Amazon’s popular Ring security cameras have gaping security holes. Here’s how to protect yourself.
Has there ever been a tech product more polarizing than Ring?
The internet-connected doorbell gadget, which lets you watch live video of your front porch through a phone app or website, has gained a reputation as the webcam that spies on you and that has failed to protect your data. Yet people keep buying it in droves.
Ring, which is owned by Amazon and based in Santa Monica, Calif., has generated its share of headlines, including how the company fired four employees over the last four years for watching customers’ videos. Last month, security researchers also found that Ring’s apps contained hidden code, which had shared customer data with third-party marketers. And in December, hackers hijacked the Ring cameras of multiple families, using the devices’ speakers to verbally assault some of them.
This week, Ring announced new protocols to strengthen the security of its products, such as mandating two-factor verification, which requires you to punch in a temporary code before logging into your account to see your footage. A Ring spokeswoman said the company was focused on constantly enhancing its security.
Yet security experts said that Ring had been slow to react and that its solutions were weak.
“Ring has done precious little to address the broader threats to privacy that their devices enable,” said William Budington, a technologist for the Electronic Frontier Foundation, a digital rights nonprofit group, who helped discover the trackers embedded inside Ring’s apps.
Based on the gaping security holes in this home security product, I personally wouldn’t recommend buying a Ring device. Yet millions of the cameras, which range from about $100 to $500, have been sold, and tens of thousands of customers have left glowing reviews for Ring products on Amazon.
Ring cameras come in various forms, including models that can be mounted outdoors or installed on a door peephole, but the most popular version is the doorbell module. In addition to a camera, a Ring product includes a motion sensor, a microphone and a speaker so that visitors can communicate with you.
I tested a Ring peephole camera, which involved installing the device on my door and creating an account with an email address and a password, to come up with a guide to ensuring your surveillance camera does not turn into a device that surveils you.
Use a strong password
First, come up with a password that is difficult to crack. To make this simple, use a password manager, like 1Password or LastPass, which are apps that store all your passwords in a vault that is unlockable with a master password. These apps can also automatically create complex passwords for you.
If you prefer to manually create a password, try coming up with something long and complex. Consider mimicking this setup: Take the sentence “My name is Inigo Montoya. You killed my father. Prepare to die!”
And convert it into this: “Mni!m.YkMf.PtD!
Set up two-factor verification with a burner
Ring now requires people to turn on two-factor verification, which involves sharing your cellphone number so that your handset can be used as a second factor to prove you are you. This way, whenever you log into your Ring account, your cellphone will receive a text message with a temporary code, which must be entered before you can get access to your account.
In the Ring app, the settings to set up two-factor authentication are inside a menu labeled Control Center. Here, just enter a phone number to receive the codes.
One major caveat: Sharing your phone number with someone you don’t trust is another privacy risk. If hackers got your phone number, they could use it as a piece of information to break into other online accounts. Even worse, they could try to hijack your number by tricking your phone carrier into porting your digits onto a new SIM card — a practice called SIM swapping.
To keep your personal digits hidden from Ring, you can install an internet-calling app like Google Voice, which generates a second phone number that can be set up to automatically forward text messages to your normal phone number. This way, you can treat this as a burner number that you share with Ring for two-factor authentication.
Opt out of law enforcement requests
By default, the Ring app will send you notifications when law enforcement agencies are seeking video footage from you to aid them in investigations.
This feature may sound altruistic, but there is a problem with the approach. Notifications are a nuisance, especially when you are in the middle of doing something important, so you might accidentally agree to share footage just to make the notification go away.
The Electronic Frontier Foundation said there was a broader issue and called on Amazon to end its rapid expansion of law enforcement partnerships.
“Giving police direct access to request private footage endangers communities and facilitates near-constant surveillance by local police,” the digital rights group said in a blog post on Tuesday. “It also provides a way for police to access a widespread CCTV network without having to go through democratic processes or be subject to traditional oversight.”
On Wednesday, the House Oversight and Reform Committee issued a letter to Amazon, requesting information on Ring’s relationships with law enforcement and the data it collects.
Ring said in a statement that it worked with police agencies to help make neighborhoods safer by opening up communication between residents and the police. The company added that users got to choose whether they wanted to share information.
If you are privacy conscious, you should disable these requests. In the Control Center menu, tap “Video Requests” and toggle the switch to the off position.
Turn off the microphone
Does a security camera need to record sound? Thieves are the quiet type, and leaving on a microphone could let a hacker or corrupt employee eavesdrop on your conversations at home.
I suggest disabling the Ring microphones. In the app, select your camera, tap Device Settings, tap Video Settings and then Privacy Settings. Here, toggle on the switch for Disable Audio.
Install a tracker blocker on your phone
In response to how Ring’s apps were using invisible trackers to send data to third-party marketing and analytics firms, the company said it was “temporarily pausing the use of most third-party analytics services in the Ring apps and website” while it worked on tools for people to opt out of this type of data sharing.
The words “temporarily pausing” and “most” do not fill me with confidence.
Fortunately, there are apps designed to prevent trackers embedded inside apps and websites from sucking up your data. My favorite is Fyde, a free app for Android devices and iPhones.
Just download Fyde in the App Store or Google Play and follow the on-screen instructions. After activating Fyde’s protections, open the Ring app, and then return to Fyde and tap on the Activity tab to see which trackers are being blocked.
The Big Lesson
If that all sounds like a lot of effort just to use a security camera, that’s because the security concerns make Ring products impractical to own.
The broad lesson: A company’s data security practices should be a major consideration when shopping for a security product.
To help you assess that, the Mozilla Foundation, a nonprofit organization devoted to protecting a healthy internet, offers Privacy Not Included, a guide that evaluates tech products on their data security practices. It gave Ring a rating of two out of five, in part because of the company’s poor track record for managing vulnerabilities.
Other products do a better job at safeguarding your data, like Google’s Nest Hello Video Doorbell. Mozilla gave the Nest Hello a security rating of five, because it uses encryption and requires people to create strong passwords, among other practices. In other words, it’s a camera you can worry less about.
In a perfect world, you would not need to think about these issues in the first place.
“The onus shouldn’t be on the individual consumer to make sure all these things are secure and safe,” said Becca Ricks, a Mozilla researcher who worked on the guide. “Ultimately, it needs to be the responsibility of the company to make sure customer data is secure.”