The rapidly-growing smart home market has a serious security problem, and Ring’s line of products has been one of the foremost examples. The Amazon-owned company provides doorbell and in-home security cameras that are internet-connected to allow owners remote access to the video feeds. Some of its products will now be getting end-to-end encryption for the first time, two years after Amazon acquired the company and six years after the company’s flagship doorbell camera product first launched.
During that time the company has struggled with a variety of security issues related to unauthorized access to user feeds, as well as questionable partnerships with law enforcement agencies that have raised concerns about extrajudicial surveillance.
Ring end-to-end encryption launches in response to criticisms
Ring has a troubling history of security and privacy issues, the most high-profile of these coming after Amazon’s acquisition of the company. A string of security breaches in 2019 saw hackers taking over the accounts of users, in some cases speaking to them through the system. While Ring systems are password-protected, investigations by security experts found that there is no system to identify multiple suspicious login attempts. This made it trivial for attackers to “brute force” systems by guessing passwords or by working from information gleaned from other data breaches. A flaw was also discovered that leaked WiFi information locally, including usernames and passwords, though it does not appear that it was ever used in an attack.
Ring has since patched these vulnerabilities, but end-to-end encryption provides a much stronger failsafe against any similar issues that might develop in the future. A blog post from the company indicates that stored video is already encrypted on Ring’s cloud system, but will now also be encrypted in transit to authorized user devices.
However, the feature is not available to all users just yet; it’s in a “technical preview” mode that is slated to roll out completely over the next several months. The feature should appear in the “Control Center” of the Ring App once it becomes available. However, Ring points out that some of its features that rely on decrypted video will not function while end-to-end encryption is enabled, “Motion Verification” and “People-Only Mode” among them. This would appear to make it impossible to make use of end-to-end encryption in the modes that attempt to verify motion is being caused by a human being before sending a notification to the user.
The feature is also apparently not coming to all of the company’s devices, at least not initially. End-to-end encryption will be available in the “Pro” and “Elite” models of the Video Doorbell product, but not the most basic wireless doorbell model. In addition to a price difference of about $50 per unit, the Pro model must be hardwired to function. Product lines that are no longer supported, like the first generation of video doorbells, are also not supported. The “peephole cam” and non-wired versions of the Stick-Up Cam and Spotlight Cam are also not eligible for end-to-end encryption. And users must have a fairly recent version of iOS (12.0 or newer) or Android (8.0 or newer) for the feature to be available.
End-to-end encryption may not address trust issues
While end-to-end encryption helps to protect users from unauthorized access to videos by hackers, it doesn’t necessarily do much to address two other trust issues that have been hanging over the company: its internal access to user videos, and exactly what it shares with law enforcement agencies.
Ring’s policy has long been that employees are not supposed to access customer videos without express permission. Complaints and investigations dating back to 2016 have asserted that this is not the case. It is unclear if the end-to-end encryption feature will completely prevent this possibility, if the device in question even has the ability.
Amazon’s partnerships with law enforcement agencies also became an issue in 2019. The company offered police agencies access to Neighbors, a complementary app that allows users to upload video of potentially suspicious activity with various levels of public sharing. Critics pointed out that law enforcement is usually compelled to obtain a warrant to set up or access video recording devices on private property, something that Ring created a shortcut for. A particular concern was the potential for Amazon to link its Rekognition facial recognition database, also used by police agencies until a one-year moratorium was issued in 2020, to the footage reviewed by law enforcement. Even with end-to-end encryption in place, footage uploaded to Neighbors will first have to be de-encrypted in order to share.