Ring Settles FTC Allegations of Poor Cybersecurity, Privacy
Amazon-Owned Ring Will Pay $5.8 Million to Settle FTC Investigation
Amazon agreed to pay $5.8 million to settle a Federal Trade Commission investigation into allegedly poor cybersecurity practices by its Ring home surveillance device subsidiary.
The company, which has sold more than 1 million indoor networked cameras embedded with two-way communications, is also poised to come under two decades' worth of outside reviews of a mandated data and security program.
The settlement, which requires approval from a federal judge, comes after reports of hackers accessing consumers' devices, bullying young children, threatening physical harm and racially or sexually harassing users.
"The FTC's order makes clear that putting profit over privacy doesn't pay," said Sam Levine, director of the FTC's Bureau of Consumer Protection.
A federal complaint filed in the U.S. District Court for the District of Columbia blames Ring for the attacks, which were carried out through credential stuffing or brute force. In credential stuffing, attackers replay username and password combinations already leaked from other breaches; in brute force attacks, they automate password guessing against an account.
Ring said the FTC "mischaracterizes our security practices" and that the company disagrees with the agency's allegations. "Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry," company spokeswoman Emma Daniels said in an email.
The FTC said that between January 2019 and March 2020, hackers accessed the devices of more than 55,000 Ring home camera customers through credential stuffing or brute force attacks. Hackers gained "access to hundreds of thousands of videos of the personal spaces of consumers' homes, including their bedrooms and their children's bedrooms."
Steps the FTC says the company should have taken, but didn't at the time, include blocking rapidly repeated logon attempts against the same account with different passwords and blocking logon attempts against multiple accounts from the same IP address. Ring could also have monitored for logon attempts from suspicious IP addresses and notified users of concurrent logon sessions.
The complaint quotes an internal document from 2019 lamenting that "Ring permitted 'thousands of requests [for account access] per second' from a single IP address (i.e., a single user), rather than an appropriate 'half dozen per day.'"
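The three controls the FTC describes (throttling repeated failures on one account, throttling one IP address that tries many accounts, and notifying a user when a second session appears from elsewhere) are straightforward to express as rules over an authentication log. The following is an added example written for this page, not code from Ring, Amazon or the FTC; the log lines, account names, IP addresses and the thresholds in `Thresholds` are all constructed for illustration and would be tuned to a real service. The internal document's contrast between "thousands of requests per second" and "half a dozen per day" from a single IP is the scale of difference such limits are meant to catch.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample authentication log (made up for this example; not
# Ring's or the FTC's data). Fields: seconds, source IP, account, outcome.
SAMPLE_LOG = """\
0.0 203.0.113.5 alice fail
0.2 203.0.113.5 alice fail
0.4 203.0.113.5 alice fail
0.6 203.0.113.5 alice fail
0.8 203.0.113.5 alice fail
1.0 203.0.113.5 alice success
5.0 198.51.100.7 bob fail
5.1 198.51.100.7 carol fail
5.2 198.51.100.7 dave fail
5.3 198.51.100.7 erin fail
10.0 192.0.2.10 frank success
12.0 192.0.2.11 frank success
3600.0 203.0.113.5 alice fail
"""


@dataclass
class Thresholds:
    """Hypothetical limits; a real service would tune these."""
    account_fails: int = 5          # failed attempts on one account per window
    account_window: float = 60.0    # seconds
    ip_accounts: int = 3            # distinct accounts tried from one IP per window
    ip_window: float = 60.0
    lockout: float = 900.0          # how long a block lasts, in seconds


class LoginMonitor:
    def __init__(self, t=None):
        self.t = t or Thresholds()
        self.fails = defaultdict(deque)      # account -> (ts, ip) of failures
        self.ip_seen = defaultdict(deque)    # ip -> (ts, account) of any attempt
        self.sessions = defaultdict(set)     # account -> IPs with a live session
        self.blocked = {}                    # ("ip"|"account", key) -> expiry ts
        self.alerts = []                     # (kind, subject, detail)

    @staticmethod
    def _prune(dq, now, window):
        # Drop entries older than the sliding window.
        while dq and now - dq[0][0] > window:
            dq.popleft()

    def _is_blocked(self, kind, key, now):
        expiry = self.blocked.get((kind, key))
        if expiry is None:
            return False
        if now >= expiry:           # lockout has expired
            del self.blocked[(kind, key)]
            return False
        return True

    def observe(self, ts, ip, account, outcome):
        """Return 'allow', 'block_ip' or 'block_account' for one attempt."""
        if self._is_blocked("ip", ip, ts):
            return "block_ip"
        if self._is_blocked("account", account, ts):
            return "block_account"

        # Rule 1: one IP trying many accounts (the credential stuffing pattern).
        seen = self.ip_seen[ip]
        seen.append((ts, account))
        self._prune(seen, ts, self.t.ip_window)
        distinct = {a for _, a in seen}
        if len(distinct) > self.t.ip_accounts:
            self.blocked[("ip", ip)] = ts + self.t.lockout
            self.alerts.append(("ip_spread", ip, sorted(distinct)))
            return "block_ip"

        # Rule 2: rapid repeated failures on one account (the brute force pattern).
        if outcome == "fail":
            fq = self.fails[account]
            fq.append((ts, ip))
            self._prune(fq, ts, self.t.account_window)
            if len(fq) >= self.t.account_fails:
                self.blocked[("account", account)] = ts + self.t.lockout
                self.alerts.append(("account_rate", account, len(fq)))
                return "block_account"
            return "allow"

        # Rule 3: a successful login while a session is already live from another
        # address; the user is notified so an unexpected session stands out.
        live = self.sessions[account]
        if live and ip not in live:
            self.alerts.append(("concurrent_session", account, sorted(live | {ip})))
        live.add(ip)
        return "allow"


def run(log_text, thresholds=None):
    """Replay a log through the monitor; returns (decisions, monitor)."""
    monitor = LoginMonitor(thresholds)
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        decisions.append((line, monitor.observe(float(ts), ip, account, outcome)))
    return decisions, monitor


if __name__ == "__main__":
    decisions, monitor = run(SAMPLE_LOG)
    for line, decision in decisions:
        print(f"{decision:14} {line}")
    for alert in monitor.alerts:
        print("ALERT", alert)
```

Two details matter in the replay. The sixth line is a correct password for `alice` arriving during the lockout; it is still rejected, which is what makes the per-account limit effective against guessing. The last line, an hour later, is allowed again because both the lockout and the sliding windows have expired, so a legitimate user is not locked out indefinitely.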
Ring also let users set very simple, easily guessable passwords, boosting the likelihood of brute force attacks, the FTC said.
The company enabled multifactor authentication in May 2019 - a measure the agency says was too little, too late and lacked robust encouragement for consumer adoption. "Only a tiny fraction of customers - less than 2% - adopted this optional security feature in 2019," the FTC said.
In 2020, the company mandated multifactor authentication for customers.
The complaint also alleges the company took years to ensure the privacy of home-recorded videos. A Ring employee in the summer of 2017 viewed thousands of video recordings belonging to at least 81 unique female users, searching for cameras with names such as "Master Bedroom."
The incident provoked Ring into narrowing who could access videos, but not until February 2019 did it change its policies so that most Ring employees and contractors had to first obtain customer consent before accessing private videos.
Ring said that it has "strong policies and controls in place that restrict employee access to customers' stored videos, and employees are unable to view, access, or control livestreams."
Among the elements of the security program Ring must implement for the next 20 years are yearly penetration testing of access controls and an annual verification that employees are restricted from accessing video recordings. Ring must also let a third party assess the security program within a year and, thereafter, every two years.