Ring’s newly announced robot drone – a connected device that flies around homes taking security footage – is causing privacy experts’ concerns to take off.
Amazon on Thursday unveiled the Always Home Cam as part of its Ring division, which will cost $249.99 and starts shipping next year. The autonomous indoor security camera can fly around in the home on paths that are pre-approved by users, allowing them to check to see if they left a window open or forgot to turn the stove off – or to check to make sure robbers aren’t breaking in.
However, the new device has also sparked a firestorm of privacy concerns on Twitter about how Ring – whose connected doorbells have already created plenty of privacy controversies – will collect, use and share the collected data.
“For privacy advocates, the concept of an untethered IoT [Internet of Things] device surveilling the house is disturbing,” Rick Holland, CISO and vice president of strategy at Digital Shadows, told Theatpost. “Coupled with Ring’s controversial privacy practices, the adoption of the drone could be low. However, those that have already embraced the concept of in-house security cameras are likely to be excited. The prospect of having a single drone monitor your house instead of multiple individual cameras could be alluring.”
Privacy Concerns
Ring for its part said that it has built privacy features into the physical design of the Always Home Cam. When the drone is docked in its charging base, the camera is physically blocked. The device has also been designed to hum at a certain volume, so it’s clear that the camera is in motion and recording, said Ring.
But Emma Bickerstaffe, senior research analyst at the Information Security Forum, told Threatpost that Ring needs to better address how it’s securing and using the sensitive personal data that’s being collected. If sold to advertisers, for instance, this type of data could allow companies to track individuals’ daily life, habits and preferences, and use this information for commercial gain, she said.
“Smart home devices, such as Ring, collect an inordinate amount of sensitive personal data in real time – this is typically transmitted to a cloud service for processing,” she said. “A critical question is, who has access to the data collected by the device, and whether it is processed and stored in a lawful manner that protects personal data from unauthorized use.”
For users who do opt for the security drone, the proper configuration will be critical to minimize security and privacy risks as much as possible, Holland urged.
“Consumers must enable multi-factor authentication (MFA) and automatic software updates to ensure that any vulnerabilities are quickly resolved,” he said.
Ring Privacy Efforts
During its Thursday product launch, Ring highlighted several privacy and security steps it is taking. For one, it said it aims to make end-to-end encryption easier for connected-home device users to control, saying that later this year, users will be able turn on end-to-end encryption for video from their Control Center.
“Privacy, security and user control are foundational to us at Ring,” said the company in a press statement. “Launching today in the Control Center, Video Encryption Controls let you learn more about how we currently encrypt and protect your videos.”
The changes come after media reports shed light on serious security holes in the Ring connected doorbells. For instance, Ring owners aren’t notified of suspicious login alerts when devices are accessed on various IP addresses — and there are seemingly no limitations for incorrect login attempts. Ring has addressed these issues by mandating two-factor authentication (2FA) security measures.
Ring is also allowing doorbell users to completely disable its “Neighbors” service, a controversial feature that allows Ring owners to share video footage captured from their cameras with law enforcement. The app has raised worries about racial bias, surveillance and privacy.
Smart-Home Privacy Problems
IoT devices – many of which have security measures described as a “ticking time bomb” by researchers – are dramatically increasing in homes, which could potentially open the literal door to private and sensitive user data.
Researchers have previously discovered several deep-rooted issues that exist around connected devices: Earlier in 2020, researchers found that at the most basic level, 98 percent of all IoT device traffic is unencrypted, exposing personal and confidential data on the network.
Several smart home devices have been found to have specific security holes. In August, researchers disclosed vulnerabilities in Amazon’s Alexa virtual assistant platform that could have allowed attackers to access users’ personal information, like home addresses – simply by persuading them to click on a malicious link. Also in August, researchers urged connected-device manufacturers to ensure they have applied patches addressing a flaw in a module used by millions of IoT devices.
These security fears are exacerbated now that much of the world is working from home due to the pandemic, Bickerstaffe said. Cybercriminals are looking to smart home devices as a way to access and compromise valuable business information on the same network.
With this in mind, “close attention should be paid to the security controls adopted by Ring,” Bickerstaffe told Threatpost. “Cybercriminals are already maximizing the opportunity to exploit vulnerabilities in smart home devices as a stepping stone to target the network on which these devices are installed.”