Dozens Sue Amazon's Ring After Camera Hack Leads To Threats and Racial Slurs (theguardian.com) 71
Dozens of people who say they were subjected to death threats, racial slurs, and blackmail after their in-home Ring smart cameras were hacked are suing the company over "horrific" invasions of privacy. From a report: A new class action lawsuit, which combines a number of cases filed in recent years, alleges that lax security measures at Ring, which is owned by Amazon, allowed hackers to take over their devices. Ring provides home security in the form of smart cameras that are often installed on doorbells or inside people's homes. The suit against Ring builds on previous cases, joining together complaints filed by more than 30 people in 15 families who say their devices were hacked and used to harass them. In response to these attacks, Ring "blamed the victims, and offered inadequate responses and spurious explanations," the suit alleges. The plaintiffs also claim the company has also failed to adequately update its security measures in the aftermath of such hacks.
You're surprised (Score:5, Informative)
Re:You're surprised (Score:5, Insightful)
When you intentionally install a camera inside your house, with closed-source software, and send this footage to a third party and then the you get pwn3d?
You forgot the most important part:
The parents told WMC5 that they hadn't set up two-factor authentication for the device; failing to do so would make it easier for someone to change their password and take control of their account.
Like other IoT smart home camera hackers, this one used the weak password security on the parents' Ring account to access their dashboard and speak directly through the device.
This is not a case of blaming the victim. This is a case of blaming the vendor because the victim is too stupid to choose a decent password.
Oh, someone emptied my house because I did not lock my front door, better sue the lock company for not forcing me to lock the house every time I leave.
Re:You're surprised (Score:5, Insightful)
This is a case of blaming the vendor because the victim is too stupid to choose a decent password.
This is the vendor's fault. They're selling to the general public. The general public aren't tech experts or even tech savvy. They have about as much ability to make sensible tech decisions as you do to, say, cut someone's hair, enter a burning building, write a novel, negotiate a trade deal or any one of a million things people have expertise in other than tech.
They're selling a system to non experts which is easy for non experts to fuck up. That's on them.
Oh, someone emptied my house because I did not lock my front door, better sue the lock company for not forcing me to lock the house every time I leave.
It's more like the lock company sent you the lock with two sets of installation screws. If you use the wrong screws the lock doesn't work, but you have no good way of telling which is which because you're not a metallurgist. Then you get the blame from smug people on the internet.
Re:You're surprised (Score:4, Funny)
Re: (Score:2)
This would be like someone forgetting to hit the lock button on their key fob six times in a row to make sure everyone within a half mile knows they're locking their car by having their car horn go off. At 2 in the morning.
Re: (Score:2)
Driving a 1965 VW bus and suing Volkswagen when bumping a shopping cart turns you into a quadriplegic.
Re: (Score:2)
And there was no requirement for a driving test and VW just let you go off?
Sounds like both gevernment and corperate incompetence, but for simple trade off of risk.
Nothing "bad" occured here. And these people would be the first to moan if the bar for having computing devices was raised.
Re:You're surprised (Score:4, Insightful)
Tesla claims it is the driver's responsibility to use autopilot safely. They are being sued on the basis that autopilot is "unreasonably dangerous". The court will eventually decide if their product is too easy to misuse or if it's the driver's fault for not meeting the somewhat demanding requirements (pay attention for extended periods of time with nothing to do).
Re: (Score:1)
This is a case of blaming the vendor because the victim is too stupid to choose a decent password.
This is the vendor's fault. They're selling to the general public. The general public aren't tech experts or even tech savvy.
Thankfully, that's not how liability works - and it isn't how it should work. If you buy a product, it is up to you to use it correctly. If you use it incorrectly, any failures or damages are your responsibility. If you aren't smart enough to use it, then you should not have bought it or used it.
It's been 40 years since the PC went mass market; you should not be considered "tech savvy" if you know how to use or set a password. It is a basic feature of life for people of all ages. This is no more a matt
Yeah, but no. (Score:5, Interesting)
Well, the problem there in the practical sense is that a person may not be smart enough to know that. And considering that the tech is readily available to provide each and every unit with a preset, difficult-to-guess password and a preset highly unlikely 2FA complementing it, it's pretty clear that the company is, in fact, responsible for the equivalent of handing very sharp knives to clueless infants.
Re: (Score:2)
Except there are no infants involved in this - there people are adults.
There exists an astounding level of arrogance among some computer geeks and nerds, and this is an excellent example of it. These are adults that are fully competent to use open flames, buy houses, drive cars, make cares, operate businesses... but these sorts of attitudes treat them as infants too dumb to take care of themselves and instead demand that the Wise Nerd step in to protect them. This attitude wasn't cool in the 1800s, and it
Re: (Score:1)
I can't agree. (Score:5, Insightful)
The general public aren't tech experts or even tech savvy.
So is ring security so complicated that someone must be trained as a professional IT administrator to set it up? Because I would find that very hard to believe.
In today's world, nearly everybody owns cell phones, laptops, routers, etc. Nearly everybody must understand passwords, wireless networking, and other tech basics, just to manage their lives and hold a job. These things are no longer in the domain of experts with esoteric educations. This is squarely in the domain of the general public!
It does not make sense to hold manufacturers responsible for incompetent use of their products, especially if they have provided instructions and made the products reasonably easy to use given their function.
If you can't drive a car, that's on YOU, not the car manufacturer, for making the steering wheel round, and putting the brake lever down where your feet are.
Re: (Score:2)
No that's the point. They made it really easy to set up, guiding the user and hiding technical aspects from them. But they didn't make any effort to enforce strong passwords or 2FA, it just said "congrats your camera is working, we'll bill you monthly".
If they made it easy enough for anyone they should have provided them with proper security too.
Re: (Score:2)
And taking your point another step further, they had no motivation to enforce stronger security practices because it is "hard". They would have been worried users would opt-out by not finishing the install, returning their purchase, or not buying at all. Making it simple for [insert adverb of choice] people was a business choice made to ensure sales.
Re: (Score:2)
They're selling to the general public. The general public aren't tech experts or even tech savvy.
Try telling that to the general public or FLOSS fanatics who complain about people who use Windows PCs instead of Linux.
They're selling a system to non experts which is easy for non experts to fuck up.
No, they are selling systems expecting those that buy them to know how to user them properly. Kind of like how car dealers sell cars and trucks to people and expect them to know how to drive them properly. If you buy a $20,000 motorcycle and try to show off pulling out of the dealership, drop it and slide into a telephone pole. That is on you, not the manufacturer of the motorcycle.
Re: (Score:1)
Then the "general public" shouldn't be going around buying equipment that the "general public" is not qualified to use properly.
Re: (Score:2)
Ring had a choice. Sell a product that was easy to use and would sell to the widest range of consumer. Or a secure device that might turn people off.
They chose the former.
And yes, this is what regulation is meant for. At some point "smart" people realize the market has failed and decisions are being made for the wrong reasons. Otherwise we'd all still be driving death traps that pollute harming both the owner and everyone around them just like insecure devices do.
Re: (Score:2)
It's more like the lock company sent you the lock with two sets of installation screws. If you use the wrong screws the lock doesn't work,
If you don't know how to install a lock, you hire a locksmith.
This is the vendor's fault. They're selling to the general public. The general public aren't tech experts or even tech savvy.
They were tech savvy enough to get the camera installed, up and running. One does not need to be tech savvy to understand that "P@assw0rd!" is not safe.
But of course, it's easier to blame someone else then to admit ones own stupidity.
Re: (Score:2)
It is more selling security, rather than a security device. When selling security, it is more about price, your quality of security will be down to your spend. Want real security, expect to spend millions, spend $100, seriously, how much security do you expect to get for $100, not much at all. Want real security, expect to pay real world money for it, thousands of dollars, want a cheap home made feel good device spend $100 and get one. If they were paying for Ring Protect https://au-en.ring.com/pages/p... [ring.com],
Re: You're surprised (Score:2)
Bullshit. There is no two-factor authentication.
It's just twice the one factor, as always.
It does not add any security, like actual 2FA would, and exists exclusively so they can get your phone number and onto your phone too, because that way it is easier to make more money off of somebody.
They would just end up with their phone more at risk of being hacked too.
A good password is safe enough for this.
2FA is onl for when somebody can get at your password. Then something's already very wrong
If a good password
Re:You're surprised (Score:4, Insightful)
When you intentionally install a camera inside your house, with closed-source software, and send this footage to a third party and then the you get pwn3d?
When you intentionally install a camera inside your house, with closed-source software, and send this footage to a third party and then the you get pwn3d?
As if open source software would have prevented the customers from picking bad passwords and having lax security.
Re: You're surprised (Score:3, Informative)
I think buying a spying device by a hostile actor and installing it into your home is the point where somebody's already beyond saving.
Imagine the level of wilful black-eyed ignorance and mental gymnastics or braonwashing one has to go through, to make a choice that bad.
It's like complaining that Hitler and Jack the Ripper are coming for you, after you opened up a gate to hell and a 1000 foot Satan stepped through to lead the way for Chulhu & The Gang to perform "Get Down With Us" on yo ass.
Re: (Score:1)
Re: (Score:2)
open source might have prevented bad passwords and lax security, because open source might have been more motivation to make it secure rather easier. It's a question of their motivations; open source might not have been profit based like Ring's was. Secure = hard = fewer sales
Re:You're surprised (Score:4, Informative)
In addition to that, the ONLY people that got "hacked" where those that reused already compromised passwords and ignored basic internet security.
Re: (Score:3)
Excuse me? (Score:3)
Yes, but those passwords were compromised in the first place due to Amazon's incompetence.
A user selecting a password of "letmein" or something equally as failure-prone is Amazon's fault? How do you arrive at that inane conclusion?
Re: (Score:3)
Re: (Score:2)
I didn't read TFA, but if they indeed stored people's passwords in plain text, then that should be treated at least as severely as gross negligence. They're hosting (b?)millions of VMs for people and the govmnt, they should know something about basic data security.
Re: (Score:3)
... and send this footage to a third party and then the you get pwn3d?
This is the problem.
Even if the device firmware was open source if it sends the data to, or can be controlled from, a server you do not control there will be issues.
Lol smart home (Score:1)
I'm not blaming the owners here because most people don't have the knowledge to make informed decisions. With that said... ...lolololol oh god these smart home things are source of laughs for us techies.
Remember the google outage last week or so? Yeah some people couldn't use their heating (in winter!) because of nest integration. I remember when Billy G back in the 90s made a smart home running on windows NT, and had to throw blankets over the TV because it wouldn't turn off. I remember having a good laugh
Re: (Score:1)
Re: (Score:2)
I remember when Billy G back in the 90s made a smart home running on windows NT, and had to throw blankets over the TV because it wouldn't turn off.
Underwriter's Labratories: Oh god, some moron threw a blanket over their TV. Thank god that's one of our test parameters to fend off idiots.
Re: (Score:2)
Re: (Score:2)
Nope. It should be called "Internet of Shit", given the state of security on these connected devices.
Re: (Score:2)
I remember when Billy G back in the 90s made a smart home running on windows NT, and had to throw blankets over the TV because it wouldn't turn off.
1990's.... so either CRT or projection tv ... sounds like covering it with blankets is a good way to set your house on fire.
Invasion of privacy? (Score:5, Informative)
Re: Invasion of privacy? (Score:4, Informative)
Thanks for presenting to us the sophistication and quality of arguments of the opposing side to his.
Re: (Score:2)
Merry Chirstmas! (Score:2)
Way to argue against your own case (Score:1)
"alleges that lax security measures at Ring, which is owned by Amazon, allowed hackers to take over their devices."
"joining together complaints filed by more than 30 people in 15 families who say their devices were hacked"
Amazon sold almost half a million (400k) Ring doorbell cameras this month alone, which isn't even over.
They have hundreds of millions of Ring customers.
30 / 100,000,000 = 0.0000003 (or 0.00003%, aka "One Three-Thousandth Of One Percent")
This means they have just argued that Amazon's "lax"
Stupid is as stupid does (Score:4, Insightful)
If you put an internet connected camera controlled by a third party into your home, what the hell do you expect is going to happen?
I guess some people think these things run on magic fairy dust or something, rather than being a proprietary closed black box that is not only wide open to attack, but also wide open to privacy abuse by Amazon.
One day, the truth is going to out about exactly what companies like Amazon really have access to.
Remember the story about Google collecting WiFi data via their Street View cars? - apparently an "accident".
The bottom line here is that via these tech companies, by using their products, you have added a virtual back door into your homes.
But hey, if you use a smartphone or a laptop with a camera and microphone ... you've done exactly the same thing.
You are not only open to being hacked, but also open to being observed by the tech companies themselves, at the request of law authorities.
The only saving grace you may have is that you are one of billions of people in the same boat... so they couldn't possibly be monitoring everyone, right? ... yep, they can.
Ha - think big data, think AI
I'll get my tinfoil hat...
Re: (Score:2)
Yes, I think I made that point in my comments to my own comment, admitting that I too am stupid. ... convenient.
It's a tricky situation we find ourselves in. Convenience is
Re: (Score:2)
... and guess what, I'm stupid too - or lazy.
Lazy - I'm aware that pretty much every interaction I have made on the internet over X amount of years is stored somewhere.
I'm profiled.
I may be a law abiding citizen, but some of my most personal data, I have willing given up under the guise of these third parties promising "it will be kept private", whilst at the same time, having open ended terms and conditions which they have the legal right to change at ANY time.
Me and 99.9% of people walked right into that
More tinfoil hat... (Score:3)
So, just imagine, if your previously relatively democratic country suddenly became authoritarian.
All those years of data collection of your interaction on the internet - heck, even 1 or 2 years - all there for that new authoritarian regime to sift through.
Every post you made, every negative comment you made - all there for the picking.
Think it can't happen?
Before the internet, many decades ago, intellectuals were rooted out of their homes by various authoritarian regimes around the globe.
This was *before* b
Even more tinfoil hat... (Score:2)
So, we've established, with tinfoil hats firmly on head and conspiracy theories right to the fore, that if you have been silly, years of your data are available - that you have been profiled.
Right, great, you are a potential target should you have done something to upset a new authoritarian regime - clearly, they can't target *everyone* - they will pick the larger fish, the influencers.
So, additional tin foil hat on, what of those people who have actively avoided being tracked?
The savvy ones who have been w
Re: (Score:2)
You can avoid being tracked if you know what you are doing.
Like I said, 99.9% of us are tracked - I freely admit my knowledge is not in that area - heck, I'm kinda dumb about it.
But not dumb enough to not be aware of the absolute possibility of "flying under the radar".
How the hell do you think white/black hat hackers ply their trade?
Armed with enough knowledge, you can remain untracked - I know this at least - I've read up a little on it.
I'm just not smart enough and/or have the propensity to investigate f
Re: (Score:2)
I think it is fairly obvious what is meant by "being tracked" - that your network data is slurped up and connected with other data on you - profiling.
Sure, this happens every time you visit a supermarket and pay with a card or a phone - that data on what you have purchased is stored. ... hacked.
There are numerous privacy rights many countries largely try to enforce, but most of them can be overridden with the right authority.
Data also has a habit of being
Terms and conditions have a habit of containing a cla
Re: (Score:2)
Damn it, I could go so much further explaining this, despite my complete lack of knowledge - just takes a little imagination, right? ... anywhere there are network devices ... piggyback on someone else's connection, without their knowledge.
How about those countless millions of either completely unsecured or badly secured iOT devices?
A printer on a home network.
A packet sniffer in a crowded
To state that you cannot avoid being tracked is a complete nonsense.
Sure, if you swim in that kinda circle, in the upper
Re: (Score:1)
streetview wifi actually was an accident and to my knowledge that info was never utilized or even removed from the drives it was stored on post-collection
Re: (Score:2)
Oh sure, which is why they hired Marius Milner, a well-known figure in the Wi-Fi hacking community.
https://www.wired.com/2012/05/... [wired.com]
Lesson of the day: (Score:2)
If you whore away somebody's privacy, taunt him in a p.c. way. Preferably with a botox perma-smile and happy-clappy music too.
Because they got zero problems with being de-facto a privacy prostitute and spy on others. It not being p.c. ... *that's* what they object to!
Well, the customers DID buy a Ring. (Score:3)
I mean, after buying this thing you'd have to be crazy to expect any privacy or security.
Especially when Things Gateway exists;
https://hacks.mozilla.org/2018... [mozilla.org]
It's a teachable moment (Score:2)
While I acknowledge the anguish that the compromised users have experienced, I must also point out that the likelihood that the compromised users chose a weak password, easily cracked through dictionary attacks or similar, is very high.
Perhaps this should be used as an object lesson to people who rely on IoT devices...use strong passwords, and when possible, two-factor authentication.
That's as far as I go.
So It Was Playing Rap Music? (Score:2)
Change the channel, geez.
Ring and invasions of privacy (Score:2)
What do they expect, you install a remote monitoring camera and connect it to the Internet and it gets hacked.
This is what you get! (Score:4, Funny)
Re: (Score:2)
Racial slurs? (Score:1)
So certain people were acting in a manner that's consistent with a slur and when told they're acting that way were upset? LOL.
People lying to themselves. Too dumb to know better.
Then we have people that the password was most likely password. It's EASY to find these by the way, if you know what you're looking for and how to do it. It's easy to find other unsecured video feeds. Some of the stuff that is out there is better than any porn channel. Very hard to find those. Much easier to find boring feeds.
That h
Don't worry (Score:2)
..they will send you a $5 coupon for your next Amazon Ring purchase.