Amazon Ring App Found To Be (Again) Exposing User Locations, Home Addresses

from the fool-me-once dept

While Amazon Ring and other doorbells certainly deliver a certain convenience, they've created no shortage of entirely new problems. Problems that could have been avoided with just a bit of foresight and ethical behavior. First comes the fact they're being integrated into our already accountability-optional law enforcement and intelligence apparatus. Then, like the rest of the "let's connect everything to the internet but do a shit job on basic security and privacy because it costs money" IOT sector, they can't be bothered to get the fundamentals right when it comes to consumer security.

The latest example involves Ring failing to adequately secure users information when they share to the Ring "Neighbors" portion of the Ring app. Journalists had already showcased how Ring's security standards were hot garbage. And while Amazon has taken some steps to address those concerns (like making two-factor authentication mandatory), this week it was revealed that Ring’s Neighbors app was exposing the precise locations and home addresses of users who had posted to the app:

"While users’ posts are public, the app doesn’t display names or precise locations — though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes."

Whoops-a-daisy!

The disclosure comes on the heels of a similar report from Gizmodo last year that found it wasn't too difficult to ferret out hidden data allowing journalists (and anybody else) to map the location of Ring users nationwide:

"Examining the network traffic of the Neighbors app produced unexpected data, including hidden geographic coordinates that are connected to each post—latitude and longitude with up to six decimal points of precision, accurate enough to pinpoint roughly a square inch of ground."

Neat! Ring's already facing a class action lawsuit from users not particularly happy about receiving death threats and racist slurs after their Ring smart cameras were hacked.

Purportedly, Ring's Neighborhood functionality is generally supposed to help communities band together and discuss potential security threats. Kind of a neighborhood watch for the modern era. More often, however, the functionality results in people engaging in paranoid hyperventilation about minorities or homeless people getting a skosh too close to the azaleas.

If you're going to be earning additional billions from selling access to consumer residential cameras to intelligence and law enforcement every year, it seems like the very least you can do is invest a little bit more in taking consumer privacy and security seriously, even if "caring about consumers" and "selling their camera surveillance and location data to any nitwit with a nickel" operate somewhat discordantly.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doorbell, locations, privacy, ring
Companies: amazon, ring


Reader Comments

Subscribe: RSS

View by: Thread


  • identicon
    Anonymous Coward, 22 Jan 2021 @ 6:24am

    If you're going to be earning additional billions from selling access to consumer residential cameras to intelligence and law enforcement every year, it seems like the very least you can do is invest a little bit more in taking consumer privacy and security seriously,

    It seems to me that selling access to intelligence and law enforcement means that they do not take privacy seriously. Given the attitude of US cops, being seen at a demonstration would be enough for the camera being used to monitor visitors to your house.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2021 @ 7:01am

    and just like every other industry and company in the USA that is making a fortune from customer data, regardless of the risks to customers themselves, not a damn thing will be done to stop or change this! so much privacy and freedom have been lost, or more like, taken away from us in the last 20 years-ish. i'll bet the Founding Fathers etc are turning in their graves! all the revolutions etc just to keep independant of the English influence, governing and rules dictating what could and couldn't happen or be done and a couple of hundred years later we are implementing ourselves the very rules that were deplored. where's the sense?

    reply to this | link to this | view in chronology ]

  • identicon
    Crafty Coyote, 22 Jan 2021 @ 8:21am

    The best way to think about the Internet of Things (IoT) is by mixing it with Freud's theory of the instinctual part of the brain that is governed by self-interest and desire, or id. And when you mix this id + IoT... well, I rest my case.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2021 @ 8:43am

    and yet we still want self driving cars because they'll never malfunction or get hacked

    reply to this | link to this | view in chronology ]

  • icon
    Ed (profile), 22 Jan 2021 @ 8:51am

    Facts instead of hyperbole

    While it is pretty egregious that location data is still attached to video that is shared to the Neighbors app, participating and using that Neighbors app is entirely optional. I have three Ring cameras. I don't participate or use the Neighbors app because I found it to be a nuisance. It is filled with idiots who are paranoid and racist (that's not hyperbole). The cameras themselves, and the video, are encrypted and protected by 2FA and one-time-use security codes. Even Ring techs can't view video without getting a one-time-use code from me. Videos are also not just handed over to law enforcement. That would require a valid subpoena and me turning over passwords to my account. The years-ago incident of so-called "hacking" wasn't actually "hacking" of Ring but examples of malicious actors taking advantage of idiot users with account passwords like "password", or even their home wifi being totally open with no security or password.

    So, I'm not concerned about these BS things that gets reported because I know my setup is safe because I'm not an idiot. My cameras work very well and are secure.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2021 @ 9:00am

      Re: Facts instead of hyperbole

      Even Ring techs can't view video without getting a one-time-use code from me.

      What makes you believe this to be true? You have an awful lot of faith in a company already shown to be lax about security.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2021 @ 9:07am

      Re: Facts instead of hyperbole

      2FA only protects the remote login to your account, and not the videos that are stored online. Also, the one time use code is to enable someone else to login to your account, and has nothing to do with video encoding. Neither has a lot to do with preventing Amazon looking at, or enabling others to look at your videos.

      reply to this | link to this | view in chronology ]

      • icon
        Ed (profile), 23 Jan 2021 @ 8:31am

        Re: Re: Facts instead of hyperbole

        Videos are encrypted. The one-time-use code is NOT to log into the account, it is to view the video. Each video requires a different one-time code.

        reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 22 Jan 2021 @ 10:40am

      Re: Facts instead of hyperbole

      So what happens when someone asks the Court for a warrant to your account, without your say?
      Do you think a 3rd party will deny it? NOT recently, and NOT in texas,

      reply to this | link to this | view in chronology ]

      • icon
        Ed (profile), 23 Jan 2021 @ 8:32am

        Re: Re: Facts instead of hyperbole

        What happens when someone petitions the court for a warrant to access your phone records? To access your Apple phone? To access the inside of your home for a search?

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Jan 2021 @ 7:07pm

      Re: Facts instead of hyperbole

      By Ring on January 13, 2021
      Last fall, we announced that Ring would be the first major smart home security provider to offer video End-to-End Encryption to customers. We’re excited to announce that starting today, video End-to-End Encryption is rolling out to all eligible Ring devices. The feature is launching as a technical preview, and customers can share feedback on the feature via the End-to-End Encryption page in Control Center within the Ring App.


      Starting today in a ‘technical preview’ - January 13, 2021.


      10-days in is a little early to declare E2E-encryption beta a success.


      Also, no mention of a secure erase feature previously stored recordings.


      The article was about location leaking metadata in their social sharing network. Think EXIF data not displayed in app, but not cleansed from the file/feed either.


      None of that has anything to do with the article we are commenting on. We are both superfluous & hyperbolic to the topic at hand.
      ;)

      reply to this | link to this | view in chronology ]

  • icon
    Upstream (profile), 22 Jan 2021 @ 8:53am

    Ethical behavior?

    From the likes of Amazon, Google, Facebook, and their ilk? Not likely!

    People need to learn to just say "No!" to all this IOT junk. Much easier than buying it and then filing a lawsuit, although maybe not as profitable.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2021 @ 8:31pm

      Re: Ethical behavior?

      100% agree.
      And I mean this is great until everything we own becomes IOT crap. I can't live without a cell phone, but it absolutely is an IOT device.

      What really needs to happen is that these companies get a slap that makes them change their behavior. filing a lawsuit is very personally profitable, but isn't going to change their business dynamics to make them alter their behaviors to at least make their shoddy IOT products more secure.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2021 @ 8:29pm

    Why do people buy this crap?
    First is the smart speakers which always listen in, then the doorbells which give away your location and if you're home or not.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.