Amazon Ring’s employees enjoyed access to customers’ private videos




11 January 2019

Author: Jay Jay


Ring, the small doorbell-maker that Amazon acquired last year, gave several employees unrestricted access to videos recorded by customers, and those videos were not encrypted because doing so would entail a loss of revenue, The Intercept has revealed.

Ring, previously known as Bot Home Automation, was founded in 2012 and is a well-known seller of smart doorbells and cameras that offer consumers the ability to record videos of their homes and surroundings and detect burglars. The company was acquired by Amazon in early 2018 and continues to develop new home security products.

“Our mission to reduce crime in neighborhoods has been at the core of everything we do at Ring. Together with Amazon, we will accelerate our mission dramatically by connecting more neighbors globally and making our security devices and systems more affordable and accessible. The entire Ring team is excited to continue working hard to create products and services that bring real benefits to people’s lives and build safer communities for all our neighbours,” said Jamie Siminoff, CEO and Chief Inventor of Ring following its acquisition.

Products now offered by Amazon Ring include Ring video doorbells, spotlight cams, floodlight cams, the Blink XT indoor/outdoor camera, the Blink indoor security camera, and the Amazon Cloud Cam.

Ring employees enjoyed unrestricted access to customer videos

Even though the company’s mission is to help people secure their homes from external threats by recording videos of their homes and surroundings, the company may not be doing enough to protect the privacy of its own customers, a new report from The Intercept has revealed.

According to the report, the research and development team at Ring’s Ukrainian office had unfiltered and unrestricted access to an Amazon S3 cloud folder that stored every single video recorded by users of Ring’s products.

Not only were customers’ private videos available to Ring’s employees, but Ring also chose not to encrypt such videos, as enabling encryption would make the company less valuable “owing to the expense of implementing encryption and lost revenue opportunities due to restricted access”, sources told The Intercept.

Certain engineers and executives at Ring’s U.S. office also had privileged access to the company’s technical support video portal, which stored unfiltered, round-the-clock live feeds from some customer cameras. To access such videos, an employee only had to fill in a customer’s email address.

Sources contacted by The Intercept added that the failure of facial and object recognition software to detect burglars or hostile entities forced the company to provide employees access to customer videos so that the company could send accurate alerts to consumers about activities outside their homes.

Indoor policing by other humans a major privacy nightmare

“There are some major privacy concerns here. While users may consent to their images and data being processed in order for the service to identify real intruders from cats for example, the issue is where the processing is done,” said Adam Brown, manager of security solutions at Synopsys.

“Perhaps users believe processing is done on the camera and are therefore happy to have these devices inside their home; some may even be happy for that image data to be processed in a data centre somewhere, but for that data to be watched by human eyes is a totally different question.

“Privacy policies that the Ring spokesperson refers to offer some protection, however if they are not enforced with logical controls then any insider breach is a major privacy risk. Imagine you have this camera inside your house, and you find yourself in a compromising position and the camera sees that.

“The employee watching on the other side finds it hilarious and is upset by their ‘long monotonous work’ (as the job description states) and decides to share the camera’s video in some way on their exit from their job. Someone’s day or even life is ruined,” he added.
