Amazon’s Ring blamed hacks on consumers reusing their passwords. A lawsuit says that’s not true.

Plaintiffs suing the company say they created unique passwords but were hacked anyway.

Rani Molla is a senior correspondent at Vox and has been focusing her reporting on the future of work. She has covered business and technology for more than a decade — often in charts — including at Bloomberg and the Wall Street Journal.
After a series of high-profile incidents in which hackers gained access to live footage of Ring security cameras inside people’s homes, the company blamed consumers for reusing old passwords. Two plaintiffs in a class action lawsuit accusing the company of negligence and invasion of privacy say that’s not the issue — instead, they say their passwords were unique and that the company didn’t implement basic security measures to protect users. A security expert enlisted by Recode found that Ring’s devices lack widely adopted safety precautions.

Tania Amador and her boyfriend, Todd Craig, said they used unique 14- and 16-character passwords for their Ring security cameras. That didn’t stop a hacker from breaking into their camera feed in December, blaring sirens and threatening them: “Pay this 50 bitcoin ransom or you will get terminated yourself!,” the hacker said, according to the complaint. The stranger also accessed their Ring doorbell and terrified them by saying, “I’m outside your front door.”

The lawsuit claims the hack happened December 9, a few days after another much-publicized hack in which a strange man used a Ring device to terrorize an 8-year-old girl in Mississippi. The parents of the little girl are also plaintiffs in the lawsuit.

About a week later, Ring sent an email to customers that attempted to reassure them by saying the issue was related to the use of old credentials for other accounts that had been previously compromised:

Screenshot of an email sent to Ring users on December 16, 2019.

“Ring is basically blaming this on the consumer, saying the way they got hacked was their login and password was leaked,” Hassan Zavareei, a lead attorney on the lawsuit, which may be combined with a similar class action suit, told Recode. “We know that is absolutely false,” he added.

“While we do not comment on ongoing litigation, it is important to note that there is no evidence that Ring’s systems or network were compromised,” Ring said in a statement to Recode. “But we have taken the issues seriously and plan to launch new user privacy controls.”

The existing precautions haven’t been enough to stop hacks.

Unique passwords of 14 to 16 characters are difficult, though not impossible, to crack, according to security experts. They’re susceptible to a number of different hacks, including brute-force attacks in which a hacker uses a program to run through an automated list of email address and password combos until they gain access.

“If we believe the users in this lawsuit, then there’s something we don’t know,” Brian Vecci, field CTO at data protection and analytics company Varonis, told Recode. “If hackers have the ability to do this — which would probably require a man-in-the-middle attack, compromised laptops, or a very powerful computer — then I would wager there’s way more than two users compromised.”

Michael Schenck, director of security services at cybersecurity firm Kaytuso, told Recode, “Long, complex passwords are great at protecting your information; however, the hackers of the world are getting a lot better at finding ways to break those things with their automated scripts.”

Ring devices don’t stop that from happening, nor do they warn customers if someone is trying to execute that kind of attack, according to Schenck, who tested it out for Recode. He created a new account for his Ring device and tried to log in with incorrect information 25 times in a row. He also used a program that made it look like someone was trying to access the device from different countries.

Schenck was not locked out of his Ring account, nor did he receive any alerts that these attempts were happening.

The result was similar to that of a Vice security test published in December.

“It is not best practice to allow repeated attempts without some kind of stop or, ‘Hey, wait five minutes before you try again,’ or something,” Schenck said, adding that companies much smaller than Ring challenge users after failed login attempts with security tests like CAPTCHA, to prove that they’re humans and not robots.
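The control Schenck describes (a pause after repeated failures, plus a notice to the account owner) can be sketched as follows; this is an added example, not Ring's code or part of the original article. It counts failures per account rather than per source address, because his test made attempts appear to come from different countries; the five-failure threshold, all names and the sample addresses are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold; the article does not name one
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 300   # "wait five minutes before you try again"


class LoginThrottle:
    """Per-account failed-login throttle that also records an owner alert."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # account -> (timestamp, source_ip)
        self._locked_until = {}              # account -> unlock time
        self.alerts = []                     # stand-in for an email/push notice

    def attempt(self, account, source_ip, password_ok):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self._clock()
        if now < self._locked_until.get(account, 0.0):
            return "locked"                  # refused before the password is checked
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        window = self._failures[account]
        window.append((now, source_ip))
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()                 # drop failures outside the window
        if len(window) >= MAX_FAILURES:
            # Keyed on the account, so rotating source addresses does not help.
            self._locked_until[account] = now + LOCKOUT_SECONDS
            sources = sorted({ip for _, ip in window})
            self.alerts.append((account, len(window), sources))
            window.clear()
            return "locked"
        return "denied"


def replay_failed_logins(count=25, account="owner@example.test"):
    """Constructed input: `count` wrong passwords, each from a new address."""
    throttle = LoginThrottle()
    results = [throttle.attempt(account, f"203.0.113.{i}", False)
               for i in range(count)]
    return results, throttle.alerts


if __name__ == "__main__":
    results, alerts = replay_failed_logins()
    print(results.count("denied"), "denied,", results.count("locked"), "locked")
    print("alerts:", alerts)
```

A hard lockout also lets an outsider keep the legitimate owner locked out, which is one reason services often present a CAPTCHA or a growing delay at this point instead of refusing outright.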

In response to the hacks, Ring is launching a privacy dashboard later this month that will allow users to see who is logged in to their account and log them out, as well as confirm any new logins before they gain access to Ring footage.

Ring has had a history of security issues, including a vulnerability that let people in close range of the device get access to users’ wifi credentials. However, experts told Recode that probably wouldn’t have given hackers access to the Ring accounts and devices.

Earlier this month, Ring announced that new devices would enable two-factor authentication by default, a process in which users have to supply a second piece of information, like a unique code from their phone, to get access to their accounts and video feeds. Recode and other publications had previously suggested mandatory two-factor authentication as an easy security fix.

This is a very effective method, but it only works if people choose to use it. Ring is not mandating that existing Ring customers activate two-factor authentication, claiming it would cause mass logouts, and users still have the option of disabling the process.

“There’s a balance in security and privacy: The more secure and private you try to keep data, the more impact you have on convenience and functionality,” Vecci said. “Ring is clearly erring on the side of convenience.”

As for the lawsuit, the next step is for Ring to respond, either by asking for the case to be dismissed or filing an answer, in which case the plaintiff’s lawyers would begin collecting more information from Amazon, like statistics on how many people actually own Ring devices and could therefore benefit from joining the class action.

Ring’s terms of service include a class action waiver and instead require arbitration, but Zavareei said that isn’t an issue.

“There’s terms and conditions, but you don’t have to click on them and agree,” Zavareei said. “They’re nonbinding and unlawful.”

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.