This Amazon Doorbell Let a Man Spy on His Ex-Boyfriend [Update]

1 minute read
| News

Ring—which Amazon acquired in February—makes a smart doorbell that has a camera connected to Wi-Fi. And this Amazon doorbell has a security flaw that let a man harass his ex-boyfriend (via The Information).

[CES – Ring Alarm Home Security System Coming in 2018]

Don’t Ring the Amazon Doorbell

Although Ring claims to have fixed the security flaw back in January, there are still problems. The software behind the doorbell lets users stay logged in on the app, even if the password was changed.

That’s exactly what Jesus Echezarreta found out. After breaking up with his boyfriend, he changed the password on the Ring doorbell. But his ex was still logged in, and downloaded video footage from the camera, and remotely rang the doorbell during the night.

Image of an Amazon doorbell from Ring.

Don’t open the smart home pod doors

Mr. Echezarreta contacted the company in January, around the time when the Ring app was updated. But Jaime Siminoff, CEO of Ring, told The Information that there are still problems. Users are now logged out when a password is changed and are required to log back in. But the process doesn’t happen right away, and it could take up to an hour for a person to be logged out.

Cases like this are exactly why I stay away from so-called “smart” home devices. There is too much risk for my personal taste, and I really don’t mind getting off my butt to turn lights on or off (although I do see the usefulness of a security camera you can access with your phone).

Update

A Ring spokesperson reached out to us with a statement:

Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security.

We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s “Shared Users” feature. This way, owners maintain control over who has access to their devices and can immediately remove users.

Our team is taking additional steps to further improve the password change experience.

Which is pretty standard: Don’t share your login information with others. But that doesn’t help in Mr. Echezarreta’s situation. If you change a password, you should be automatically logged out of all instances of where you are logged in. But now Ring has changed its system so that will be the case going forward.

3
Leave a Reply

Please Login to comment
3 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
2 Comment authors
wab95cubefan Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
wab95
Member
wab95

cubefan: That’s very useful intel and insight. This corroborates what I’ve heard from security experts, or at least people with more training in security than I’ve had. Given your assessment, and the point that security has to be inbuilt from the conception and design of the product, and as most of these products are being built in countries that are hostile to user privacy and data security, this seems unlikely to occur, barring international agreement on security protocols and specs as a standard for market access. Equally valid is your point about secure gateways or gatekeepers, however that only underscores… Read more »

cubefan
Member
cubefan

I’ve been giving presentations on #IoT security, or lack of it for over two years. There are numerous examples of sloppy and lazy execution in code development for many ‘security’ and ‘smart home’ devices. The outcome of which is devices being used for DDoS attacks in their hundreds of thousands, where the result is material harm. Worse are organisations connecting their SCADA systems without adequate firewall protection, because taking control of power distribution or national infrastructure is possible. A truly secure gateway doesn’t exist – because home broadband routers aren’t up to the job – they too suffer from the… Read more »

wab95
Member
wab95

Cases like this are exactly why I stay away from so-called “smart” home devices. There is too much risk for my personal taste… Andrew: I’ve taken a similar position for basically the same reasons. I actually want to instal smart devices in my home for many practical purposes, including energy conservation (my wife is hardwired to leave lights on in her wake…I can tell the path she’s taken) and security (remotely managing locks and lights are obvious security enhancements). However, I’ve talked to enough people in the business to appreciate how vulnerable the devices remain, and that’s for the exploits… Read more »