FTC Accuses Ring of Watching Private Videos, Poor Security Practices
https://mytechdecisions.com/physical-security/ftc-accuses-ring-of-watching-private-videos-poor-security-practices/
My TechDecisions, Thu, 01 Jun 2023 17:29:37 +0000

The Federal Trade Commission (FTC) has charged Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

While the FTC only mentions consumer customers, Ring does offer commercial security solutions under its Ring for Business arm. In addition, the allegations in the FTC’s complaint further demonstrate the risks that many IT and security professionals say are inherent in IoT devices. 

Under a proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed. It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

California-based Ring LLC was purchased by Amazon (Nasdaq: AMZN) in February 2018. According to My TechDecisions’ sister-site CE Pro’s 2023 100 Brand Analysis, Ring is the No. 1 video doorbell product installed by integrators, with 66% of leading integrators installing the solution.

In a complaint, the FTC says Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

According to the complaint, these failures amounted to egregious violations of users’ privacy. For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms. The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.

The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.

Ring’s Alleged Security Failures

According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats—“credential stuffing” and “brute force” attacks—despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing—for example, by cycling through breached credentials or entering well-known passwords—hundreds or thousands of times to gain access to an account.

Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics—such as multifactor authentication—until 2019. Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness, the FTC said.

As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.

In addition to the mandated privacy and security program, the proposed order requires Ring to pay $5.8 million, which will be used for consumer refunds. The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.

The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order. The FTC filed the complaint and final order in the U.S. District Court for the District of Columbia.

A version of this article originally appeared on our sister site CE Pro. 

Your Video Surveillance Camera Feed May be a National Security Risk
https://mytechdecisions.com/physical-security/video-surveillance-camera-feed-national-security-risk/
My TechDecisions, Thu, 09 Sep 2021 11:00:46 +0000

Americans may have to swap out their surveillance cameras for ones that are NDAA-compliant pending FCC and NDAA regulation.

The Federal Communications Commission recently voted unanimously on a rule that could make it illegal to turn on 60% of video surveillance cameras currently installed in the United States.

The rule could lead to a ban on all future authorizations for sale and use in the U.S. of any new and potentially all previously authorized products manufactured by a growing number of Chinese companies.

Why? They have been designated as threats to national security and placed on the so-called “Covered List” (a.k.a. Blacklist), which is published by the commission’s Public Safety and Homeland Security Bureau. This includes the world’s largest manufacturers of video surveillance cameras.

These companies have been added to the Blacklist for various reasons including being suspected of installing “back doors” on video chips that could allow them to “hack” into feeds from millions of security cameras.

This vote is in concert with the National Defense Authorization Act (NDAA), which is a set of federal laws that receives unwavering bipartisan support due to its focus on national security and protecting the lives and livelihoods of the American people. It is updated each year by Congress to address new threats and outline the annual budget for the U.S. Department of Defense.

Video surveillance cameras became part of the NDAA with the John S. McCain National Defense Authorization Act for Fiscal Year 2019. Section 889, “Prohibition on certain telecommunications and video surveillance services or equipment,” spells out some fairly wide-reaching implications.

(a) PROHIBITION ON USE OR PROCUREMENT.—

(1) The head of an executive agency may not—
(A) procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system; or
(B) enter into a contract (or extend or renew a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.

(2) Nothing in paragraph (1) shall be construed to—
(A) prohibit the head of an executive agency from procuring with an entity to provide a service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or
(B) cover telecommunications equipment that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.

Essentially, this means federal agencies cannot purchase or use any equipment, system, or service that uses components or technology, even as part of a larger system, from any of the companies on the Blacklist.

This also applies to any federally funded entity such as schools or city buildings that has received federal grant funding. The net gets even wider with the statement that they are prohibited from contracting with any entity, such as a company, that uses any technology from a banned manufacturer.

The prohibition may apply not only to a major defense contractor and manufacturer designing battleships, but also to all the companies, partners and suppliers they work with along the entire supply chain.

Far-Reaching Implications

While the NDAA does not specifically spell out why the manufacturers are on the Blacklist, it is clear from congressional testimony that they have reason to believe the Chinese government could use the technology produced by the manufacturers for any number of nefarious purposes from cyber security espionage to intelligence gathering.

For example, if a video feed from a military installation were to be viewed by a foreign government, they would have access to not only troop numbers and positions, but also specific amounts and types of weapons, food and other supplies, which could be devastating in a conflict.

Blackmail and the personal health and safety of individuals are also concerns. Imagine if a bad actor could employ facial recognition on “hacked” video feeds from surveillance cameras all over town. They could easily track a government official or business leader from place to place, regardless of whether they were at the office or enjoying personal time.

This would enable them to establish patterns and collect data and images that could be used outright or taken out of context to blackmail or otherwise compromise the individual.

Individuals and organizations outside of the federal government who are not strictly under the NDAA regulations are being impacted.

This threat is being taken seriously by global companies with highly sophisticated security systems … all the way down to mom n’ pop sandwich shops with a single surveillance camera trained on their cash register and front door.

Scott McQuarrie is a security industry veteran and a video surveillance expert. He is CEO of Backstreet Surveillance, which provides do-it-yourself and professionally installed security camera systems for businesses and homes across the U.S. and internationally.

Company leaders and even homeowners need to have confidence that their conversations, strategies, plans, blueprints, processes and intellectual property in sight of surveillance cameras can be protected from the prying eyes of unauthorized individuals and bad actors.

As such, they are proactively seeking providers who have secure, NDAA-compliant video surveillance cameras and systems. Several security camera providers are recognizing this issue and are not honoring warranties or exchanges on the millions of cameras manufactured by banned companies that are currently installed across America.

Even though the law does not (yet) require companies and consumers to swap out their current surveillance equipment with cameras that are NDAA-compliant, they are waking up to the fact that the threat is significant.

The concern among government officials is high enough that it may one day be illegal to even power on a non-NDAA-compliant surveillance system on American soil.
