Consumer Reports has no financial relationship with advertisers on this site.
Ring says it’s developing a new privacy and security “dashboard” aimed at making it easier for consumers to keep their Ring accounts secure. The announcement comes just a few weeks after the company revealed that thousands of Ring doorbell and security cameras could be vulnerable to hackers.
The company warned that usernames and passwords for many accounts could have been acquired by criminals, who could then access Ring smartphone apps and view live camera feeds, phone numbers, and other information.
In one highly publicized incident, hackers managed to access the Ring account of a Mississippi family in December, taking control of a security camera to harass an 8-year-old girl while she was alone in her bedroom.
The new privacy dashboard will let Ring consumers manage their connected mobile, desktop, and tablet devices to ensure that hackers and other unauthorized users do not have access to their Ring accounts or devices.
The new dashboard will be part of the Ring mobile app for Android and iOS and is expected to be released later this month.
Ring, which was bought by Amazon in 2018, will soon also enable two-factor authentication (2FA) by default for new accounts as well as new devices for existing accounts.
Two-factor is a security mechanism that typically requires users to input a secondary, temporary password when logging into a device or service. That means that if someone else tries to use your username and password, they’ll be blocked from accessing your account unless they have that additional piece of information.
In Ring’s case, this is a code delivered by text message to the user’s smartphone. Consumers can opt out if they don’t want to enable 2FA, but doing so may lessen the security of their account. Consumer Reports recommends that people use 2FA whenever it’s available, especially for email, financial, shopping, and other critical accounts.
Ring says that in the recent incidents, it found no evidence that hackers had managed to break into Ring servers. Instead, Ring says, hackers used account credentials compromised in data breaches from other companies. The technique is known as “credential stuffing,” and it’s one of the primary reasons that security experts warn consumers to never reuse passwords and to consider employing password managers.
More Fixes Could Be Coming
Privacy advocates say they welcome the changes but encourage Ring and other security camera and video doorbell companies to do more to protect consumers.
“We're glad to see Ring make these changes that allow consumers more transparency and control over their data, in addition to pushing new users and users of new cameras to put two-factor authentication in place,” says Katie McInnis, a policy counsel at Consumer Reports. “However, in order to more fully protect consumers, Ring should also take other heightened security measures."
Consumer Reports is urging all video doorbell makers to take a number of specific steps, McInnis says. For instance, the companies should ensure that user passwords haven’t been exposed in previous data breaches, a step already taken by password managers. Additionally, companies should adopt measures to guard against hackers entering large numbers of usernames and passwords to try accessing customer accounts.
A Ring spokesperson says that the company already takes such steps. "We now cross-reference account credentials from external breaches drawn from records out of the dark web to our Ring database and proactively send an email to all that are a match for both username and password," the spokesperson said in an email. She did not specify when that practice began, but said the company had previously monitored accounts for suspicious activity.
Ring said in December that 3672 account credentials had been compromised; according to the spokesperson the list came from multiple non-Ring, third-party data breaches.
Ring CEO Siminoff said the company was “always evaluating” additional security measures while weighing them against customer convenience. “If you don’t continue to look at security and adjust it, then you’re not doing security properly,” he added.
“Everything that they’re doing with this dashboard is a good step, but it’s very much just that—a step,” said Hannah Quay-de la Vallee, senior technologist at the Center for Democracy & Technology, a digital rights advocacy group. “I hope it’s part of a larger process about improving consumers’ ability to manage this stuff.”
Ring also said it would make it easier for consumers to opt out of having local police request their security camera footage.
As news outlets including Vice Motherboard and Gizmodo have reported, Ring has partnered with police departments across the U.S. to make it easier for police to request Ring footage to help solve crimes. Privacy advocates and other civil liberties groups have suggested that these partnerships encourage a culture of fear at a time when serious crime, including violent crime and property crime, is at historically low levels.
“The fact is that even if Ring fixed all of its security flaws, these devices would still be dangerous,” said Evan Greer, deputy director of Fight for the Future, a digital rights advocacy group. “Crime has been steadily falling for decades. But Amazon wants you to be afraid. They want you to distrust and spy on your neighbors. These devices are corrosive for our society.”
The exposure of Ring account credentials is just the latest in a series of hacks and vulnerabilities that have affected security cameras and video doorbells, from multiple manufacturers.
In November, it was revealed that Ring video doorbells contained a vulnerability that exposed WiFi network names and passwords. Last May, a vulnerability was discovered that let individuals stay logged in to Ring accounts even after a password change. And last January, there were reports of Nest cameras, which are owned by Google, being hacked through credential stuffing.
Correction: An earlier version of this article quoted Ring CEO as discussing "digestible security;” the correct quote is "digestible transparency." In addition, the article has been updated with additional information on how Ring protects user accounts.
More from Consumer Reports:
Top pick tires for 2016
Best used cars for $25,000 and less
7 best mattresses for couples
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2020, Consumer Reports, Inc.