In a long letter to five U.S. senators (opens in new tab), Amazon detailed Ring's security policies while admitting that four "team members" had been terminated over the previous four years for improperly viewing customers' video feeds.
"Recent media reports have inaccurately portrayed Ring's security practices, and we hope our letter today will correct some of those inaccuracies," the letter states.
The letter was signed by Amazon Vice President of Public Policy Brian Huseman, dated Jan. 6, and send to Sens. Christopher A. Coons of Delaware, Edward J. Markey of Massachusetts, Gary C. Peters of Michigan, Chris Van Hollen of Maryland and Ron Wyden of Oregon. The senators, all Democrats, sent Amazon a list of questions about Ring cameras last month.
Amazon says Ring's security is good...
The Amazon letter goes on to state that "Ring routinely conducts assessments, penetration testing, and source code reviews" and that "Ring is not aware of any breach of a customer's personally identifiable information that would require reporting to government agencies."
That sounds legitimate. From what we've seen of Ring's security and privacy practices, they're nowhere near as bad as you might think, given all the recent TV-news hype about Ring camera "hacks."
All those Ring camera break-ins so far appear to be the result of Ring customers reusing passwords from other accounts, or using very weak passwords. There doesn't seem to be anything wrong with Ring's software, website or internal network that's being exploited in actual hacks. Attackers appear to be simply logging into Ring's web interface with legitimate user credentials, as a regular user would.
"We also continue to see stolen credentials and passwords (from other applications and sites) that have led to some bad actors gaining access to Ring devices," the Amazon letter says. "Our security team investigated these incidents and found no evidence of an unauthorized intrusion or compromise of Ring's systems or network."
...but it's making it better anyway
To that end, Ring earlier this week announced a new Control Center for Ring mobile apps that will give users instant overviews of how many computer and smartphones have accessed their Ring products, as well as provide another mechanism to set up two-factor authentication (2FA) to protect Ring accounts whose passwords have been compromised.
Ring founder Jamie Siminoff told The Verge (opens in new tab) in an interview this week that in the near future, new Ring accounts will have 2FA turned on by default, although customers will be able to opt out of 2FA during the setup process. At the moment, Ring offers 2FA as an opt-in option, and the company didn't do much to publicize 2FA availability to customers until reports of Ring "hacks" started showing up on the evening news.
The Amazon letter said that Ring had taken some new steps on its own end to protect customer accounts. It now "proactively monitors whether any of our customers' credentials might have been compromised in third-party data breaches" and "takes proactive steps to notify customers" when it finds something. (You can check your own credentials at haveibeenpwned.com (opens in new tab).) It added that "Ring notifies account owners when any new device accesses their account."
These are all things that Google has been doing for its own account holders for years, so it's good to see that Amazon is catching up.
Yup, Amazon did have some creeps on staff
As for the four employees caught viewing users' camera feeds, Amazon said that "each of the individuals involved in these incidents was authorized to view video data," but that "the attempted access to that data exceeded what was necessary for their job functions."
"In each instance," Amazon said, "once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual."
It's not clear how many of these four incidents took place before Amazon bought Ring in February 2018. The Amazon letter only states that the incidents were "over the past four years."
That kind of activity is, sadly, not unusual among companies that make devices that listen to or watch what happens inside private homes. In the past year, Apple, Google, Microsoft and, yup, Amazon (via its Alexa voice-assistant service) admitted that human employees had listened or viewed customer private recordings, often in the process of training voice-recognition technology.