Amazon Ring: Neighbors Leaking Data On Neighbors

For a while now a series of stories has been circulating about Amazon’s Ring doorbell, an Internet-connected camera and entry system that lets users monitor and even interact with visitors and delivery people at their doors. The adverts feature improbable encounters with would-be crooks foiled by the IoT-equipped homeowner, but the stories reveal a much darker side. From reports of unhindered access by law enforcement to privately held devices, through mass releases of compromised Ring account details, to attackers gaining access to children via compromised cameras, it’s fair to say that there’s much to be concerned about.

One cause for concern has been the location data exposed by the associated Amazon Neighbors crowd-sourced local crime paranoia app. For those of us who don’t live and breathe information security, there is an easy-to-understand Twitter breakdown of its vulnerabilities from [Elliot Alderson] that starts with the app itself and proceeds from there into compromising Ring accounts by finding their passwords. We find that supposedly anonymized information in the app sits atop an API response with full details, that there’s no defense against brute-forcing a Ring password, and that a tasty list of API and staging URLs is there for all to see embedded within the app. Given all that information, there’s little wonder that the system has proven to be so vulnerable.
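The first of those findings comes down to where the anonymizing happens: in the app's display code, or on the server before the response is sent. As an added illustration (not code from Ring, Amazon or the Twitter thread), the sketch below puts the two patterns side by side; the record, its field names and the 0.01 degree grid are all constructed assumptions.

```python
import math

# Constructed back-end record; field names are hypothetical, not the real API's.
RAW_POST = {
    "id": 1001,
    "title": "Package taken from porch",
    "owner_email": "resident@example.com",
    "device_id": "cam-7f3a",
    "latitude": 34.052235,
    "longitude": -118.243683,
    "video_url": "https://media.example.invalid/v/1001.mp4",
}

PUBLIC_FIELDS = ("id", "title", "video_url")  # allow-list, copied verbatim
SENSITIVE_FIELDS = ("owner_email", "device_id", "latitude", "longitude")
GRID_DEGREES = 0.01  # assumed policy: cells of roughly 1.1 km of latitude


def coarsen(value, cell=GRID_DEGREES):
    """Snap a coordinate to the centre of its grid cell."""
    return round((math.floor(value / cell) + 0.5) * cell, 6)


def leaky_view(post):
    """Flawed pattern: ship the whole record and let the app hide fields."""
    return dict(post)


def public_view(post):
    """Build the response from an allow-list, so new fields never leak by default."""
    out = {key: post[key] for key in PUBLIC_FIELDS if key in post}
    out["approx_latitude"] = coarsen(post["latitude"])
    out["approx_longitude"] = coarsen(post["longitude"])
    return out


def exposed(response, original):
    """List sensitive fields present by name or by exact value in a response."""
    values = {str(v) for v in response.values()}
    return sorted(f for f in SENSITIVE_FIELDS
                  if f in response or str(original[f]) in values)


if __name__ == "__main__":
    print("leaky view exposes: ", exposed(leaky_view(RAW_POST), RAW_POST))
    print("public view exposes:", exposed(public_view(RAW_POST), RAW_POST))
    print(public_view(RAW_POST))
```

A check like `exposed()` belongs in the API's test suite, run against the serialized response rather than against what the app chooses to render.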

As traditional appliance makers have struggled with bringing Internet connectivity into their products, there have been a few stories of woeful security baked into millions of homes. A defense could be made that a company with roots outside the Internet can be forgiven for such a gaffe, but in the case of Amazon, whose history has followed that of mass Web adoption and whose infrastructure lies behind so many of the services we trust, this level of lax security is unforgivable. Hackaday readers will be aware of the security issues behind so-called “smart” devices, but to the vast majority of customers they are simply technological wonders that are finally delivering a Jetsons-style future. If some good comes of these Ring stories it might be that those consumers finally begin to wake up to IoT security, and use their new-found knowledge to demand better.

Header image: Ring [CC BY-SA 4.0]

31 thoughts on “Amazon Ring: Neighbors Leaking Data On Neighbors”

      1. Unethical perhaps for you, thus you are much encouraged to never own one. The rest of us who do not live in lalaland have an entirely different idea about what matters most and – for the most part – it involves protecting our families and property against those who truly have no morals and make crime a way of life.

        No matter the technology there will always be perils but – in case you have not noticed – because we got to where we are, clearly; by technology we perish or through it we thrive, your choice.

        We are too far down the rabbit hole to circle back and return to yesteryear. The ratio of morality to progress has seldom been proportional or marched hand-in-hand. Ignoring that fact with statements like yours only proves what little understanding of the world you live in you currently possess.

  1. A while back, I bought a Ring. It seemed like a good idea at the time. Got it all installed and entered the setup phase, direct wifi from my smart phone, and got it all set up despite the somewhat less than adequate instructions, and it worked, for about 5 minutes.

    We had house wifi, picture and notification, and then suddenly, as we played with it, no more picture, no more doorbell, no more nothing. Attempted to follow less than adequate troubleshooting instructions, but found that I could not even connect direct wifi from my smart phone, getting the spinner and then nothing.

    Called tech support number and the obviously inadequately trained call taker, even after I explained the symptoms and results, insisted on going through a menu including was the power on and did I have the smart phone in the right mode, neither of which, being missing, would have allowed me to even start setup, much less reach any level of connectivity.

    After exhausting her menu, she read (quite obviously) an evaluation that said that my power supply was inadequate and I would have to install a new transformer. Even after I explained to her that this retired telecom technical support engineer knew how to check whether I was getting proper power to the device, she insisted that low voltage and low amperage were the problem, but she didn’t know the difference between the two, and when I told her what my measurements were she could not seem to recognize that the values that I read her were better than what she read to me.

    When I asked for Tier Two technical support, she didn’t know what that meant, and then would not refer me up the chain unless and until I replaced the “defective” transformer.

    I took the stupid thing back to the store, and having seen this article, am now glad I did.

    1. Yup, that’s my rule, as soon as they quote the help file back at you which plainly didn’t help in the first place otherwise why would you be calling, dump the product back to the store. Warn everyone never to buy from that company.

    2. RTFM, it’s not Ring’s fault. In the manual it says to check the transformer, not all doorbells are the same spanning homes over 100+ years and to assume Ring or anyone else can provide compatibility for every doorbell is a huge stretch.

    3. Mother received one as a gift. I don’t like the “cloud” setup. I have not installed the unit, so it’s not set up yet.

      On the transformer, the unit has a rechargeable battery that is supposed to last “for months” before needing a 5 to 10 recharge cycle. Disconnect the transformer, so it runs on its battery. What does tech-support say then?

      Peace and blessings,
      Johnny

  2. The hackability… just about a given, when you rush something to market. I think it’s called ‘first-mover advantage’. I usually wait for stories like this, and a company’s response in the form of a v 2.0 product, before jumping in.

    Of more concern to me are the accompanying apps like Neighbours where Ring and videocamera owners share videos of “suspicious” people. This has led to claims of racial profiling and being a possible enabler of vigilantism.

    I also wouldn’t voluntarily want to contribute to creating a surveillance society. Of course, the police are loving Ring.

    1. Here’s the thing… They don’t have to make a v2 product to fix this. All of the talk of vulnerabilities that I’ve seen have been on the client-server side. Nobody’s said anything at all negative about the camera-to-cloud communications. They don’t have to rev the hardware AT ALL to make all of these problems go away.

      That doesn’t imply that there are potential security issues with the cameras, but that’s really no different from any other IoT device, and securing them simply starts with putting them behind a good firewall.

    2. Yes, I guess the police would love it as it helps them to keep people like you and me safer. I suppose you can sit back and do nothing and then complain when they are unable to apprehend someone who offends against you and yours.

    1. Manufacturers are getting better at stopping the reflashing of devices, especially if they get money or data from the accompanying app. If you’re after camera/doorbell functionality, best to start with an open device (eg an ESP32-CAM). You could roll your own, or there’s probably already an open-source project for something similar.

  3. Someone in our subdivision posted video of a vehicle that sideswiped a parked car by his home and did not stop. Although the license plate could not be deciphered, the perp did turn himself in — but maybe would have done so without the video; who knows?

  4. “it might be that those consumers finally begin to wake up to IoT security, and use their new-found knowledge to demand better.”

    I’d love to be so rosily optimistic – but given Facebook’s continuing popularity and Google’s growing dominance of the Web, I don’t think consumers will ever wake up to any kind of security beyond locking their doors and enabling their car alarms. People would rather just not know; turning a blind eye is easier and more convenient.

  5. Not to mention…these cameras can see the houses across the street, and depending on the lens used (or replaced or added), inside of the houses across the street. I can see concerns with that.

    1. With the original lens in our Ring 2 all I see across the street at night is pinpoints of light from the neighbours’ porch lights. If I really wanted to spy on them, I doubt whether I would start with a Ring setup.
