Ring, the camera-equipped smart doorbell company, has given consumers a lot of very good reasons not to buy its products over the last two weeks. Though Ring has generally earned scrutiny for quietly converting neighborhoods into DIY surveillance states, it’s the devices’ security flaws that have bedeviled the Amazon subsidiary in recent days.
The ugliest of these mishaps hit the company this week when BuzzFeed reported that the log-in emails, passwords, time zones, and other device info belonging to 3,672 Ring owners had been leaked online to a text storage site. Nefarious actors would have been able to use this info to view live camera feeds and stored footage from up to the last 60 days. They could also have logged into customers’ accounts and accessed phone numbers, payment info, and home addresses. According to BuzzFeed, it’s unclear how exactly this sensitive data ended up online, but the inclusion of Ring-specific info like time zones and camera names suggests that they may have come from a company database.
Ring claims that there was no “data breach” or “unauthorized intrusion” into its systems. A spokesperson for the company further suggested, “It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists like this so that other bad actors can attempt to gain access to other services.” In such a scenario, a hacker would have taken emails and passwords from another company’s breach and tried to see whether people were using the same login information for their Ring accounts. Yet Ring has offered little proof that this is the case, and has not identified which data breach the info would have come from. The company says it has reached out to the affected users and advised them to change their passwords and enable two-factor authentication, though four people told BuzzFeed that they had not received notifications.
Mere hours after BuzzFeed published its piece on Thursday morning, TechCrunch reported that a second cache of 1,562 emails and passwords for Ring doorbell accounts had been uploaded to the dark web. This info could also have given infiltrators access to camera footage, payment data, and home addresses. It’s not clear how this data was exposed, or whether there is any overlap between the two password caches, but Ring again claimed to TechCrunch that there was no breach.
Though it is yet unclear what exactly happened to let all this data into the wild, even uncertainty is a problem when it comes to cybersecurity. And so on Thursday, the New York Times’ influential product-review site Wirecutter announced that it is “suspending our recommendation of Ring products & updating affected guides as soon as possible.” The site had originally named the Ring Alarm as its pick for the “best no-contract security system” and the Ring Video Doorbell 2 as the runner-up for the “best smart doorbell camera” of 2019. (My Slate colleague Shannon Palus, who used to work for Wirecutter, explained that it is “extremely” rare for the outlet to suspend recommendations like this, and that reviews are usually flagged only when the release of a newer model is imminent.)
While the most damaging Ring news piled up on Thursday, there were a number of troubling stories last week as well. Last Tuesday, a number of media outlets reported that a man had infiltrated a Ring camera that was placed in an 8-year-old’s bedroom in Mississippi and used the device’s calling function to yell racial slurs at her. Around the same time, a couple in Texas told a local news station that a hacker had threatened them via their Ring doorbell and demanded that they pay a ransom in Bitcoin. A few days later, a family in Washington revealed that yet another hacker accessed the Ring camera in their living room to talk to their two dogs.
Given this rash of security failures, it seems that there are a number of obvious measures Ring could take to make the smart doorbells safer. (The company has thus far only advised customers to change their passwords and has not committed to making its devices more secure.) Motherboard recently published an investigation revealing several security flaws in Ring’s products; for example, the company does not notify users when unknown IP addresses located in other countries are trying to access their cameras, and there are no limits on the number of login attempts. Other online services have also taken to checking users’ passwords against those exposed in breaches, though Ring does not appear to do this either.
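To show what those three missing safeguards look like together, here is an added Python example (not part of the original article, and not Ring's code) that limits failed logins, records an alert when an account is accessed from a new country, and flags passwords found in a breach list. The class and function names, the thresholds, and the sample passwords and addresses are all constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5          # assumed policy, not a value from the article
WINDOW_SECONDS = 15 * 60  # assumed sliding window

# Constructed sample; a real service would load hashes from a breach corpus.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password1", "letmein")}

def is_breached(password):
    """True if the password's SHA-1 is in the breached-password set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

class LoginGuard:
    def __init__(self, credentials):
        self.credentials = credentials           # account -> password (demo only; store salted hashes)
        self.failures = defaultdict(deque)       # ("acct"|"ip", value) -> failure timestamps
        self.known_countries = defaultdict(set)  # account -> countries of past successful logins
        self.notifications = []                  # alerts that would be sent to the owner

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:  # drop failures older than the window
            q.popleft()
        return len(q)

    def attempt(self, account, password, ip, country, now=None):
        now = time.time() if now is None else now
        keys = (("acct", account), ("ip", ip))
        # Limit by account (guessing one victim) and by source IP (one
        # leaked list tried across many accounts).
        if any(self._recent(k, now) >= MAX_FAILURES for k in keys):
            return "locked"
        stored = self.credentials.get(account)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            for k in keys:
                self.failures[k].append(now)
            return "denied"
        seen = self.known_countries[account]
        if seen and country not in seen:         # first login from this country: tell the owner
            self.notifications.append(f"{account}: login from new location {country} ({ip})")
        seen.add(country)
        self.failures[("acct", account)].clear()
        return "change_password" if is_breached(password) else "ok"
```

A correct password that appears in the breach set still logs in but returns `change_password`, which is the point at which a service would force a reset.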
Will Ring and Amazon fix these issues? Lots of embarrassing press coverage is one motivator, but losing that Wirecutter endorsement—and the sales it generates—may be an even bigger one.