While the FTC only mentions consumer customers, Ring does offer commercial security solutions under its Ring for Business arm. In addition, the allegations in the FTC’s complaint further demonstrate the risks that many IT and security professionals say are inherent in IoT devices. 

Under a proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed. It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

California-based Ring LLC, which was purchased by Amazon (Nasdaq: AMZN) in February 2018. According to My TechDecisions’ sister-site CE Pro’s 2023 100 Brand Analysis, Ring is the No. 1 video doorbell product installed by integrators with 66% of leading integrators installing the solution.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment.”

— Samuel Levine, Director of FTC’s Bureau of Consumer Protection

In a complaint, the FTC says Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

According to the complaint, these failures amounted to egregious violations of users’ privacy. For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms. The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.

The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.

Ring’s Alleged Security Failures

According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats—“credential stuffing” and “brute force” attacks—despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing—for example, by cycling through breached credentials or entering well-known passwords—hundreds or thousands of times to gain access to an account.

Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics—such as multifactor authentication—until 2019. Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness, the FTC said.

 “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

— SAMUEL LEVINE, FTC

As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.

In addition to the mandated privacy and security program, the proposed order requires Ring to pay $5.8 million, which will be used for consumer refunds. The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.

The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order. The FTC filed the complaint and final order in the U.S. District Court for the District of the District of Columbia.

A version of this article originally appeared on our sister site CE Pro. 

The post FTC Accuses Ring of Watching Private Videos, Poor Security Practices appeared first on My TechDecisions.

According to a blog post by the cyber experts, this vulnerability could be abused by attackers to compromise Dahua network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.

ONVIF is an open industry forum that provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.

In order to communicate between products, ONVIF sends requests through XML SOAP messages via HTTP. One authentication mechanism ONVIF uses is WS-UsernameToken, which relies on the transmission of the username for a certified user, nonce (a random, unique number generated by a client), created (the UtcTime when the request is made) and a password to authenticate a request.

In its investigation, Nozomi Networks was able to forge a CreateUsers request to be added to an IPC-HDBW2231E-S-S2 dome network camera as an attacker-controlled administrator. It was then able to sniff an unencrypted ONVIF request authenticated with the WS-UsernameToken schema.

After creating the attacker-controlled administrator, researchers were able to use the account to access the Dahua device with full privileges, including watching live footage from the camera.

The firm says sniffing an unencrypted ONVIF request authenticated with the WS-UsernameToken schema is not an uncommon condition due to the following reasons:

1. WS-UsernameToken is still used by default by many popular ONVIF clients, such as ONVIF Device Manager, or DSE VMS.
2. By default, the IPC-HDBW2231E-S-S2 (like other Dahua devices) does not expose an HTTPS service, and all ONVIF interactions occur through unencrypted HTTP.

Nozomi Networks says in the real world, asset owners should not using the default WS credentials and use HTTPS for secure connections in order to prevent such an attack from occurring.

Upon notification of the vulnerability, Dahua released a patch at the end of June. When reached for comment, Dahua told SSI, “On 6-28-22 we released a security notice, which you can find here.  As of today (1 August) Dahua has released firmware patches that address these vulnerabilities.”

This article originally appeared on MyTechDecisions’ sister-site Security Sales & Integration. 

The post Vulnerability Discovered in Dahua’s ONVIF Implementation appeared first on My TechDecisions.

To find a solution, campus security officials enlisted the help of Unison Integrated Technology, a CCTV installation and maintenance company. Since the school works with contract security, they were searching for an easy-to-use solution.

“We contract out our security services, so it’s important for newly arrived officers to be able to use all of the system’s key features with minimal training,” said facilities manager Lewis Palin.

Total cost of ownership was also an important consideration since the school would need 150 new internal and external cameras that could integrate with existing cameras and infrastructure. Palin was also looking for minimal maintenance charges, no license fees and the ability to scale the system as the campus grows or requirements change.

Ultimately, Unison recommended IDIS’ DirectIP, a solution used by several nearby colleges, says the press release. The solution provides more than 160 cameras, including five 2MP Lightmaster IR PTZ models that deliver 36x zoom and sharp images in all lighting due to its 350 meter IR, wide dynamic range and digital image stabilization.

Related: Surveillance, Location Technology Can Help Campuses Track COVID-19

Unison also helped to install 55 full-HD IR vandal-resistant dome cameras to secure entrances and internal areas and 40 IR bullet cameras to give HD coverage of external areas.

All cameras use IDIS Smart Failover technology to ensure automatic protection against video data loss. The storage capability is assured by four 64-channel network video recorders with built-in failover and RAID 1, 5 and 10 support, plus three 32-channel recorders with IDIS Intelligent Codec.

“Unison got the entire job done in three weeks – with swift stock delivery from IDIS – working around us to deliver our new system exactly as promised,” said Palin. “We will definitely stick with IDIS technology as we expand our estate.”

For more information on the solution, visit www.idisglobal.com.

This post premiered on our sister site, Campus Safety.

The post Aging University Surveillance System Aided by IDIS appeared first on My TechDecisions.

At the time of writing, the United Nations is describing this as the greatest global test since World War II. When this current phase of the pandemic is behind us, there will be much re-examination of the big policy questions — about health provision and the importance of investing more seriously in science education and research, about the vulnerability of our supply chains, and about what each level of government is responsible for, and should be preparing for, during non-crisis times.

As any trusted risk manager will tell you, there should be positive takeaways from any disaster, if we learn the right lessons, and invest resources where they are needed. If we think strategically, in the long run, this terrible time may leave us with lessons well-learned and improve our overall preparedness to deal with even more deadly threats to come.

But right now, a lot of people are working very hard to deal with the current situation and mitigate immediate risks. And while the health risks rank uppermost on the list, users of video surveillance solutions are finding they have new, unexpected risks to contend with. They must implement new applications for their video surveillance cameras and VMS capabilities.

In the restaurant sector, for example, national and regional chains that were previously using remote surveillance to check cash register transactions for their fraud investigations are now using the same tools to keep their outlets secure during enforced closure to the public. Only needed staff should now be onsite to handle the take-out ordering operations so critical to remaining solvent and retaining customers.

Locking down facilities to the public and furloughed employees is critical during these times. So, rather than changing all the locks at their cafes, bars and restaurants — or securing them in a way that makes it obvious that unauthorized people can’t access the facility — alarm codes at each outlet can be updated instead. That way, if an alarm is triggered by someone not authorized to access the facility, remote video can be used to let management and/or security staff know of any suspicious activity.

Related: 12 Advanced Commercial Surveillance Cameras for Your Business or Org

Other use that remain open face the opposite problem. These organizations need to use video surveillance to keep their operations going and cope with overseeing more activity, not less.

With staffing pressure increasing on core services — in healthcare, first response, pharmacies, grocery stores and other essential service settings — the efficiencies that innovative video surveillance solutions for both perimeter protection and interior access control are providing have never been more critical.

Video systems put to the test

For many years now, video surveillance manufacturers have been thinking about “worst case scenarios” and helping customers to strike a delicate balance between streamlining their operations and, at the same time, reducing risks. Across the industry, vendors and systems integrators have competed to find new tools and technologies that let end users do more with less: securing their vulnerable assets, managing people more safely, improving situational awareness, and providing newfound business and organizational efficiencies.

And, as an industry, we’ve known that it’s important to plan for the worst, so we’ve tried to design and test solutions to make them more robust and easier to use in times of stress. It’s clear now that increased stress is what we are all facing.  In high-pressure work settings, video surveillance systems are being put to the test.

As the weeks pass, the mounting challenge for healthcare systems around the world will remain high to keep operations running, amid growing fears, patient admissions, and potentially fewer staff. At peak pressure, large numbers of front-line staff are being affected by the virus and/or self-isolating as the infection spreads. Maintaining a high level of security and ensuring that working environments remain safe is crucial.

Here are some ways that video systems will help:

When security managers and team leaders are in self-isolation, how can they keep leading their operations? Remote applications and client software can make it practical for them keep working, even when isolated. The latest mobile apps can give them everything they need to run their own satellite video control operations, wherever they are. These can give them VMS-level functionality that includes live view, playback, searching, bookmarking, PTZ control, mobile dewarping for 360° fisheye cameras, event notifications and more.

Team leaders at many sites have already become accustomed to using these applications. Now, they will be needed as never before. To further streamline command, control and information sharing, VMS can now be easily set up with simple rules to allow targeted notifications to be sent to individuals and groups, via SMS or email.

As wider operations also come under pressure, security staff may be called on to provide back-up help. In supermarkets, for example, officers may need to interact more with customers during times of peak demand to ensure that people are social distancing and don’t attempt to stockpile when rationing is introduced. Video capabilities can surely help mitigate those issues before they escalate.

Solutions making use of the latest deep learning advances can also take pressure off security teams while still improving surveillance outcomes. Deep learning analytics can provide accurate and reliable detection of events such as falls, loitering or trip-zone and line-crossing, and they can give automated alerts. So even if security officers are busy, their video systems will still be hard at work in the background to maintain essential monitoring functions and to alert them to incidents, when necessary.

Accurate detection with fewer false-positives means better and more targeted responses —  all helping to maintain security team effectiveness. And it’s not just security teams that can make good use of video surveillance during these difficult days. In healthcare settings, video surveillance systems have been used effectively by doctors, nurses, respiratory therapists, clinical staff, administrators and reception teams to enhance safety.

Video systems have allowed medical teams to monitor and review care delivery in a way that maintains efficient operations in their own wards and areas of responsibility. They’ve been used not just to maintain security but to review and improve clinical practice, which is so critically important during this pandemic.

The quality and reach of video surveillance coverage are now far better than those of just a few short years ago. Capabilities may be put to other very critical uses during these difficult days of COVID-19. These include the risks posed by crowd control failings, as they can be managed by staff on the ground watching footage of what’s happening and where with large gatherings, as well as video heat mapping that can give an overview to reveal pinch-points and recurring hotspots that hard-pressed front-line staff may overlook. These real-time video warnings can allow problems to be pre-empted.

Capable video surveillance solutions that are flexible can go a very long way in helping mitigate and assess the risks presented by COVID-19. While we may all feel somewhat helpless in mitigating the harm of this virus, we still can play a meaningful role in combating it. We can do this by providing all at risk with viable video surveillance solutions that can help reduce the impacts of this invisible enemy and work toward a better tomorrow for all.

Jason Burrows is West Coast Sales Director for Coppell, Texas-based IDIS America. This article originally ran in our sister publication Security Sales & Integration. It has been edited. 

The post Mitigate COVID-19 Risk on Campus with Video Surveillance appeared first on My TechDecisions.