Where Amazon's Ring Went Wrong

Cybersecurity for IoT

You know that you've done something truly wrong when your cybersecurity scandal makes this year's mega-breaches (affecting everyone from Facebook to Equifax) seem quaint.

But this is exactly the situation Amazon finds itself in after customers of its home security company, Ring, began to report horrible abuses of its 'smart' security cameras.

One Florida family was forced to listen while a stranger shouted racial slurs at them through their camera, alerting them to the fact that they had been spied on for an indefinite period of time. Another parent reported that a hacker had gained access to the camera installed in their 8-year-old daughter's room and taunted the young girl until she burst into tears. Unfortunately, these cases are by no means unique.

Ring's response? In a recent blog post, Ring made clear that it takes no responsibility for the incidents, stating: "[W]e want to inform you that we have investigated this incident and have no evidence of an unauthorized intrusion or compromise of Ring's systems or network." Instead, Ring defends itself by pointing out that it is the end user who is ultimately responsible for any risks that result from their use, and strongly recommends enabling Two-Factor Authentication and creating unique, strong passwords.

Well, are they right? Yes and no. While it's true that many if not all of the reported breaches would have been avoided if, say, 2FA had been enabled, as a provider of security equipment, Ring has a responsibility to forecast how its product will actually be used and take the steps necessary to ensure that that usage is safe and secure.

Here are three ways that Ring could have easily avoided what instead turned into a disastrous month for its customers, brand, and (dare I say) bottom line.

1. Two-Factor Authentication (2FA)
As mentioned above, Ring doesn't require users to set up 2FA. Simply forcing users to enter a code sent via SMS would cut out the vast majority of the reported breaches. As 2FA becomes increasingly commonplace (even amongst relatively innocuous applications like MailChimp), IoT developers would do well to implement it across the board. We should never allow user experience to override user safety.

2. Suspicious IP Address
Alert users when a login attempt is made from an unusual IP address. Gmail has been doing this for years, and while it's a bit annoying to get these emails every time you go on a business trip, it sure beats the alternative. Another option is to combine 2FA and IP alerts by requiring users to input an SMS code only when logging in from an unusual location.

3. Limit Unsuccessful Login Attempts
We've all been temporarily locked out of our Netflix accounts after unsuccessfully trying to enter our password after a few too many drinks. It seems only reasonable, then, that a security camera should be at least as protective as an entertainment app. As of the time of this writing, Ring allows users to enter incorrect credentials as many times as they want. This matters a great deal to attackers who run automated scripts through a database of, say, millions of compromised credentials as they fish for a hit: without a limit on failed attempts, nothing stops the script from trying every one.
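The three controls above combined into a single login-decision routine, as an added illustration that is not code from Ring or from this post: lockout after repeated failed passwords, an alert when a correct password arrives from an unfamiliar IP address, and an SMS code required only in that unfamiliar-address case. Function names, thresholds and the sample addresses (documentation ranges) are assumptions made for the example.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 5           # lock the account after this many consecutive bad passwords
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts (assumed value)

@dataclass
class AccountState:
    """Per-account state the login service keeps (hypothetical; not Ring's schema)."""
    known_ips: set = field(default_factory=set)  # addresses that have completed an SMS check
    failures: int = 0
    locked_until: float = 0.0
    alerts: list = field(default_factory=list)   # messages that would be emailed to the user

def attempt_login(state: AccountState, password_ok: bool, ip: str, now: float) -> str:
    """Decide one login attempt: 'locked', 'denied', 'otp_required' or 'allowed'."""
    if now < state.locked_until:
        # Refuse before looking at the password, so a locked account cannot be guessed against.
        return "locked"
    if not password_ok:
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.alerts.append(f"account locked after {state.failures} failed logins from {ip}")
        return "denied"
    state.failures = 0
    if ip not in state.known_ips:
        # Correct password from an unfamiliar address: alert the user and require the SMS code.
        state.alerts.append(f"login from new address {ip}; SMS code required")
        return "otp_required"
    return "allowed"

def confirm_otp(state: AccountState, ip: str, code_ok: bool) -> str:
    """Second factor for a step-up login; an address that passes becomes a known one."""
    if not code_ok:
        return "denied"
    state.known_ips.add(ip)
    return "allowed"

def simulate() -> tuple:
    """Constructed scenario: a credential-stuffing burst from one IP, then the owner logging in."""
    state = AccountState(known_ips={"203.0.113.10"})  # owner's home address (constructed)
    # Five wrong guesses from 198.51.100.7 lock the account; a sixth attempt is refused
    # even though it carries the correct password.
    guesses = [False] * 5 + [True]
    attacker = [attempt_login(state, ok, "198.51.100.7", now=float(i)) for i, ok in enumerate(guesses)]
    # After the lock expires the owner logs in from a hotel: right password, unfamiliar IP.
    owner = attempt_login(state, True, "192.0.2.44", now=LOCKOUT_SECONDS + 10)
    owner_final = confirm_otp(state, "192.0.2.44", code_ok=True)
    return attacker, owner, owner_final, state
```

Note that the lock is checked before the password, so a leaked password cannot be used to test whether the lock is still in force.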

In conclusion, it's important to note that implementing even one of these solutions would vastly decrease the cybersecurity risk to Ring customers. Implementing all three would eliminate that risk nearly entirely. Unfortunately, today's IoT producers often prioritize functionality over security, and leave the latter for the user to worry about. Let Ring serve as an example of what can go wrong when security is sprayed on top of a device rather than baked into its design.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.