Update [May 14, 2018]: Ring reached out with the following statement: “Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security. We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s ‘Shared Users’ feature. This way, owners maintain control over who has access to their devices and can immediately remove users. Our team is taking additional steps to further improve the password change experience.”

The original article is as follows.
The mobile app used to control Ring’s smart doorbells has a security flaw that lets people who were ever allowed to log into it spy on homeowners, The Information reports. Miami-based Jesus Echezarreta found out in January that his ex-boyfriend was spying on him through his doorbell, which he had bought from the company that Amazon acquired for $1 billion earlier this spring. Although Mr. Echezarreta changed his Ring password, doing so did not log his former partner out of the service, and the ex-boyfriend was still able to access the doorbell’s camera feed.
The Santa Monica, California-based firm was notified of the incident by Mr. Echezarreta four months ago and tweaked its platform to log out all clients following a password change, yet the logout doesn’t happen instantly. Ring Chief Executive Officer Jamie Siminoff said that an immediate logout would make the app slower but that the company has already lowered the response time to an hour. A limited investigation performed by The Information didn’t corroborate those claims: at least some users still aren’t able to kick all connected clients off their Ring doorbell profile even several hours after changing their passwords.
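The trade-off described above, between checking every request against the account's current credentials and tolerating a revocation delay, can be sketched as follows. This is an added example, not Ring's code: the `SessionStore` class, the credential-epoch scheme and the one-hour cache TTL are assumptions chosen to mirror the figures in the article.

```python
import secrets


class SessionStore:
    """Hypothetical session store: each session records the account's
    credential epoch at login; a password change bumps the epoch."""

    def __init__(self, cache_ttl=0):
        self.epoch = {}      # user -> current credential epoch (authoritative)
        self.sessions = {}   # token -> (user, epoch recorded at login)
        self.cache = {}      # token -> time until which a cached "valid" holds
        self.cache_ttl = cache_ttl  # seconds; 0 = check the epoch on every request

    def login(self, user):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (user, self.epoch.setdefault(user, 0))
        return token

    def change_password(self, user, keep_token=None):
        # Bumping the epoch invalidates every session issued before the change.
        self.epoch[user] = self.epoch.get(user, 0) + 1
        # Optionally keep the session that performed the change logged in.
        if keep_token in self.sessions and self.sessions[keep_token][0] == user:
            self.sessions[keep_token] = (user, self.epoch[user])

    def is_valid(self, token, now):
        # Fast path: trust a cached decision until it expires. This is what
        # makes requests cheaper and also what delays revocation.
        expires = self.cache.get(token)
        if expires is not None and now < expires:
            return True
        self.cache.pop(token, None)
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, login_epoch = entry
        if login_epoch != self.epoch.get(user):
            del self.sessions[token]  # stale credentials: revoke for good
            return False
        if self.cache_ttl:
            self.cache[token] = now + self.cache_ttl
        return True
```

With `cache_ttl=0` an old session fails on its first request after the password change; with `cache_ttl=3600` it can keep working for up to an hour, which is the upper bound a defender should verify in testing.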
Mr. Echezarreta’s case underlines the more general security concerns raised in the Internet of Things segment, with his smart doorbell being used as a spying tool against him. An internal probe also revealed that someone had been ringing his doorbell remotely in the middle of the night; the company ultimately gave him a new device, and the episode ended with no significant consequences for his well-being. Amazon recently suggested it’s thinking about integrating Ring’s offerings into its Amazon Key ecosystem, which allows for in-home delivery even when the owners aren’t home.

This is not the first time a significant security flaw has been discovered in one of Ring’s products. In 2015, the firm had to patch a software vulnerability that allowed hackers to access one’s Wi-Fi by compromising their doorbell. Last year, a possibly faulty doorbell from the former startup was found to have been sending audio data to China, though the company claimed that threat was effectively non-existent because the packets in question contained only milliseconds of audio and were therefore unintelligible.