Ring's new security measures don't go far enough, senator says

Four employees over the last four years have improperly accessed footage from people's video doorbells, the company disclosed in a letter to senators.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Ring responded to several security questions that senators raised about the video doorbell company on Monday.

Tyler Lizenby/CNET

Ring responded earlier this week to lawmakers' questions about measures it's taking to secure its video doorbells. But those answers didn't seem to inspire much confidence, at least for one US senator who offered feedback Wednesday.

At issue was how Ring protects its devices from hackers, following weeks of mounting concerns. One incident even brought the top executive of the Amazon-owned company to tears. In December, a hacker took control of a Ring security camera and used it to yell obscenities at an 8-year-old girl in her home in Mississippi. Ring CEO Jamie Siminoff told CNET last week that a video of the hack "made me cry."

Five senators sent their questions in a letter on Nov. 20, before a rash of hacks against Ring devices. The devices didn't require security features, such as two-factor authentication, and failed to notify users about new login sessions, according to a Motherboard report. Ring recently updated its account security to warn users about new login sessions.

Democratic Sens. Ron Wyden, Edward Markey, Chris Van Hollen, Chris Coons and Gary Peters had asked Amazon CEO Jeff Bezos to explain how Ring tested its products for security, whether the footage collected by Ring was encrypted and how much access Ring's staff had to people's video feeds.

Ring sent its response to senators on Monday, the same day it rolled out at CES in Las Vegas new privacy and security measures for its video doorbells -- including requiring two-factor authentication for new products. In its letter, Ring also said it started notifying people when new devices access their account and when their passwords have been taken in breaches on other websites.

One of the senators still has lingering concerns.

"Requiring two-factor for new accounts is a step in the right direction, but there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers," Wyden said in a statement Wednesday. "Amazon needs to go further -- by protecting all Ring devices with two-factor authentication."

Ring said Wednesday that privacy, security and user control are of paramount concern with its products and services.

"We take the protection of customer data very seriously and are always looking for ways to improve our security measures," Ring said in a statement.

In an earlier interview, Siminoff told CNET that Ring was only requiring two-factor authentication for new devices because the company worried that mandating it for all video doorbells would cause mass logouts.

The company faces a federal lawsuit and a class action lawsuit for allegedly failing to protect its users.   

It's not just device security that has people asking questions. Ring also faces privacy concerns over its hundreds of police partnerships, which have created what critics say are surveillance networks in residential neighborhoods.

Ring's letter also revealed new details about privacy issues at the company. In it, Brian Huseman, Amazon's vice president of public policy, wrote that there had been four complaints in the last four years about its employees abusing access to Ring video data. 

"Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions," Huseman said.

Ring said it had fired the employees involved in this data abuse, but didn't disclose what kind of information they had taken.

Ring also disclosed that its research and design team, which is based in Ukraine, has three employees who can access customer videos that are not publicly posted. The company said that's so they can maintain Ring's Amazon Web Services infrastructure. 

Huseman added that Ring monitors all access to video footage on its servers.

"It is also disturbing to learn that Ring's encryption of user videos lags behind other companies, who ensure that only users have the encryption keys to access their data," Wyden said Wednesday.  

The video doorbell company has seen multiple security vulnerabilities reported for its devices. In November, a Ring app was found to have been leaking people's Wi-Fi login information for several months. 

In December, Gizmodo found that Ring's Neighbors app was leaking precise location data anytime people posted to its neighborhood watch feature. The company also suffered multiple data leaks, as hackers posted thousands of people's Ring login information online.

You can read the full letter to the senators here: 

Originally published Jan. 8, 12:42 p.m. PT.
Updates, 12:51 p.m. PT: Adds more details from Ring's letter; 2:54 p.m. PT: Adds response from Ring.
