The past few weeks have not been good for Ring. There were numerous reports of people’s cameras being taken over by strangers, one person even claiming to be Santa Claus and taunting an 8-year-old, and another person yelling racist insults at a family. The latest news seemed even more dire: The accounts of more than 3,000 Ring users were compromised.
All of these stories, plus additional ones from Gizmodo, Buzzfeed, Vice, as well as Wirecutter’s rescinding its recommendation of Ring devices, have lent the impression that Ring’s security has more holes than the Titanic. But guess what? Nearly all of these breaches were caused by poor password security, and not on the part of Ring.
Is Ring completely absolved of blame? Not in the least. It should have done a better job at demanding users turn on two-factor authentication, and its lack of transparency with regards to its cooperation with police departments brings up all sorts of privacy concerns.
“I do believe that Ring products have poor security,” said Matthew Guariglia, a policy analyst focusing on surveillance and privacy at the Electronic Frontier Foundation.
“People bringing IoT devices into their house do necessarily take the risk that those devices could be compromised, and if they do, they can reveal incredibly personal information to bad actors,” Guariglia continued. “However, Ring seems to be particularly guilty here and their blaming of users without any responsibility is in bad faith.
At the very least, Ring should have been more proactive in responding to all these reports, rather than a few tepid comments. But to suggest that Ring’s devices are inherently unsafe is misleading, and borderline reckless.
Let’s take for example, this story from Vice, titled “We Tested Ring’s Security. It’s Awful,” and leads with the author being spied on by colleagues who supposedly hacked into his camera, and were watching his every move.
After this ominous beginning is one major caveat: “My colleagues were only able to access my Ring camera because they had the relevant email address and password.” If that’s the benchmark by which all security is governed, then we’re all doomed.
The one serious issue, from earlier this year, when BitDefender found that someone physically near a Ring camera could intercept a homeowner’s Wi-Fi username and password, but this was patched in September.
Interestingly, Blink, another security camera company owned by Amazon (and which is also connected to the Neighbors app), lacks two-factor authentication entirely. This is something that should be rectified immediately.
Ring’s Neighbors and Privacy
The biggest part of Ring that most publications have taken issue with is Ring’s Neighbors feature, which allows Ring camera owners to share video to the Ring app, and for other Ring app users to view that footage. (You don’t need a Ring camera to view such posts.) Within the app, you can set a geographical boundary and have the app alert you to various incidents: Crime, Safety, Suspicious, Unknown Visitor, and Lost Pet.
If you post a video or report an incident, a small blue circle about a tenth of a mile in diameter will appear on a map in the Neighbors app. Your actual location will be somewhere inside that circle. So, in theory, someone viewing the footage would be able to pinpoint your address by looking for common landmarks.
Gizmodo did just this, in fact. But, this isn’t a breach of Ring’s security. No one hacked into Ring’s system. Rather, they used publicly available information.
In the same story, Gizmodo also found that “examining the network traffic of the Neighbors app produced unexpected data, including hidden geographic coordinates that are connected to each post—latitude and longitude with up to six decimal points of precision.” Gizmodo did not reveal how it was able to extract that information, out of respect for users’ privacy. This is more concerning, but again, is only an issue when a user decides to share a video to the Neighbors app. [Which is probably a lot of people]
One issue with the Neighbors app, like the NextDoor app, is its potential to be used to disproportionately target minorities. Ring’s Neighborhood Guidelines prohibit personal attacks, hate speech, racial profiling, and vigilantism, and offers a means by which users can flag questionable posts. Ring’s moderators then review the posts in question, and remove them if found to violate those guidelines. If you do see a post that is racist, be sure to report it.
The larger issue surrounding the Neighbors app is Ring’s partnership with law enforcement. Police departments who have partnered with Ring are able to see public posts from within their jurisdiction, and can request posts from other Ring camera owners.
For example, if your neighbor’s house is robbed, a police department can request to see Ring videos (if there are any) from other houses nearby. According to Ring, “exact locations of devices and user information are never provided to law enforcement without a user’s express permission or a valid and binding legal demand properly served on us.” However, if you agree to such a request, a police department will get your name and address.
So, even if a police department has partnered with Ring, it’s still up to each owner if he or she wants to share video with law enforcement.
The big caveat, though, is that once you decide to share video with your local police department, they can then hold onto the video indefinitely, and share it with other law enforcement agencies without your permission. That’s because the video is considered evidence in connection with a criminal case.
Our recommendations for Ring — and for Ring users
So, what can Ring do, and what can you do? Here are our recommendations for both the company and for those who own Ring home security cameras or video doorbells.
What Ring should do
- Immediately require two-factor authentication for all accounts, and implement other security measures such as what Google requires when a user logs in from an unknown device or IP address.
- Disclose what police departments and authorities have access to Ring’s Neighbors feed.
- Be more proactive in responding to all of these various reports, and better explain what the issues are.
“These most recent breaches could have been averted by some very simple security precautions that many of Ring’s competitors, and many other tech companies have had enabled for years,” said Guariglia.
What Ring users should do
- Turn on two-factor authentication in the Ring app, and change your password if yours is weak. Here’s our story on the worst passwords of 2019.
- Don’t share video or incident reports with the Neighbors app if you don’t want others to potentially know where you live.
- If you receive a request to share video with a law enforcement agency, don’t agree to the request if you don’t want them to know your exact location, or if you want that video potentially shared with other agencies.
For the reasons mentioned above, we’re not rescinding our recommendation of Ring’s products. However, if you do have a Ring camera, you should enable two-factor authentication as soon as possible. If you’re still uncomfortable with Ring’s security, there are plenty of other home security cameras and video doorbells which offer stronger security measures.
We think the Nest Hello, for example, is the best video doorbell—not only does it have more stringent protocols, but it has other features, like package detection, that make it a better buy. When it comes to the best home security cameras, Arlo’s are tops, and also offer two-factor authentication. Ring’s cameras aren’t inherently unsafe. You just need to know how to use them.