{"id":17131,"date":"2019-12-09T10:10:02","date_gmt":"2019-12-09T18:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/12\/09\/news-10867\/"},"modified":"2019-12-09T10:10:02","modified_gmt":"2019-12-09T18:10:02","slug":"news-10867","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/12\/09\/news-10867\/","title":{"rendered":"Please don&#8217;t buy this: smart doorbells"},"content":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Mon, 09 Dec 2019 17:15:56 +0000<\/strong><\/p>\n<p>Though Black Friday and Cyber Monday are over, the two shopping holidays were just precursors to the larger Christmas season\u2014a time of year when online packages pile high on doorsteps and front porches around the world. <\/p>\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.ring.com\/2019\/11\/29\/10-safety-tips-to-protect-your-packages-this-holiday-season\/\" target=\"_blank\">According to some companies<\/a>, it&#8217;s only logical to want to protect these packages from theft, and wouldn\u2019t it just so happen that these same companies have the perfect device to do that\u2014smart doorbells.  <\/p>\n<p>Equipped with cameras and constantly connected to the Internet, smart doorbells provide users with 24-hour video feeds of the view from their front doors, capturing everything that happens when a user is away at work or sleeping in bed. <\/p>\n<p>Some devices, like the Eufy Video Doorbell, can allegedly differentiate between a person dropping off a package and, say, a very bold, very unchill goat marching up to the front door (<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/youtu.be\/3M8iCIjnpqk?t=67\" data-rel=\"lightbox-video-0\" target=\"_blank\">it really happened<\/a>). 
Others, like Google\u2019s Nest Hello, claim to be able to \u201crecognize packages and familiar faces.\u201d Many more, including Arlo\u2019s Video Doorbell and Netatmo\u2019s Smart Video Doorbell, can deliver notifications to users whenever motion or sound is detected nearby. <\/p>\n<p>The selling point for smart doorbells is simple: total vigilance in the palms of your hands. But if you look closer, it turns out a privatized neighborhood surveillance network is a bad idea. <\/p>\n<p>To start, some of the more popular smart doorbell products have suffered severe cybersecurity vulnerabilities, while others lacked basic functionality upon launch. Worse, the data privacy practices at one major smart doorbell maker resulted in wanton employee access to users\u2019 neighborhood videos. Finally, partnerships between hundreds of police departments and one smart doorbell maker have created a world in which police can make broad, multi-home requests for user videos without needing to show evidence of a crime. <\/p>\n<p>The path to allegedly improved physical security shouldn\u2019t involve faulty cybersecurity or invasions of privacy. <\/p>\n<p>Here are some of the concerns that cybersecurity researchers, lawmakers, and online privacy advocates have found with smart doorbells. <\/p>\n<h3><strong>Congress fires off several questions on privacy<\/strong><\/h3>\n<p>On November 20, relying on public reports from earlier in the year, five US Senators sent a letter to Amazon CEO Jeff Bezos, <a href=\"https:\/\/theintercept.com\/2019\/11\/20\/amazon-ring-security-senate\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">demanding answers about a smart doorbell company<\/a> that Bezos\u2019 own online retail giant swallowed up for $839 million\u2014Ring. 
<\/p>\n<p>According to an <a href=\"https:\/\/theintercept.com\/2019\/01\/10\/amazon-ring-security-camera\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">investigation by The Intercept<\/a> cited by the senators, beginning in 2016, Ring \u201cprovided its Ukraine-based&nbsp;research and development&nbsp;team virtually unfettered access to a folder on Amazon\u2019s S3 cloud storage service that contained every video created by every Ring camera around the world.\u201d<\/p>\n<p>The Intercept\u2019s source also said that \u201cat the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership\u2019s \u2018sense that encryption would make the company less valuable,\u2019 owing to the expense of implementing encryption and lost revenue opportunities due to restricted access.\u201d<\/p>\n<p>Not only that, but, according to the Intercept, Ring also \u201cunnecessarily\u201d provided company executives and engineers with access to \u201cround-the-clock live feeds\u201d of some customers\u2019 cameras. For Ring employees who had this type of access, all they needed to actually view videos, The Intercept reported, was a customer\u2019s email address. <\/p>\n<p>The senators, in their letter, were incensed. <\/p>\n<p>\u201cAmericans who make the choice to install Ring products in and outside their homes do so under the assumption that they are\u2014as your website proclaims\u2014\u2018making the neighborhood safer,\u2019\u201d <a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/112019%20Wyden%20Markey%20Can%20Hollen%20Coons%20Peters%20Ring%20Letter%20to%20Amazon.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">the senators wrote<\/a>. 
\u201cAs such, the American people have a right to know who else is looking at the data they provide to Ring, and if that data is secure from hackers.\u201d <\/p>\n<p>The lawmakers\u2019 questions came hot on the heels of <a href=\"https:\/\/www.washingtonpost.com\/technology\/2019\/09\/05\/sen-markey-seeks-answers-ring-doorbell-camera-police-network\/\">Senator Ed Markey\u2019s own efforts in September into untangling Ring\u2019s data privacy practices for children<\/a>. How, for instance, does the company ensure that children\u2019s likenesses won\u2019t be recorded and stored indefinitely by Ring devices, the senator asked. <\/p>\n<p>According to The Washington Post, when Amazon responded to Sen. Markey\u2019s questions, the answers potentially came up short: <\/p>\n<p>\u201cWhen asked by Markey how the company ensured that its cameras would not record children, [Amazon Vice President of Public Policy Brian Huseman] wrote that no such oversight system existed: Its customers \u2018own and control their video recordings,\u2019 and \u2018similar to any security camera, Ring has no way to know or verify that a child has come within range of a device.\u2019\u201d<\/p>\n<p>But Sen. Markey\u2019s original request did not just focus on data privacy protections for children. The Senator also wanted clear answers on an internal effort that Amazon had provided scant information on until this year\u2014its partnerships with hundreds of police departments across the country. 
<\/p>\n<h3><strong>Police partnerships<\/strong><\/h3>\n<p>In August, The Washington Post reported that <a href=\"https:\/\/www.washingtonpost.com\/technology\/2019\/08\/28\/doorbell-camera-firm-ring-has-partnered-with-police-forces-extending-surveillance-reach\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Ring had forged video-sharing relationships with more than 400 police forces in the US (opens in a new tab)\">Ring had forged video-sharing relationships with more than 400 police forces in the US<\/a>. Today, that number has grown to at least 677\u2014an increase of roughly 50 percent in just four months. <\/p>\n<p>The video-sharing partnerships are simple. <\/p>\n<p>By partnering with Ring, local police forces gain the privilege of requesting up to 12 hours of video spanning a 45-day period from all Ring devices that are included within half a square mile of a suspected crime scene. Police officers request video directly from Ring owners, and do not need to show evidence of a crime or obtain a warrant before asking for this data. <\/p>\n<p>Once the video is in their hands, police can, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.washingtonpost.com\/technology\/2019\/11\/19\/police-can-keep-ring-camera-video-forever-share-with-whomever-theyd-like-company-tells-senator\/\" target=\"_blank\">according to Ring, keep it for however long they wish and share it with whomever they choose<\/a>. The requested videos can sometimes include video that takes place inside a customer\u2019s home, not just outside their front door. <\/p>\n<p>At first blush, this might appear like a one-sided relationship, with police officers gaining access to countless hours of local surveillance for little in return. But Ring has another incentive, far away from its much-trumpeted mission \u201cto reduce crime in neighborhoods.\u201d Ring\u2019s motivations are financial. 
<\/p>\n<p>According to Gizmodo, for police departments that partner up with Ring to gain access to customer video, Ring gains <a href=\"https:\/\/gizmodo.com\/everything-cops-say-about-amazons-ring-is-scripted-or-a-1836812538\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">near-unprecedented control in how those police officers talk about the company\u2019s products<\/a>. The company, Gizmodo reported, \u201cpre-writes almost all of the messages shared by police across social media, and attempts to legally obligate police to give the company final say on all statements about its products, even those shared with the press.\u201d<\/p>\n<p>Less than one week after Gizmodo\u2019s report, Motherboard obtained documents that included standardized responses for police officers to use on social media when answering questions about Ring. <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.vice.com\/en_us\/article\/wjwea4\/revealed-the-secret-scripts-amazon-give-to-cops-to-promote-ring-surveillance-cameras\" target=\"_blank\">The responses, written by Ring, at times directly promote the company&#8217;s products<\/a>. <\/p>\n<p>Further, in the California city of El Monte, police officers offered <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"\u201cLaw%20enforcement%20is%20supposed%20to%20answer%20to%20elected%20officials%20and%20the%20public,%20not%20to%20public%20relations%20operatives%20from%20a%20profit-obsessed%20multinational%20corporation%20that%20has%20no%20ties%20to%20the%20community%20they%20claim%20they're%20protecting.%22\" target=\"_blank\">Ring smart doorbells as an incentive<\/a> for individuals to share information about any crimes they may have witnessed. <\/p>\n<p>The partnerships have inflamed multiple privacy rights advocates. 
<\/p>\n<p>\u201cLaw enforcement is supposed to answer to elected officials and the public, not to public relations operatives from a profit-obsessed multinational corporation that has no ties to the community they claim they&#8217;re protecting,&#8221; said Evan Greer, deputy director of Fight for the Future, when talking to Vice. <\/p>\n<p>Matthew Guariglia, policy analyst with Electronic Frontier Foundation, <a href=\"https:\/\/www.eff.org\/deeplinks\/2019\/08\/five-concerns-about-amazon-rings-deals-police\">echoed Greer\u2019s points<\/a>:<\/p>\n<p>\u201cThis arrangement makes salespeople out of what should be impartial and trusted protectors of our civic society.\u201d<\/p>\n<h3>Cybersecurity concerns<\/h3>\n<p>When smart doorbells aren\u2019t potentially invading privacy, they might also be lacking the necessary cybersecurity defenses to work as promised. <\/p>\n<p>Last month, a group of cybersecurity researchers from Bitdefender announced that they\u2019d discovered a vulnerability in Ring devices that could have <a href=\"https:\/\/www.cnet.com\/news\/ring-doorbells-had-vulnerability-leaking-wi-fi-login-info-researchers-found\/\">let threat actors swipe a Ring user\u2019s WiFi username and password<\/a>. <\/p>\n<p>The vulnerability, which Ring fixed when it was notified privately about it in the summer, relied on the setup process between a Ring doorbell and a Ring owner\u2019s Wi-Fi network. To properly set up the device, the Ring doorbell needs to send a user\u2019s Wi-Fi network login information to the doorbell. But in that communication, Bitdefender researchers said Ring had been sending the information over an unencrypted network. <\/p>\n<p>Unfortunately, this vulnerability was not the first of its kind. 
In 2016, a company that tests for security vulnerabilities <a href=\"https:\/\/www.cnet.com\/news\/rings-smart-doorbell-can-leave-your-house-vulnerable-to-hacks\/\">found a flaw in Ring devices<\/a> that could have allowed threat actors to steal WiFi passwords. <\/p>\n<p>Further, this year, another smart doorbell maker suffered so many basic functionality issues that it <a href=\"https:\/\/www.theverge.com\/2019\/4\/26\/18518177\/august-view-doorbell-issue-shipment-stop-testing-refund\">stopped selling its own device just 17 days after its public launch<\/a>. The smart doorbell, the August View, went <a href=\"https:\/\/www.theverge.com\/2019\/11\/5\/20950333\/august-view-video-doorbell-on-sale-again-connectivity-issues-fixed\">back on sale six months<\/a> later.<\/p>\n<h3>Please don&#8217;t buy<\/h3>\n<p>We understand the appeal of these devices. For many users, a smart doorbell is the key piece of technology that, they believe, can help prevent theft in their community, or equip their children with a safe way to check on suspicious home visitors. These devices are, for many, a way to calmer peace of mind. <\/p>\n<p>But the cybersecurity flaws, invasions of privacy, and attempts to make public servants into sales representatives go too far. The very devices purchased for security and safety belie their purpose. <\/p>\n<p>Therefore, this holiday season, we kindly suggest that you please stay away from smart doorbells. Deadbolts will never leak your private info. 
<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/please-dont-buy-this\/2019\/12\/please-dont-buy-this-smart-doorbells\/\">Please don&#8217;t buy this: smart doorbells<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/please-dont-buy-this\/2019\/12\/please-dont-buy-this-smart-doorbells\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Mon, 09 Dec 2019 17:15:56 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/please-dont-buy-this\/2019\/12\/please-dont-buy-this-smart-doorbells\/' title='Please don't buy this: smart doorbells'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/smart-doorbell-with-hand-approaching.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>This holiday season, please reconsider buying smart doorbells to protect your online shipments. 
The cybersecurity and privacy risks are too severe.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/please-dont-buy-this\/\" rel=\"category tag\">Please don&#8217;t buy this<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/amazon\/\" rel=\"tag\">amazon<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/august-view\/\" rel=\"tag\">August View<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/bitdefender\/\" rel=\"tag\">Bitdefender<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/black-friday\/\" rel=\"tag\">black friday<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/christmas\/\" rel=\"tag\">Christmas<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/cyber-monday\/\" rel=\"tag\">cyber monday<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/el-monte\/\" rel=\"tag\">El Monte<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/gizmodo\/\" rel=\"tag\">Gizmodo<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/google-nest-hello\/\" rel=\"tag\">Google Nest Hello<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/jeff-bezos\/\" rel=\"tag\">Jeff Bezos<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/motherboard\/\" rel=\"tag\">Motherboard<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ring\/\" rel=\"tag\">Ring<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/senator-ed-markey\/\" rel=\"tag\">Senator Ed Markey<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/senator-ron-wyden\/\" rel=\"tag\">Senator Ron Wyden<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/smart-doorbells\/\" rel=\"tag\">smart doorbells<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/the-intercept\/\" rel=\"tag\">The Intercept<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/vice\/\" rel=\"tag\">Vice<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a 
href='https:\/\/blog.malwarebytes.com\/please-dont-buy-this\/2019\/12\/please-dont-buy-this-smart-doorbells\/' title='Please don't buy this: smart doorbells'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/please-dont-buy-this\/2019\/12\/please-dont-buy-this-smart-doorbells\/\">Please don&#8217;t buy this: smart doorbells<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[5588,23665,23666,11014,397,11015,23667,22368,23668,9671,1726,16778,23437,23669,21975,23670,23671,2127],"class_list":["post-17131","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-amazon","tag-august-view","tag-bitdefender","tag-black-friday","tag-christmas","tag-cyber-monday","tag-el-monte","tag-gizmodo","tag-google-nest-hello","tag-jeff-bezos","tag-motherboard","tag-please-dont-buy-this","tag-ring","tag-senator-ed-markey","tag-senator-ron-wyden","tag-smart-doorbells","tag-the-intercept","tag-vice"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17131"}],"version-history":[{"count":0,"href":"https:\/\/www.palada
.net\/index.php\/wp-json\/wp\/v2\/posts\/17131\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}