Please don’t buy this: smart doorbells

Credit to Author: David Ruiz| Date: Mon, 09 Dec 2019 17:15:56 +0000

Though Black Friday and Cyber Monday are over, the two shopping holidays were just precursors to the larger Christmas season—a time of year when online packages pile high on doorsteps and front porches around the world.

According to some companies, it’s only logical to want to protect these packages from theft, and wouldn’t it just so happen that these same companies have the perfect device to do that—smart doorbells.

Equipped with cameras and constantly connected to the Internet, smart doorbells provide users with 24-hour video feeds of the view from their front doors, capturing everything that happens when a user is away at work or sleeping in bed.

Some devices, like the Eufy Video Doorbell, can allegedly differentiate between a person dropping off a package and, say, a very bold, very unchill goat marching up to the front door (it really happened). Others, like Google’s Nest Hello, proclaim to be able to “recognize packages and familiar faces.” Many more, including Arlo’s Video Doorbell and Netatmo’s Smart Video Doorbell, can deliver notifications to users whenever motion or sound are detected nearby.

The selling point for smart doorbells is simple: total vigilance in the palms of your hands. But if you look closer, it turns out a privatized neighborhood surveillance network is a bad idea.

To start, some of the more popular smart doorbell products have suffered severe cybersecurity vulnerabilities, while others lacked basic functionality upon launch. Worse, the data privacy practices at one major smart doorbell maker resulted in wanton employee access to users’ neighborhood videos. Finally, partnerships between hundreds of police departments and one smart doorbell maker have created a world in which police can make broad, multi-home requests for user videos without needing to show evidence of a crime.

The path to allegedly improved physical security shouldn’t involve faulty cybersecurity or invasions of privacy.

Here are some of the concerns that cybersecurity researchers, lawmakers, and online privacy advocates have found with smart doorbells.

Congress fires off several questions on privacy

On November 20, relying on public reports from earlier in the year, five US Senators sent a letter to Amazon CEO Jeff Bezos, demanding answers about a smart doorbell company that Bezos’ own online retail giant swallowed up for $839 million—Ring.

According to an investigation by The Intercept cited by the senators, beginning in 2016, Ring “provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.”

The Intercept’s source also said that “at the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s ‘sense that encryption would make the company less valuable,’ owing to the expense of implementing encryption and lost revenue opportunities due to restricted access.”

Not only that, but, according to the Intercept, Ring also “unnecessarily” provided company executives and engineers with access to “round-the-clock live feeds” of some customers’ cameras. For Ring employees who had this type of access, all they needed to actually view videos, The Intercept reported, was a customer’s email address.

The senators, in their letter, were incensed.

“Americans who make the choice to install Ring products in and outside their homes do so under the assumption that they are—as your website proclaims—‘making the neighborhood safer,’” the senators wrote. “As such, the American people have a right to know who else is looking at the data they provide to Ring, and if that data is secure from hackers.”

The lawmakers’ questions came hot on the heels of Senator Ed Markey’s own efforts in September into untangling Ring’s data privacy practices for children. How, for instance, does the company ensure that children’s likenesses won’t be recorded and stored indefinitely by Ring devices, the senator asked.

According to The Washington Post, when Amazon responded to Sen. Markey’s questions, the answers potentially came up short:

“When asked by Markey how the company ensured that its cameras would not record children, [Amazon Vice President of Public Policy Brian Huseman] wrote that no such oversight system existed: Its customers ‘own and control their video recordings,’ and ‘similar to any security camera, Ring has no way to know or verify that a child has come within range of a device.’”

But Sen. Markey’s original request did not just focus on data privacy protections for children. The Senator also wanted clear answers on an internal effort that Amazon had provided scant information on until this year—its partnerships with hundreds of police departments across the country.

Police partnerships

In August, The Washington Post reported that Ring had forged video-sharing relationships with more than 400 police forces in the US. Today, that number has grown to at least 677—an increase of roughly 50 percent in just four months.

The video-sharing partnerships are simple.

By partnering with Ring, local police forces gain the privilege of requesting up to 12 hours of video spanning a 45-day period from all Ring devices that are included within half a square mile of a suspected crime scene. Police officers request video directly from Ring owners, and do not need to show evidence of a crime or obtain a warrant before asking for this data.

Once the video is in their hands, police can, according to Ring, keep it for however long they wish and share it with whomever they choose. The requested videos can sometimes include video that takes place inside a customer’s home, not just outside their front door.

At first blush, this might appear like a one-sided relationship, with police officers gaining access to countless hours of local surveillance for little in return. But Ring has another incentive, far away from its much-trumpeted mission “to reduce crime in neighborhoods.” Ring’s motivations are financial.

According to Gizmodo, for police departments that partner up with Ring to gain access to customer video, Ring gains near-unprecedented control in how those police officers talk about the company’s products. The company, Gizmodo reported, “pre-writes almost all of the messages shared by police across social media, and attempts to legally obligate police to give the company final say on all statements about its products, even those shared with the press.”

Less than one week after Gizmodo’s report, Motherboard obtained documents that included standardized responses for police officers to use on social media when answering questions about Ring. The responses, written by Ring, at times directly promote the company’s products.

Further, in the California city of El Monte, police officers offered Ring smart doorbells as an incentive for individuals to share information about any crimes they may have witnessed.

The partnerships have inflamed multiple privacy rights advocates.

“Law enforcement is supposed to answer to elected officials and the public, not to public relations operatives from a profit-obsessed multinational corporation that has no ties to the community they claim they’re protecting,” said Evan Greer, deputy director of Fight for the Future, when talking to Vice.

Matthew Guariglia, policy analyst with Electronic Frontier Foundation, echoed Greer’s points:

“This arrangement makes salespeople out of what should be impartial and trusted protectors of our civic society.”

Cybersecurity concerns

When smart doorbells aren’t potentially invading privacy, they might also be lacking the necessary cybersecurity defenses to work as promised.

Last month, a group of cybersecurity researchers from Bitdefender announced that they’d discovered a vulnerability in Ring devices that could have let threat actors swipe a Ring user’s WiFi username and password.

The vulnerability, which Ring fixed when it was notified privately about it in the summer, relied on the setup process between a Ring doorbell and a Ring owner’s Wi-Fi network. To properly set up the device, the Ring doorbell needs to send a user’s Wi-Fi network login information to the doorbell. But in that communication, Bitdefender researchers said Ring had been sending the information over an unencrypted network.

Unfortunately, this vulnerability was not the first of its kind. In 2016, a company that tests for security vulnerabilities found a flaw in Ring devices that could have allowed threat actors to steal WiFi passwords.

Further, this year, another smart doorbell maker suffered so many basic functionality issues that it stopped selling its own device just 17 days after its public launch. The smart doorbell, the August View, went back on sale six months later.

Please don’t buy

We understand the appeal of these devices. For many users, a smart doorbell is the key piece of technology that, they believe, can help prevent theft in their community, or equip their children with a safe way to check on suspicious home visitors. These devices are, for many, a way to calmer peace of mind.

But the cybersecurity flaws, invasions of privacy, and attempts to make public servants into sales representatives go too far. The very devices purchased for security and safety belie their purpose.

Therefor, this holiday season, we kindly suggest that you please stay away from smart doorbells. Deadbolts will never leak your private info.

The post Please don’t buy this: smart doorbells appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/