Amazon, Ring Face Class-Action Lawsuit Over Alleged Security Camera Hacks

Alabama resident John Orange has filed a class-action lawsuit accusing Amazon and Ring of failing to do enough to secure their security systems against hacks, including Orange's. Engadget reports: He alleged that a stranger compromised his Ring outdoor camera and spooked his kids as a "direct and proximate" result of the company's inability to protect its devices "against cyber-attack." He pointed to other incidents to support the argument for a class action, including a highly publicized event in December where a remote intruder harassed a Mississippi girl.

Orange also claimed that Ring's response was evidence of the company blaming customers. It told Orange that there was "no evidence" someone had hacked the firm's infrastructure, and that his incident may be the result of a breach at a "non-Ring service" where the perpetrators reused info to sign into Ring accounts. In other words, Ring couldn't help it if people reused passwords with sites and services it can't control. The suit formally levels accusations of breach of contract, invasion of privacy, negligence, unjust enrichment and violating California's Unfair Competition Law (through misleading representations of security). If it achieves class action status, it would ask Amazon and Ring to compensate victims and implement "improved security procedures and measures."

Yeah, such stupidity must be punished.

[BAReFO0t]

They could have simply thrown Amazon a few peanut$, or say they are affiliated with law enforcement, or probably somethingsomethingADSsomethingsomething, and they would have gotten all the keys to the kingdom.

What a bunch of ... hacks.

Hey Alexa

[sit1963nz]

"Hey Alexa, can you take a peek at my Ring"

Amazon has gone deep into space ... we can tell because Uranus has rings too.

morons will be morons

[andydread]

if you re-use the same credentials then you should be hacked. You can't blame service providers because you are a lazy moron and use the same credentials.

Re:

[Waffle Iron]

The fact is, good majority of the public are "lazy morons" by your definition. Amazon certainly knows that, and they should have taken appropriate steps to mitigate the issue. Just letting millions of "lazy morons" go ahead and pick stupid passwords obviously isn't good enough.

Even if Amazon's lawyers manage to deflect liability on this, it's going to be an endless stream of bad publicity until it gets fixed.

Re:

[Waffle Iron]

Wait, I thought that Jeff Bezos was some kind of liberal menace who owns a big mainstream media outlet. Are you saying that he's actually a paragon of core conservative values, such as our cherished heritage of having people shoot themselves in the foot because they're not computer experts?

Re:

[q_e_t]

It's not about hand-holding but about design that takes into account users. If a car had a steering wheel that worked in the opposite sense on Tuesdays would you rail against drivers or liberals or feel it was poor design?

Re:

[gTsiros]

i doubt that would legally fly though, what with regulations' tight control over vehicle behavior etc

Re:

[q_e_t]

Exactly!

Re:

[MerlTurkin]

Yup. Stupidity is hard to fix sometimes. Electronic Darwinism in action!

Re:

[MerlTurkin]

"There is more stupidity than hydrogen in the universe, and it has a longer shelf life" - Frank Zappa

Re:

[OcCbXntZLeOg]

You made me read that whole thing looking for where Google says you should blame service providers for password reuse and it wasn't there. Can you at least not lie when arguing on the internet?

Monetary award

[rtkluttz]

Please, for the love of God, make the monetary award so great that SAAS and hosted cloud services, especially for IoT goes away completely because the risk is too great.

Re:

[guruevi]

Yeah because nobody could ever need low cost, maintained services. This lawsuit needs to be stomped deep into the ground, people need to learn about proper password security.

Re:

[q_e_t]

No, what is needed is good design that takes into account unhelpful customer behaviour and steers them to do sensible things as far as it is reasonable to do so. SaaS, etc., very much have their place and I agree with your implication there.

Alexa, What's AT&T Mobility LLC v. Concepcion

[sqlrob]

I'll be surprised if it's granted class action, chances are the EULA says arbitration, and that's binding (for now anyway).

There's always someone

[maitai]

It's not rings fault if users are morons. Knocking on ring seems to be the new in thing. Surprised someone is trying to cash in on it?

Re:

[dcw3]

It is Rings fault when they clearly know that a large portion of the public (their consumers) are going to do this, and be put at risk because they were too lazy to take a few simple steps to prevent it.

Re:

[MerlTurkin]

If the consumer doesn't read the instructions or follows directions TOO BAD. It's THEIR OWN FAULT. Is it Remington's fault if you buy one of their guns, aim it at your face and pull the trigger?

Re:

[dcw3]

False equivalence.

People buy products every day w/o reading the instructions. And many Ring owners don't even do their own installations. Comparing these to guns is stupid, as is your caps lock. Take a breath and come up with a logical answer.

Re:

[Rick Zeman]

It is Rings fault when they clearly know that a large portion of the public (their consumers) are going to do this, and be put at risk because they were too lazy to take a few simple steps to prevent it.

I can't think of any consumer-level service outside of some banking that MANDATES 2FA. How is it Ring's fault that their users don't avail themselves of the security measures that are available? Is Ring to be punished because they're telling the users that its their fault...because it IS their fault?
(My Nest account has a uniquecomplex password and 2FA.)

Re:

[q_e_t]

It's Ring's fault if it doesn't assume that a significant proportion of its users haven't studied computer security, don't understand the requirements, and haven't read the 50 page EULA. The design of the product should be that the default actions are safe and an advanced user can go and screw it up if they want. This is pretty much how most other products work - e.g. you don't have your vacuum cleaner delivered with bare wires where the socket should be for you to attempt to wire up in some way or have you

It won't fly ...

[CaptainDork]

... because Ring will just share its install instructions that consumers ignore at their own peril.

Whats the fix?

[AHuxley]

A sticker inside the box:
Random 20 character user name.
A random 20 character password.
Secure out of the box. Keep the sticker safe...

Re:

[Rick Zeman]

A sticker inside the box:

Random 20 character user name.

A random 20 character password.

Secure out of the box. Keep the sticker safe...

It's so secure it would never get used. Security vs usability is a series of tradeoffs. Your suggestion is too extreme.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AHuxley]

The device would ship with a unique and long paw/username...
The user can change as they want later.
The setup would be a long unqiue username/ unique pw for that user.

Re:

[AHuxley]

Re "would never get used"...
The long and unique user name/password would be set in the factory so it would be "used" by default as shipped.
If the user then wanted to change, reset they could.
The "would never get used" would be used as that is what the service powered on with ...
Just like an ISP, some commoner brand products and service can do and are doing...
A strong an unique pw/users named shipped per device ...

Dumba** users should fail.

[Fuzi719]

I don't see the lawsuit going anywhere. Ring was never hacked. Idiot users used the same username/password from some other company's product, which was hacked. That's not Ring's fault and this is simply wallet-shopping to find the biggest payout. The suit should be dismissed with prejudice.