Amazon Ring Employees Able to Access Customer Video

California-based Ring LLC endangered its customers’ privacy by allowing any employee or contractor to see consumers’ private footage and failing to implement basic privacy and security controls, enabling hackers to gain control of consumers’ accounts, cameras, and videos.

Ring LLC, which Amazon purchased in February 2018, produces internet-connected, video-enabled home security cameras, doorbells, and related accessories and services

Reports say every Amazon Ring employee had access to every customer video, even if it wasn’t necessary for their duties. 

Additionally, before July 2017, the staff members may take any of those recordings, keep them, and share them as they pleased with staff members from a third-party contractor in Ukraine.

That’s what the FTC claimed in a recent case, for which Amazon may have to pay a $5.8 million penalty.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

“The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

Ring Fails To Set Up Basic Procedures For Staff Monitoring And Detection

According to the complaint, for instance, one employee, over several months, looked at thousands of video records belonging to female users of Ring cameras that surveilled personal locations in their houses, such as their bathrooms or bedrooms.

The employee wasn’t stopped until another employee noticed the misbehavior. Even when Ring set restrictions on who may see customers’ videos, the firm couldn’t identify how many additional workers inappropriately accessed private films because Ring failed to adopt basic steps to monitor and detect employees’ video access.

According to the FTC, a Ring employee allegedly saw hundreds of recordings from at least 81 different female users. 

The employee watched the videos for at least an hour every day for hundreds of days between June and August 2017. Their supervisor said it was “normal” for an engineer to view so many accounts after another employee raised the issue with them.

“Only after the supervisor noticed that the male employee was only viewing videos of “pretty girls” did the supervisor escalate the report of misconduct. Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment”, based on an FTC complaint.

In January 2018, a male employee looked for a female coworker using her email address and exploited his access privileges to watch her videos.

Engineers (including employees and independent contractors) were only permitted access to customer films if there was a business requirement in February 2018, when employee access permissions were further restricted.

Ring modified its access policies again in February 2019 so that most of its workers and contractors could only view a customer’s private video with that customer’s permission.

The FTC provides further examples of access abuse and surveillance. Because there were no detection procedures, Ring allegedly has no idea how much-unauthorized access occurred.

Customers were unaware that so many staff might view their video. According to the FTC, Ring’s Terms of Service and Privacy Policy did not state that its employees and contractors would be able to examine all video recordings to develop and improve its products before December 2017.

Ring just explained the business’s permission to use recordings made in conjunction with its (then-named Doorbot’s) cloud service for product development in the middle of prolonged, legalese-filled terms.

Ring Fails To Use MFA And Protect Against Threats

The FTC claims Ring failed to implement multi-factor authentication (MFA) until May 2019, far after many rivals had done so, and it also ignored employee and outside security researcher warnings to protect users from threats like credential stuffing and brute force attacks.

The FTC claims that more than 55,000 users had their Ring devices compromised between January 2019 and March 2020.

Cybercriminals have occasionally exploited two-way chat to terrorize Ring consumers, as though from a horror film: Several women in bed heard hackers curse at them, several children were called racist slurs, and much more.

The DOJ Filed a Complaint

The Department of Justice filed the complaint and settlement proposal on behalf of the FTC.

Amazon was accused of violating the Children’s Online Privacy Protection Act (COPPA) rule by retaining Alexa voice and geolocation data linked with young users for years while prohibiting parents from exercising their right to request the deletion of their children’s data.

In a blog post, the FTC stated that because children’s speech patterns are different from adults, they may have been particularly beneficial to Amazon:

“Children’s speech patterns are markedly different from adults, so Alexa’s voice recordings gave Amazon a valuable data set for training the Alexa algorithm and further Amazon’s commercial interest in developing new products.”

Along with the $25 million settlement, Amazon will be prohibited from exploiting geolocation and speech data collected from children to develop or enhance data products.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus



Source: gbhackers.com