How to protect your Ring from hackers (and Amazon partners)

The Ring doorbell spent much of 2019 getting buzzed by perceived security and privacy issues, from secret agreements with law enforcement agencies to cybersecurity practices that put its users at risk. Given that Ring, a subsidiary of Amazon.com, bills its devices as helping to build “safer neighborhoods,” its apparently lax approach to protecting customer data struck a number of people as more than ironic. Some alarmed consumers might have thrown their Ring away; others might have searched for, and found, ways to make Ring interactions more private and secure, which we outline below.

The entry-level Ring doorbell sells for $99.99, with an optional subscription plan starting at $3 per month that automatically saves videos to the company’s servers. It’s designed to be a Wi-Fi-enabled, 180-degree security camera pointed perpetually at your doorstep and your neighbors. It sends your phone a notification when somebody rings the doorbell, or when it detects motion outside your front door. It also enables you to interact via phone with the person at your door. Integrated Ring products include floodlights, security cameras without doorbells, “smart” lighting, full-perimeter security systems, and commercial business security plans.

Along with the included Ring app, through which users can manage the growing array of Ring devices, Ring offers a Neighbors app to facilitate neighborhood communication focused on crime reporting via Ring video sharing. The app has been dinged as one of several that can perpetuate a misperception of growing crime, often falsely attributed to people of color. Statistics reveal that broadly, crime has been decreasing across the United States for decades.





Ring footage often finds its way outside small neighborhood groups. Through partnerships with more than 400 law enforcement agencies across the country, according to a July 2019 investigation by Motherboard, Ring shares passive video footage, as it encourages consumers to install the Neighbors app and connect more Ring devices. Ring has asked law enforcement partners, Gizmodo reported in July, to hide their connections to the company from the communities they serve.

The Electronic Frontier Foundation found in January that Ring also shares user data (such as unique device IDs) with market research companies, including Facebook. Also in January, Ring itself revealed that it has fired four employees over the past four years for improperly accessing user video recordings.

Amazon has said that it requires a court order or Ring owner consent before sharing Ring video with law enforcement agencies. But the Fresno County Sheriff’s Office in California says it can demand via subpoena any video that Ring users have stored remotely, “as long as it’s been uploaded to the cloud,” Government Technology reported in August. Ring security breaches (including the publishing of at least 1,500 user log-in credentials on the Dark Web) can be attributed to weak password choices and even weaker default security practices, says Mark Loveless, senior security engineer at software development management company GitLab.

“It’s telling that every time a security researcher buys one of these products, they find flaws,” Loveless says. “We’re at the point where we advise people to use a secure password and try to patch [devices with security updates]. We’re lucky if people do that on their laptops, let alone a smart doorbell or smart television.”

Despite the security and privacy alarm bells Ring has been ringing, business for the connected doorbell products is booming. Recode reports that Ring sales were up 180 percent in December 2019 over those in December 2018. Research company IDC, meanwhile, predicts that home security devices will grow 21 percent each year through 2023.

On February 3, Ring unveiled promised security and privacy improvements. Ring is now prompting new users to set up two-factor authentication to better prevent hackers from accessing Ring devices, though they can opt out. (Smart-thermostat maker Nest, a subsidiary of Alphabet, is meanwhile making two-factor authentication mandatory.) Ring also introduced updates to its Control Center that allow users to see who is currently accessing their Ring camera, to see which devices have been given permission to access the camera, and to add or disable services linked to their Ring devices.


Forcing, rather than merely prompting, consumers to use two-factor authentication is “the most crucial thing” companies can do to help keep Internet-connected smart devices safe from hackers, says Lesley Carhart, principal incident responder at industrial-cybersecurity company Dragos. “It creates an extra barrier for a hacker or criminal trying to access your videos account,” she says.

The simplest way to avoid cybersecurity and privacy problems related to the so-called connected home is to choose devices whose manufacturers integrate strong protective technologies, enforce basic security hygiene, and avoid partnerships with law enforcement agencies. That said, there are eight steps you can take to help ensure that your Ring isn’t putting you or your family at risk.

Step 1: Activate two-factor authentication in Ring’s app, if you haven’t already. In the Control Center, the first option is Two-Factor Authentication. If it says On, you can proceed to the next step. Otherwise, tap it, and enter your phone number. Ring will send you a one-time passcode in a text message that you then have to enter in addition to your password to access the app. (Carhart says sending a two-factor authentication code over SMS is less secure than using an authentication app but notes that a weaker form of two-factor authentication is better than none.)

Step 2: Make sure that you’re using a hard-to-guess password unique to Ring, preferably incorporating spaces and punctuation. A password manager can help compose, save, and autofill stronger passwords.

Step 3: Access the Shared Users option to see people who have access. Remove users you don’t recognize or who shouldn’t have access. Carhart says this step can be critical on a video surveillance device like the Ring, especially for people who could be targets for stalkers or domestic violence.

Step 4: Check out which devices can access your Ring by tapping on the Authorized Client Devices section of the Control Center. Remove any devices that you do not recognize.

Step 5: Access the Linked Accounts option to view other services that have access to Ring, such as a smart door lock or Amazon Alexa. As with the previous two steps, remove accounts that you don’t recognize or no longer want to have access to Ring.

Step 6: Segment your Wi-Fi network so that all Internet-connected devices—including Ring—are on a secondary network. That makes it harder for hackers to jump from connected devices to your phone or computer. “Consumer wireless isn’t very secure in general,” Carhart says. While not every router has this option, doing it “creates another barrier to entry”—an important step, according to security researchers who recently demonstrated the ability to hop from hacked smart light bulbs to other devices on a network.

Step 7: Stop sharing Ring videos in the Neighbors app or elsewhere to limit the ability of strangers to figure out where you live.

Step 8: To maintain your privacy, refuse requests by law enforcement agencies to share Ring videos. You can opt out of all requests by going to the Video Requests option and tapping Disable.

While there can be great convenience in using a Ring, consumers should be wary of the dangers of joining a nationwide, privately owned surveillance network, Carhart cautions.

“People forget these smart devices give a very intimate view into your home,” she says. “Make sure that the access reflects your decisions in that manner.”