Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy The Courts

Dozens Sue Amazon's Ring After Camera Hack Leads To Threats and Racial Slurs (theguardian.com) 71

Dozens of people who say they were subjected to death threats, racial slurs, and blackmail after their in-home Ring smart cameras were hacked are suing the company over "horrific" invasions of privacy. From a report: A new class action lawsuit, which combines a number of cases filed in recent years, alleges that lax security measures at Ring, which is owned by Amazon, allowed hackers to take over their devices. Ring provides home security in the form of smart cameras that are often installed on doorbells or inside people's homes. The suit against Ring builds on previous cases, joining together complaints filed by more than 30 people in 15 families who say their devices were hacked and used to harass them. In response to these attacks, Ring "blamed the victims, and offered inadequate responses and spurious explanations," the suit alleges. The plaintiffs also claim the company has also failed to adequately update its security measures in the aftermath of such hacks.
This discussion has been archived. No new comments can be posted.

Dozens Sue Amazon's Ring After Camera Hack Leads To Threats and Racial Slurs

Comments Filter:
  • You're surprised (Score:5, Informative)

    by Arthur, KBE ( 6444066 ) on Thursday December 24, 2020 @01:44PM (#60863154)
    When you intentionally install a camera inside your house, with closed-source software, and send this footage to a third party and then the you get pwn3d?
    • by sabri ( 584428 ) on Thursday December 24, 2020 @01:49PM (#60863174)

      When you intentionally install a camera inside your house, with closed-source software, and send this footage to a third party and then the you get pwn3d?

      You forgot the most important part:

      The parents told WMC5 that they hadn't set up two-factor authentication for the device; failing to do so would make it easier for someone to change their password and take control of their account.

      Like other IoT smart home camera hackers, this one used the weak password security on the parents' Ring account to access their dashboard and speak directly through the device.

      This is not a case of blaming the victim. This is a case of blaming the vendor because the victim is too stupid to choose a decent password.

      Oh, someone emptied my house because I did not lock my front door, better sue the lock company for not forcing me to lock the house every time I leave.

      • by serviscope_minor ( 664417 ) on Thursday December 24, 2020 @01:56PM (#60863192) Journal

        This is a case of blaming the vendor because the victim is too stupid to choose a decent password.

        This is the vendor's fault. They're selling to the general public. The general public aren't tech experts or even tech savvy. They have about as much ability to make sensible tech decisions as you do to, say, cut someone's hair, enter a burning building, write a novel, negotiate a trade deal or any one of a million things people have expertise in other than tech.

        They're selling a system to non experts which is easy for non experts to fuck up. That's on them.

        Oh, someone emptied my house because I did not lock my front door, better sue the lock company for not forcing me to lock the house every time I leave.

        It's more like the lock company sent you the lock with two sets of installation screws. If you use the wrong screws the lock doesn't work, but you have no good way of telling which is which because you're not a metallurgist. Then you get the blame from smug people on the internet.

        • by Known Nutter ( 988758 ) on Thursday December 24, 2020 @02:10PM (#60863242)
          Can we get a car analogy? Everyone knows that's the most appropriate way to explain things.
          • This would be like someone forgetting to hit the lock button on their key fob six times in a row to make sure everyone within a half mile knows they're locking their car by having their car horn go off. At 2 in the morning.

          • Driving a 1965 VW bus and suing Volkswagen when bumping a shopping cart turns you into a quadriplegic.

            • And there was no requirement for a driving test and VW just let you go off?

              Sounds like both gevernment and corperate incompetence, but for simple trade off of risk.

              Nothing "bad" occured here. And these people would be the first to moan if the bar for having computing devices was raised.

          • by AmiMoJo ( 196126 ) on Thursday December 24, 2020 @07:04PM (#60864056) Homepage Journal

            Tesla claims it is the driver's responsibility to use autopilot safely. They are being sued on the basis that autopilot is "unreasonably dangerous". The court will eventually decide if their product is too easy to misuse or if it's the driver's fault for not meeting the somewhat demanding requirements (pay attention for extended periods of time with nothing to do).

        • This is a case of blaming the vendor because the victim is too stupid to choose a decent password.

          This is the vendor's fault. They're selling to the general public. The general public aren't tech experts or even tech savvy.

          Thankfully, that's not how liability works - and it isn't how it should work. If you buy a product, it is up to you to use it correctly. If you use it incorrectly, any failures or damages are your responsibility. If you aren't smart enough to use it, then you should not have bought it or used it.

          It's been 40 years since the PC went mass market; you should not be considered "tech savvy" if you know how to use or set a password. It is a basic feature of life for people of all ages. This is no more a matt

          • Yeah, but no. (Score:5, Interesting)

            by fyngyrz ( 762201 ) on Thursday December 24, 2020 @02:32PM (#60863330) Homepage Journal

            If you aren't smart enough to use it, then you should not have bought it or used it.

            Well, the problem there in the practical sense is that a person may not be smart enough to know that. And considering that the tech is readily available to provide each and every unit with a preset, difficult-to-guess password and a preset highly unlikely 2FA complementing it, it's pretty clear that the company is, in fact, responsible for the equivalent of handing very sharp knives to clueless infants.

            • Except there are no infants involved in this - there people are adults.

              There exists an astounding level of arrogance among some computer geeks and nerds, and this is an excellent example of it. These are adults that are fully competent to use open flames, buy houses, drive cars, make cares, operate businesses... but these sorts of attitudes treat them as infants too dumb to take care of themselves and instead demand that the Wise Nerd step in to protect them. This attitude wasn't cool in the 1800s, and it

              • by bn-7bc ( 909819 )
                But why are those same adults repeatedly burned when in contact with these technologies, while other operate them without major isdues? Might the solution be something like an “IoT drivers license” , a vasic course taking a few hoers with a test at tge end, if you pass you get issued a license to own an olerate IoT devices. At putchaxe you have to show that license together with avalit gowerment id pass port/driving license etc) no licence no sale. This wold be mildly annoying to geeks but sto
        • I can't agree. (Score:5, Insightful)

          by Brain-Fu ( 1274756 ) on Thursday December 24, 2020 @02:47PM (#60863372) Homepage Journal

          The general public aren't tech experts or even tech savvy.

          So is ring security so complicated that someone must be trained as a professional IT administrator to set it up? Because I would find that very hard to believe.

          In today's world, nearly everybody owns cell phones, laptops, routers, etc. Nearly everybody must understand passwords, wireless networking, and other tech basics, just to manage their lives and hold a job. These things are no longer in the domain of experts with esoteric educations. This is squarely in the domain of the general public!

          It does not make sense to hold manufacturers responsible for incompetent use of their products, especially if they have provided instructions and made the products reasonably easy to use given their function.

          If you can't drive a car, that's on YOU, not the car manufacturer, for making the steering wheel round, and putting the brake lever down where your feet are.

          • by AmiMoJo ( 196126 )

            No that's the point. They made it really easy to set up, guiding the user and hiding technical aspects from them. But they didn't make any effort to enforce strong passwords or 2FA, it just said "congrats your camera is working, we'll bill you monthly".

            If they made it easy enough for anyone they should have provided them with proper security too.

            • And taking your point another step further, they had no motivation to enforce stronger security practices because it is "hard". They would have been worried users would opt-out by not finishing the install, returning their purchase, or not buying at all. Making it simple for [insert adverb of choice] people was a business choice made to ensure sales.

        • They're selling to the general public. The general public aren't tech experts or even tech savvy.

          Try telling that to the general public or FLOSS fanatics who complain about people who use Windows PCs instead of Linux.

          They're selling a system to non experts which is easy for non experts to fuck up.

          No, they are selling systems expecting those that buy them to know how to user them properly. Kind of like how car dealers sell cars and trucks to people and expect them to know how to drive them properly. If you buy a $20,000 motorcycle and try to show off pulling out of the dealership, drop it and slide into a telephone pole. That is on you, not the manufacturer of the motorcycle.

        • by Anonymous Coward

          This is the vendor's fault. They're selling to the general public. The general public aren't tech experts or even tech savvy.

          Then the "general public" shouldn't be going around buying equipment that the "general public" is not qualified to use properly.

          They have about as much ability to make sensible tech decisions as you do to, say, cut someone's hair, enter a burning building, write a novel, negotiate a trade deal [...].

          ... and yet I can freely buy scissors, clippers, protective gear, various firefightin

          • Ring had a choice. Sell a product that was easy to use and would sell to the widest range of consumer. Or a secure device that might turn people off.

            They chose the former.

            And yes, this is what regulation is meant for. At some point "smart" people realize the market has failed and decisions are being made for the wrong reasons. Otherwise we'd all still be driving death traps that pollute harming both the owner and everyone around them just like insecure devices do.

        • by sabri ( 584428 )

          It's more like the lock company sent you the lock with two sets of installation screws. If you use the wrong screws the lock doesn't work,

          If you don't know how to install a lock, you hire a locksmith.

          This is the vendor's fault. They're selling to the general public. The general public aren't tech experts or even tech savvy.

          They were tech savvy enough to get the camera installed, up and running. One does not need to be tech savvy to understand that "P@assw0rd!" is not safe.

          But of course, it's easier to blame someone else then to admit ones own stupidity.

        • by rtb61 ( 674572 )

          It is more selling security, rather than a security device. When selling security, it is more about price, your quality of security will be down to your spend. Want real security, expect to spend millions, spend $100, seriously, how much security do you expect to get for $100, not much at all. Want real security, expect to pay real world money for it, thousands of dollars, want a cheap home made feel good device spend $100 and get one. If they were paying for Ring Protect https://au-en.ring.com/pages/p... [ring.com],

      • Bullshit. There is no two-factor authentication.
        It's just twice the one factor, as always.
        It does not add any security, like actual 2FA would, and exists exclusively so they can get your phone number and onto your phone too, because that way it is easier to make more money off of somebody.
        They would just end up with their phone more at risk of being hacked too.

        A good password is safe enough for this.
        2FA is onl for when somebody can get at your password. Then something's already very wrong
        If a good password

    • by DaveV1.0 ( 203135 ) on Thursday December 24, 2020 @02:00PM (#60863210) Journal

      When you intentionally install a camera inside your house, with closed-source software, and send this footage to a third party and then the you get pwn3d?

      When you intentionally install a camera inside your house, with closed-source software, and send this footage to a third party and then the you get pwn3d?

      As if open source software would have prevented the customers from picking bad passwords and having lax security.

      • Re: You're surprised (Score:3, Informative)

        by BAReFO0t ( 6240524 )

        I think buying a spying device by a hostile actor and installing it into your home is the point where somebody's already beyond saving.

        Imagine the level of wilful black-eyed ignorance and mental gymnastics or braonwashing one has to go through, to make a choice that bad.

        It's like complaining that Hitler and Jack the Ripper are coming for you, after you opened up a gate to hell and a 1000 foot Satan stepped through to lead the way for Chulhu & The Gang to perform "Get Down With Us" on yo ass.

        • by bn-7bc ( 909819 )
          But the issue is that the general public doesn’t see this as a spying device from a hostile actor, the mostly see it as a cool gadget from a company they probably have done buisnes with before. At any rate a device that provides some sort of added convenience or cool factor a standard doorbell does not, ie the WANT it now, and since the sticker price is not to high and they don’t even need to wire it up, gurpess what haooes, you the get it and ignore the instructions about unique long oassword
      • open source might have prevented bad passwords and lax security, because open source might have been more motivation to make it secure rather easier. It's a question of their motivations; open source might not have been profit based like Ring's was. Secure = hard = fewer sales

    • Re:You're surprised (Score:4, Informative)

      by mea_culpa ( 145339 ) on Thursday December 24, 2020 @02:01PM (#60863216)

      In addition to that, the ONLY people that got "hacked" where those that reused already compromised passwords and ignored basic internet security.

      • Yes, but those passwords were compromised in the first place due to Amazon's incompetence.
        • Yes, but those passwords were compromised in the first place due to Amazon's incompetence.

          A user selecting a password of "letmein" or something equally as failure-prone is Amazon's fault? How do you arrive at that inane conclusion?

          • The article says the there was an Amazon data leak containing passwords, hence even strong passwords (presumably in clear text) were leaked. The article does NOT say the compromised passwords were weak passwords. It MIGHT be true but (A) there's no evidence that's the case (at least none given in that article) and (B) as I've said, ALL passwords (regardless of strength) were leaked.
            • I didn't read TFA, but if they indeed stored people's passwords in plain text, then that should be treated at least as severely as gross negligence. They're hosting (b?)millions of VMs for people and the govmnt, they should know something about basic data security.

    • ... and send this footage to a third party and then the you get pwn3d?

      This is the problem.

      Even if the device firmware was open source if it sends the data to, or can be controlled from, a server you do not control there will be issues.

  • I'm not blaming the owners here because most people don't have the knowledge to make informed decisions. With that said... ...lolololol oh god these smart home things are source of laughs for us techies.

    Remember the google outage last week or so? Yeah some people couldn't use their heating (in winter!) because of nest integration. I remember when Billy G back in the 90s made a smart home running on windows NT, and had to throw blankets over the TV because it wouldn't turn off. I remember having a good laugh

    • I remember when Billy G back in the 90s made a smart home running on windows NT, and had to throw blankets over the TV because it wouldn't turn off.

      Underwriter's Labratories: Oh god, some moron threw a blanket over their TV. Thank god that's one of our test parameters to fend off idiots.

    • That is why IoT should stand for Intranet of Things, when it comes to smart homes. Use Z-Wave or Zigbee instead of WiFi devices; it isolates them from the internet, and WiFi is a shitty protocol for IoT anyway. Use a central hub, no cloud (at most: a cloud based gateway in case you want remote access). It's fine as long as you see IoT as something of a hobby; my entire house is "smartified", and it runs very well with little maintenance... but it took a decade to get to that point. And while it affords
      • Nope. It should be called "Internet of Shit", given the state of security on these connected devices.

    • I remember when Billy G back in the 90s made a smart home running on windows NT, and had to throw blankets over the TV because it wouldn't turn off.

      1990's.... so either CRT or projection tv ... sounds like covering it with blankets is a good way to set your house on fire.

  • Invasion of privacy? (Score:5, Informative)

    by Murdoch5 ( 1563847 ) on Thursday December 24, 2020 @02:00PM (#60863208) Homepage
    You put a camera on your house which feeds data into an unknown black box on the internet and you want to complain about your right to privacy? If you cared about your right to privacy you wouldn't have used Ring in the first place.
  • Merry Christmas everyone! Ho Ho Ho!
  • by Anonymous Coward

    "alleges that lax security measures at Ring, which is owned by Amazon, allowed hackers to take over their devices."
    "joining together complaints filed by more than 30 people in 15 families who say their devices were hacked"

    Amazon sold almost half a million (400k) Ring doorbell cameras this month alone, which isn't even over.
    They have hundreds of millions of Ring customers.

    30 / 100,000,000 = 0.0000003 (or 0.00003%, aka "One Three-Thousandth Of One Percent")

    This means they have just argued that Amazon's "lax"

  • by bb_matt ( 5705262 ) on Thursday December 24, 2020 @02:24PM (#60863306)

    If you put an internet connected camera controlled by a third party into your home, what the hell do you expect is going to happen?

    I guess some people think these things run on magic fairy dust or something, rather than being a proprietary closed black box that is not only wide open to attack, but also wide open to privacy abuse by Amazon.

    One day, the truth is going to out about exactly what companies like Amazon really have access to.

    Remember the story about Google collecting WiFi data via their Street View cars? - apparently an "accident".

    The bottom line here is that via these tech companies, by using their products, you have added a virtual back door into your homes.

    But hey, if you use a smartphone or a laptop with a camera and microphone ... you've done exactly the same thing.

    You are not only open to being hacked, but also open to being observed by the tech companies themselves, at the request of law authorities.

    The only saving grace you may have is that you are one of billions of people in the same boat... so they couldn't possibly be monitoring everyone, right?
    Ha - think big data, think AI ... yep, they can.

    I'll get my tinfoil hat...

    • ... and guess what, I'm stupid too - or lazy.

      Lazy - I'm aware that pretty much every interaction I have made on the internet over X amount of years is stored somewhere.
      I'm profiled.
      I may be a law abiding citizen, but some of my most personal data, I have willing given up under the guise of these third parties promising "it will be kept private", whilst at the same time, having open ended terms and conditions which they have the legal right to change at ANY time.

      Me and 99.9% of people walked right into that

      • So, just imagine, if your previously relatively democratic country suddenly became authoritarian.

        All those years of data collection of your interaction on the internet - heck, even 1 or 2 years - all there for that new authoritarian regime to sift through.
        Every post you made, every negative comment you made - all there for the picking.

        Think it can't happen?
        Before the internet, many decades ago, intellectuals were rooted out of their homes by various authoritarian regimes around the globe.
        This was *before* b

        • So, we've established, with tinfoil hats firmly on head and conspiracy theories right to the fore, that if you have been silly, years of your data are available - that you have been profiled.

          Right, great, you are a potential target should you have done something to upset a new authoritarian regime - clearly, they can't target *everyone* - they will pick the larger fish, the influencers.

          So, additional tin foil hat on, what of those people who have actively avoided being tracked?
          The savvy ones who have been w

    • streetview wifi actually was an accident and to my knowledge that info was never utilized or even removed from the drives it was stored on post-collection

  • If you whore away somebody's privacy, taunt him in a p.c. way. Preferably with a botox perma-smile and happy-clappy music too.

    Because they got zero problems with being de-facto a privacy prostitute and spy on others. It not being p.c. ... *that's* what they object to!

  • by gurps_npc ( 621217 ) on Thursday December 24, 2020 @02:33PM (#60863332) Homepage

    I mean, after buying this thing you'd have to be crazy to expect any privacy or security.

    Especially when Things Gateway exists;
    https://hacks.mozilla.org/2018... [mozilla.org]

  • While I acknowledge the anguish that the compromised users have experienced, I must also point out that the likelihood that the compromised users chose a weak password, easily cracked through dictionary attacks or similar, is very high.

    Perhaps this should be used as an object lesson to people who rely on IoT devices...use strong passwords, and when possible, two-factor authentication.

    That's as far as I go.

  • Change the channel, geez.

  • "Dozens of people .. are suing the company over "horrific" invasions of privacy."

    What do they expect, you install a remote monitoring camera and connect it to the Internet and it gets hacked.
  • by Rick Schumann ( 4662797 ) on Thursday December 24, 2020 @06:46PM (#60864004) Journal
    This is what you get for installing internet-connected cameras and microphones all over inside your houses! What did you think was going to happen!?
  • So certain people were acting in a manner that's consistent with a slur and when told they're acting that way were upset? LOL.
    People lying to themselves. Too dumb to know better.

    Then we have people that the password was most likely password. It's EASY to find these by the way, if you know what you're looking for and how to do it. It's easy to find other unsecured video feeds. Some of the stuff that is out there is better than any porn channel. Very hard to find those. Much easier to find boring feeds.

    That h

  • ..they will send you a $5 coupon for your next Amazon Ring purchase.

Whoever dies with the most toys wins.

Working...