How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in

Reed Albergotti, The Washington Post


Tara Thomas thought her daughter was just having nightmares. “There’s a monster in my room,” the almost-3-year-old would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

Then Thomas realized her daughter’s nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor in their Novato, California, home. Hackers, whose voices could be heard faintly in the background, were playing the recording, using the intercom feature in the software. “I’m really sad I doubted my daughter,” she said.


Though it would be nearly impossible to find out who was behind it, a hack like this one doesn’t require much effort, for two reasons: Software designed to help people break into websites and devices has gotten so easy to use that it’s practically child’s play, and many companies, including Nest, have effectively chosen to let some hackers slip through the cracks rather than impose an array of inconvenient countermeasures that could detract from their users’ experience and ultimately alienate their customers.

The result is that anyone in the world with an internet connection and rudimentary skills has the ability to virtually break into homes through devices designed to keep physical intruders out.

As hacks such as the one the Thomases suffered become public, tech companies are deciding between user convenience and potential damage to their brands. Nest could make it more difficult for hackers to break into Nest cameras, for instance, by making the log-in process more cumbersome. But doing so would introduce what Silicon Valley calls “friction” – anything that can slow down or stand in the way of someone using a product.

At the same time, tech companies pay a reputational price for each high-profile incident. Nest, which is part of Google, has been featured on local news stations throughout the country for hacks similar to what the Thomases experienced. And Nest’s recognizable brand name may have made it a bigger target. While Nest’s learning thermostats are dominant in the market, its connected security cameras trail the market leader, Arlo, according to Jack Narcotta, an analyst at the market research firm Strategy Analytics. Arlo, which spun out of Netgear, has around 30 percent of the market, he said. Nest is in the top five, he said.

Nik Sathe, vice president of software engineering for Google Home and Nest, said Nest has tried to protect its less security-savvy customers while taking care not to unduly inconvenience legitimate users in the course of keeping out the bad ones. “It’s a balance,” he said. Whatever security Nest uses, Sathe said, needs to avoid “bad outcomes in terms of user experience.”

Google spokeswoman Nicol Addison said Thomas could have avoided being hacked by implementing two-factor authentication, where in addition to a password, the user must enter a six-digit code sent via text message. Thomas said she had activated two-factor authentication; Addison said it had never been activated on the account.


The method used to spy on the Thomases is one of the oldest tricks on the Internet. Hackers essentially look for email addresses and passwords that have been dumped online after being stolen from one website or service and then check to see whether the same credentials work on another site. Like the vast majority of Internet users, the family used similar passwords on more than one account. While their Nest account had not been hacked, their password had essentially become public knowledge, thanks to countless other data breaches.

In recent years, this practice, which the security industry calls “credential stuffing”, has gotten incredibly easy. One factor is the sheer number of stolen passwords being dumped online publicly. It’s difficult to find someone who hasn’t been victimized. (You can check for yourself here.)

A new breed of credential-stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. Netflix and Spotify both said in statements that they were aware of credential stuffing and employ measures to guard against it. Netflix, for instance, monitors websites with stolen passwords and notifies users when it detects suspicious activity. Neither Netflix nor Spotify offers two-factor authentication.

But the potential for harm is higher for the 20 billion Internet-connected things expected to be online by next year, according to the research firm Gartner. Securing these devices has public safety implications. Hacked devices can be used in large-scale cyberattacks such as the “Dyn Hack” that mobilized millions of compromised “Internet of things” devices to take down Twitter, Spotify and others in 2016.

In January, Japanese lawmakers passed an amendment to allow the government to essentially do what hackers do and scour the Internet for stolen passwords and test them to see whether they have been reused on other platforms. The hope is that the government can force tech companies to fix the problem.


Security experts worry the problem has gotten so big that there could be attacks similar to the 2016 Dyn hack, this time as a result of a rise in credential stuffing.

“They almost make it foolproof,” said Anthony Ferrante, the global head of cybersecurity at FTI Consulting and a former member of the National Security Council. He said the new tools have made it even more important to stop reusing passwords.

Tech companies have been aware of the threat of credential stuffing for years, but the way they think about it has evolved as it has become a bigger problem. There was once a sense that users should take responsibility for their security by refraining from using the same password on multiple websites. But as gigantic dumps of passwords have gotten more frequent, technology companies have found that it is not just a few inattentive customers who reuse the same passwords for different accounts – it’s the majority of people online.

Credential stuffing is “at the root of probably 90 percent of the things we see happening,” said Emmanuel Schalit, chief executive of Dashlane, a password manager that allows people to store unique, random passwords in one place. Only about 1 percent of Internet users, he said, use some kind of password manager.

“We saw this coming in late 2017, early 2018 when we saw these big credential dumps start to happen,” Google’s Sathe said. In response, Nest says it implemented some security measures around that time.

It did its own research into stolen passwords available on the Web and cross-referenced them with its records, using an encryption technique that ensured Nest could not actually see the passwords. In emails sent to customers, including the Thomases, it notified customers when they were vulnerable. It also tried to block log-in attempts that veered from the way legitimate users log into accounts. For instance, if a computer from the same Internet-protocol address attempted to log into 10 Nest accounts, the algorithm would block that address from logging into any more accounts.
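The per-address rule described above, replayed over an authentication log, as an added example (not Nest’s code; Nest has not published its implementation). It assumes a constructed log format of one event per line, `<timestamp> ip=<addr> user=<account> result=<ok|fail>`, and the 10-distinct-accounts threshold quoted in the text.

```python
"""
Credential-stuffing detector modelled on the per-IP rule quoted in the text.

Added example, not Nest's own code. Assumptions (constructed for illustration):
an authentication log with one event per line in the form
    <ISO timestamp> ip=<addr> user=<account> result=<ok|fail>
and a limit of 10 distinct accounts per source address, after which that
address is refused further log-in attempts.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

DISTINCT_ACCOUNT_LIMIT = 10  # threshold stated in the article


@dataclass
class Decision:
    ts: str
    ip: str
    user: str
    # "allow": attempt proceeds; "limit_reached": attempt proceeds but the
    # address is now blocked; "block": refused before authentication.
    action: str


@dataclass
class StuffingDetector:
    limit: int = DISTINCT_ACCOUNT_LIMIT
    accounts_per_ip: dict = field(default_factory=lambda: defaultdict(set))
    blocked_ips: set = field(default_factory=set)

    def observe(self, ts: str, ip: str, user: str) -> Decision:
        """Apply the rule to one attempt, in order of arrival."""
        if ip in self.blocked_ips:
            return Decision(ts, ip, user, "block")
        seen = self.accounts_per_ip[ip]
        seen.add(user.lower())  # account names are case-insensitive here
        if len(seen) >= self.limit:
            # Tenth distinct account: this attempt goes through, but the
            # address may not log into any more accounts afterwards.
            self.blocked_ips.add(ip)
            return Decision(ts, ip, user, "limit_reached")
        return Decision(ts, ip, user, "allow")


def parse_line(line: str):
    """Return the event fields, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def run_detector(log_lines, limit=DISTINCT_ACCOUNT_LIMIT):
    """Replay a log and return (decisions, blocked_ips)."""
    det = StuffingDetector(limit=limit)
    decisions = []
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip junk rather than crash the detector on it
        decisions.append(det.observe(ev["ts"], ev["ip"], ev["user"]))
    return decisions, det.blocked_ips


def build_sample_log():
    """Constructed sample: one legitimate user and one stuffing source."""
    lines = ["2019-01-15T02:14:05Z ip=198.51.100.4 user=alice@example.com result=ok"]
    # One address trying 12 different accounts in a row: the 10th distinct
    # account trips the limit; the 11th and 12th are refused outright.
    for i in range(12):
        lines.append(
            f"2019-01-15T02:14:{10 + i:02d}Z ip=203.0.113.7 "
            f"user=user{i}@example.com result=fail"
        )
    # Alice again from her own address: unaffected by the block.
    lines.append("2019-01-15T02:15:00Z ip=198.51.100.4 user=alice@example.com result=ok")
    return lines


def summarize(decisions):
    """Count decisions by action."""
    counts = defaultdict(int)
    for d in decisions:
        counts[d.action] += 1
    return dict(counts)


if __name__ == "__main__":
    decisions, blocked = run_detector(build_sample_log())
    print("blocked IPs:", sorted(blocked))
    print("actions:", summarize(decisions))
```

A per-address limit only catches runs from a single source; attempts spread across many addresses stay under the threshold, which is why the article also mentions log-in scoring and captchas as further layers.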

But Nest’s defenses were not good enough to stop several high-profile incidents throughout last year in which hackers used credential stuffing to break into Nest cameras for kicks. Hackers told a family in a San Francisco suburb, using the family’s Nest Cam, that there was an imminent missile attack from North Korea. Someone hurled racial epithets at a family in Illinois through a Nest Cam. There were also reports of hackers changing the temperature on Nest thermostats. And while only a handful of hacks became public, other users may not even be aware their cameras are compromised.

The company was forced to respond. “Nest was not breached,” it said in a January statement. “These recent reports are based on customers using compromised passwords,” it said, urging its customers to use two-factor authentication. Nest started forcing some users to change their passwords.

This was a big step for Nest, because it created the kind of friction that technology companies usually try to avoid. “As we saw the threat evolve, we put more explicit measures in place,” Sathe said. Nest says only a small percentage of its millions of customers are vulnerable to this type of attack.

According to at least one expert, though, Nest users are still exposed. Hank Fordham, a security researcher, sat in his Calgary, Alberta, home recently and opened up a credential-stuffing software program known as Snipr. Instantly, Fordham said, he found thousands of Nest accounts that he could access. Had he wanted to, he would have been able to view cameras and change thermostat settings with relative ease.

While other similar programs have been around for years, Snipr, which costs $20 to download, is easier to use. Snipr provides the code required to check whether hundreds of the most popular platforms, from League of Legends to Netflix, are accessible with a bunch of usernames and passwords – and those have become abundantly available all over the Internet.

Fordham, who had been monitoring the software and testing it for malware, noticed that after Snipr added functionality for Nest accounts last May, news reports of attacks started coming out. “I think the credential-stuffing community was made aware of it, and that was the dam breaking,” he said.

Nest said the company had never heard of Snipr, though it is generally aware of credential-stuffing software. It said it cannot be sure whether any one program drives more credential stuffing toward Nest products.

What surprises Fordham and other security researchers about the vulnerability of Nest accounts is the fact that Nest’s parent company, Google, is widely known for having the best methods for stopping credential-stuffing attacks. Google’s vast user base gives it data that it can use to determine whether someone trying to log into an account is a human or a robot.

The reason Nest has not employed all of Google’s know-how on security goes back to Nest’s roots, according to Nest and people with knowledge of its history. Founded in 2010 by longtime Apple executive Tony Fadell, Nest promised at the time that it would not collect data on users for marketing purposes.

In 2013, Nest was acquired by Google, which has the opposite business model. Google’s products are free or inexpensive and, in exchange, it profits from the personal information it collects about its users. The people familiar with Nest’s history said the different terms of service and technical challenges have prevented Nest from using all of Google’s security products. Google declined to discuss whether any of its security features were withheld because of incompatibility with Nest’s policies.

Under Alphabet, Google’s parent company, Nest employed its own security team. While Google shared knowledge about security with its sister company, Nest developed its own software. In some ways, Nest’s practices appear to lag well behind Google’s. For instance, Nest still uses SMS messages for two-factor authentication. Using SMS is generally not recommended by security experts, because text messages can be easily hijacked by hackers. Google allows people to use authentication apps, including one it developed in-house, instead of text messages. And Nest does not use ReCaptcha, which Google acquired in 2009 and which can separate humans from automated software, like what credential stuffers use to identify vulnerable accounts.

Sathe said Nest employed plenty of advanced techniques to stop credential stuffing, such as machine learning algorithms that “score” log-ins based on how suspicious they are and block them accordingly. “We have many layers of security in conjunction with what the industry would consider best practices,” he said.

When asked why Nest does not use ReCaptcha, Sathe cited difficulty in implementing it on mobile apps, and user convenience. “Captchas do create a speed bump for the users,” he said.

The person behind Snipr, who goes by the name “Pragma” and communicates via an encrypted chat, put the blame on the company. “I can tell you right now, Nest can easily secure all of this,” he said when asked about whether his software had enabled people to listen in and harass people via Nest cams. “This is like stupidly bad security, like, extremely bad.” He also said he would remove the capability to log into Nest accounts, which he said he added last May when one of his customers asked for it, if the company asked. Pragma would not identify himself, for fear of getting in “some kind of serious trouble.”

That’s when Fordham, the Calgary security researcher, became concerned. He noticed the addition of Nest on the dashboard and took it upon himself to start warning people who were vulnerable. He logged into their Nest cams and spoke to them, imploring them to change their passwords. One of those interactions ended up being recorded by the person on the other end of the camera. A local news station broadcast the video.

Fordham said he is miffed that it is still so easy to log into Nest accounts. He noted that Dunkin’ Donuts, after seeing its users fall victim to credential-stuffing attacks aimed at taking their rewards points, implemented measures, including captchas, that have helped solve the problem. “It’s a little alarming that a company owned by Google hasn’t done the same thing as Dunkin’ Donuts,” Fordham said.

A spokeswoman for Dunkin’ declined to comment.

According to people familiar with the matter, Google is in the process of converting Nest user accounts so that they utilize Google’s security methods via Google’s log-in, in part to deal with the problem. Addison said that Nest user data will not be subject to tracking by Google. She later said that she misspoke but would not clarify what that meant.

Knowing that the hack could have been stopped with a unique password or two-factor authentication has not made Thomas, whose daughter’s camera was hacked, feel any better. “I continuously get emails saying it wasn’t their fault,” she said.

She unplugged the camera and another one she used to have in her son’s bedroom, and she doesn’t plan to turn them on again: “That was the solution.”


Resolving Smart Home Device Problems: Growing Opportunity for Support Services

There is a growing opportunity open for security integrators to address the support needs of connected consumers and their smart home devices.


As the connected home ecosystem continues to grow and the technical complexity of broadband households increases, the technical support needs of consumers change. Currently consumers own an average of 10.5 connected devices, including an average of 1.4 smart home devices.

Smart thermostat and smart security cameras lead the smart home market in reported adoption, with 11% of US broadband households owning a smart thermostat and 10% owning a smart camera.

With these connected devices come technical issues, and consumers take a range of actions after experiencing problems. These actions include seeking to resolve the problem, either on their own or with professional help, as well as returning or replacing the device.

Self-Help versus Professional Support

Among self-help support options, consumers are slightly less likely to use self-help applications on their devices than other support resources. This is likely driven by lower availability of the self-help applications compared to other self-help resources.

Among professional support resources, consumers are least likely to email a device manufacturer or contact an independent support provider. Compared to other resources, email is a less popular means of support, especially for computing device owners.

Ultimately, the decision to use self-help versus professional support resources will depend on competence and convenience.

  • Competence – Consumer familiarity with devices in the market helps to drive perceived competence.
  • Convenience – Seeking professional support, via phone, in-store services, or even a truck roll, can be inconvenient regardless of the channel. Consumers can be frustrated by long wait times to connect to remote support services through the phone or chatbots. Also inconvenient are trekking to a store for in-store support and scheduling a time for a tech to provide support at home.

The most extreme option, from an industry perspective, is to return or replace the device, but this is generally the least likely option, although consumers are slightly more likely to return smart home devices than computing or entertainment products.

Consumers are more familiar with the latter, more mature category of products and more likely to consider them essential. One in five consumers who found the smart home device setup process “very” difficult returned their device, so product returns are a threat to industry growth for the smart home.

As the smart home industry increases market penetration rates, minimizing product returns will be critical, and doing so will require increasing consumer perceptions of product familiarity and convenience when setting up, using, and troubleshooting these devices.

Premium Support

Just over one-half of smart home device problems resolved by a professional technician are resolved for free. This represents a slight increase over the past year and corresponds with a significant decrease in the percentage of consumers covering the cost of services using one-time fees.

The falloff in one-time fee payments also corresponds with a slight increase in the percentage paying for services with an existing support and warranty service.

Traditionally, companies offering premium support services for smart home devices, such as HelloTech and Amazon Home Services, did so for one-time fees. However, existing subscription support service providers — including Best Buy (Geek Squad) and Verizon — have expanded their device coverage to include smart home devices.

Support Subscriptions

While adoption of premium technical support services experienced slight growth in 2016, adoption has remained fairly constant over the past few years. Approximately 20% of broadband households report having a technical support subscription. The primary factors influencing adoption in the US market are as follows:

Top 4 Barriers

  1. Increasing device reliability – Just over 40% of consumers who do not have a technical support subscription report that they have not subscribed to a service because their devices usually perform well. If consumers perceive that they will not need support, it is highly unlikely that they will pay monthly or yearly for a support subscription.
  2. Consumer ability and desire to resolve technical problems – More than half of the technical problems consumers encountered with their devices over the past year were resolved without professional help. Among consumers who do not have technical support subscriptions, approximately one quarter report that they do not have a service because they do not need help resolving technical problems.
  3. Lower-cost technology – Given that the cost of consumer technology is declining, some consumers may choose to replace a problematic device, rather than acquire a subscription service to resolve its problems.
  4. Consumer preference to pay when they have a problem – When given the option to pay for technical support services per incident or use a monthly or annual fee, the majority of consumers (70%) prefer to pay for each incident. More than 40% of consumers who do not have a technical subscription report that they do not have one because they prefer to pay for technical support services only when they encounter a problem.

Top 5 Drivers

  1. Increasing technical complexity in the home – As consumers attempt to enable complex use cases within the smart home, interoperability issues can emerge, prompting the desire/need for support subscriptions.
  2. Connectivity issues – Maintaining reliable WiFi connectivity throughout the home is complex, and monitoring is required to prevent service interruptions.
  3. Device innovation and emerging devices – Consumers’ lack of familiarity with new products drives enablement support needs, including assistance with product setup and use.
  4. More devices in the home – Consumers with more devices in the home experience more technical problems on average, making them more likely to acquire a support subscription.
  5. Increased security concerns – Nearly two-thirds of broadband households report concerns about security and privacy when using their connected devices. Protecting consumers from ongoing threats requires ongoing monitoring – a model best served by a subscription service.

The market for support subscriptions remains fairly fragmented. A number of consumer technology brands, including security software companies and independent companies like HelloTech, each capture a small share.

With the increasingly competitive market for consumer technology products and services, providing robust technical support services is a competitive differentiator. There is a growing opportunity open to all players to address the support needs of connected consumers, and the smart home industry in particular is making investments in technical support resources.

  • Ayla Networks, a proven smart home platform offering Cloud services to smart home device manufacturers, recently partnered with PlumChoice to offer enhanced technical support services to its device manufacturer partners.
  • Puls Technologies, a San Francisco-based company providing smart home support, recently received $50 million in funding, an indication of an anticipated need for support services in the industry.

The consumer decision process regarding support solutions in the face of device problems depends on their perceptions of the devices and the convenience of the available options. As the number of services increases, consumers will have multiple options to choose from, so convenience will be a key factor in determining which services succeed. Support services with intuitive self-help solutions, which can be scaled up to more robust and engaging services when necessary, will find a receptive customer base among today’s smart home households.


Lowe’s to Shut Down Iris Smart Home Platform After Failure to Sell Off the Business

Lowe’s will shut down the Iris smart home platform on March 31, but allow customers to be reimbursed for certain devices.


MOORESVILLE, N.C. – Well, you can’t say they didn’t give it the ol’ college try. After failing to find a new owner for its Iris smart home business last fall, Lowe’s has announced it will shut down the platform on March 31, according to an email sent to subscribers last Thursday.

Customers with eligible products that exclusively work on the Iris platform are able to redeem them for a prepaid VISA gift card. So if a device works with Iris in addition to another hub, such as SmartThings, you’re out of luck. Customers also no longer have to pay for the service and can use it until their account is deactivated.

Considering there’s nothing worse than investing money in a platform only for it to shut down and leave users with useless devices, this isn’t a terrible deal.

A Lowe’s spokesperson told Digital Trends, “After carefully evaluating a range of options, the decision was made to shut down the Iris platform once it was determined that none of the alternatives would allow Iris to continue to deliver the experience our customers have come to expect of us. Lowe’s remains committed to carrying the breadth and depth of smart home products and brands to meet our customers’ needs now and in the future.”


“5 minutes of sheer terror”: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack

www.mercurynews.com


ORINDA — Laura Lyons was preparing food in her kitchen Sunday when the lazy afternoon took a turn for the absurd. A loud squawking — similar to the beginning of an emergency broadcast alert — blasted from the living room, the Orinda mother said, followed by a detailed warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio.

“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons said Monday. “It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”

Lyons and her husband stood slack-jawed in the living room, terrified but also confused because the television continued airing the NFC Championship football game. As their scared 8-year-old son crawled underneath the rug, the couple realized the apocalyptic warning came from their Nest security camera atop their living room television.

After many panicked minutes and phone calls to 911 and to Nest, the couple learned they likely were the victims of a hacker. And that panic turned to anger when they found out that Nest knew that there had been a number of such incidents — none involving nuclear strike scenarios — but failed to alert customers. Lyons said a Nest supervisor told them Sunday they likely were the victims of a “third party hack” that gained access to their camera and its speakers. The company did not return a request for comment Monday.

The Lyons are not alone.

Reports from across the country indicate a growing problem of hackers accessing the WiFi-enabled cameras from Nest and other similar companies. In December, a Houston couple rushed to their infant’s room when a hacker began screaming over the family’s Nest camera baby monitor that he was going to kidnap their child. The same month, a benevolent Canadian hacker began speaking to a Nest camera user in Arizona, warning him that his system was ripe for hacking and how to protect it.


Adwait Nadkarni, an assistant professor of computer science at the College of William & Mary, was a lead investigator in a December study on the vulnerability of Nest and similar technology.

“Our recent study of the Nest platform shows that it is reasonably secure, in comparison with other similar platforms,” Nadkarni said. “In such cases, the problem most often lies in how the devices are configured and used in the smart home, especially in terms of setting the account password.”

Nadkarni said there have been other hack attacks, but he had not heard of a nuclear hoax.

For the Orinda family, the incident began around 2 p.m. Sunday and froze Lyons in her tracks. She initially anticipated an Amber Alert warning, but the detailed nuclear war message claimed to be from Civil Defense and provided details down to the fact President Trump had been taken to a secure facility.

As the frightening message repeated a second time, Lyons’ young son asked, “Mommy, is there a missile coming?”

As she tried to calm her son, Lyons’ mind raced.

“My first thought was which car are we going to get into now because the Bay Area would be such an obvious target,” Lyons said. “I was thinking we can stop at our friends in Napa. I was disappointed I didn’t have much cash on me. I was going right down the rabbit hole.”

Lyons switched to CNN and other news stations but found no discussion of a nuclear threat. She called 911 and the dispatcher told her she had heard of no other calls.

Lyons didn’t even realize the pair of surveillance cameras the family installed a couple years ago for home security had speakers. The couple began to get more and more suspicious and eventually Googled “Nest and hack” but found nothing about a nuclear attack. Nest is owned by Google.


For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching Too

theintercept.com

The “smart home” of the 21st century isn’t just supposed to be a monument to convenience, we’re told, but also to protection, a Tony Stark-like bubble of vigilant algorithms and internet-connected sensors working ceaselessly to watch over us. But for some who’ve welcomed in Amazon’s Ring security cameras, there have been more than just algorithms watching through the lens, according to sources alarmed by Ring’s dismal privacy practices.

Ring has a history of lax, sloppy oversight when it comes to deciding who has access to some of the most precious, intimate data belonging to any person: a live, high-definition feed from around — and perhaps inside — their house. The company has marketed its line of miniature cameras, designed to be mounted as doorbells, in garages, and on bookshelves, not only as a means of keeping tabs on your home while you’re away, but of creating a sort of privatized neighborhood watch, a constellation of overlapping camera feeds that will help police detect and apprehend burglars (and worse) as they approach. “Our mission to reduce crime in neighborhoods has been at the core of everything we do at Ring,” founder and CEO Jamie Siminoff wrote last spring to commemorate the company’s reported $1 billion acquisition payday from Amazon, a company with its own recent history of troubling facial recognition practices. The marketing is working; Ring is a consumer hit and a press darling.

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click. The Information, which has aggressively covered Ring’s security lapses, reported on these practices last month.

At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s “sense that encryption would make the company less valuable,” owing to the expense of implementing encryption and lost revenue opportunities due to restricted access. The Ukraine team was also provided with a corresponding database that linked each specific video file to corresponding specific Ring customers.

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home. Although the source said they never personally witnessed any egregious abuses, they told The Intercept “if [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.” The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates. Although the engineers in question were aware that they were being surveilled by their co-workers in real time, the source questioned whether their companions were similarly informed.

Ring’s decision to grant this access to its Ukraine team was spurred in part by the weaknesses of its in-house facial and object recognition software. Neighbors, the company’s disarming name for its distributed residential surveillance platform, is now a marquee feature for Ring’s cameras, billed as a “proactive” neighborhood watch. This real-time crime-fighting requires more than raw video — it requires the ability to make sense, quickly and at a vast scale, of what’s actually happening in these household video streams. Is that a dog or your husband? Is that a burglar or a tree? Ring’s software has for years struggled with these fundamentals of object recognition. According to the most recent Information report, “Users routinely complained to customer support about receiving alerts when nothing noteworthy was happening at their front door; instead, the system seemed to be detecting a car driving by on the street or a leaf falling from a tree in the front yard.”

Computer vision has made incredible strides in recent years, but creating software that can categorize objects from scratch is often expensive and time-consuming. To jump-start the process, Ring used its Ukrainian “data operators” as a crutch for its lackluster artificial intelligence efforts, manually tagging and labeling objects in a given video as part of a “training” process to teach software with the hope that it might be able to detect such things on its own in the near future. This process is still apparently underway years later: Ring Labs, the name of the Ukrainian operation, is still employing people as data operators, according to LinkedIn, and posting job listings for vacant video-tagging gigs: “You must be able to recognize and tag all moving objects in the video correctly with high accuracy,” reads one job ad. “Be ready for rapid changes in tasks in the same way as be ready for long monotonous work.”

[Image: Ring]

A never-before-published image from an internal Ring document pulls back the veil of the company’s lofty security ambitions: Behind all the computer sophistication was a team of people drawing boxes around strangers, day in and day out, as they struggled to grant some semblance of human judgment to an algorithm. (The Intercept redacted a face from the image.)

A second source, with direct knowledge of Ring’s video-tagging efforts, said that the video annotation team watches footage not only from the popular outdoor and doorbell camera models, but from household interiors. The source said that Ring employees at times showed each other videos they were annotating and described some of the things they had witnessed, including people kissing, firing guns, and stealing.

Ring spokesperson Yassi Shahmiri would not answer any questions about the company’s past data policies and how they might be different today, electing instead to provide the following statement:

We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.

We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.

It’s not clear that the current standards for which Ring videos are accessed in Ukraine, as described in Ring’s statement, have always been in place, nor is there any indication of how (or if) they’re enforced. The Information quoted former employees saying the standards have not always been in place, and indicated that efforts to more tightly control video were put in place by Amazon only this past May after Amazon visited the Ukraine office. Even then, The Information added, staffers in Ukraine worked around the controls.

Furthermore, Ring’s overview of its Neighbors system provides zero mention of image or facial recognition, and no warning that those who use the feature are opting in to have their homes watched by individuals in a Ukrainian R&D lab. Mentions of Ring’s facial recognition practices are buried in its privacy policy, which said merely that “you may choose to use additional functionality in your Ring product that, through video data from your device, can recognize facial characteristics of familiar visitors.” Neither Ring’s terms of service nor its privacy policy mention any manual video annotation being conducted by humans, nor does either document mention the possibility that Ring staffers could access this video at all. Even with suitably strong policies in place, the question of whether Ring owners should trust a company that ever considered the above permissible will remain an open one.

Posted in Main | Leave a comment

Family traumatized after home monitoring system hacked by stranger

fox4kc.com
LONG ISLAND, N.Y. — A mother in Long Island says a stranger hacked her family’s Nest camera and tried having a conversation with her five-year-old son, according to WPIX.

Nest ads will show you beautiful images of mother nature captured on their outdoor cameras, life’s silly moments and even those moments when your child is up to no good. But for this Long Island mother, the Nest cam she and her husband set up around their home to act as a nanny cam became a full-on nightmare.

“My son came running out of the playroom and found me in the kitchen and said ‘it’s not daddy talking to me. It’s not daddy.’”

Nearly every day, after school, this mother, who asked PIX11 to hide her identity, said her 5-year-old son chats with her husband through the Nest cam, a home monitoring system users can connect through their cell phones. This time, however, it was a complete stranger on the other end.

“He asked my son if he took the school bus home and he was asking him about the toys he was playing with and when my son said ‘mommy, mommy,’ he told him to shut up,” she recalled.

When she walked into her child’s playroom, the ominous voice addressed her directly.

Now she is frightened and wonders how long a complete stranger was watching her family. Since this frightening violation, this mother called police, who, while sympathetic, said there was little they could do.

As for Nest? She was simply told to change her password and switch to a two-factor verification when logging on, but for this mom it’s not enough. She wants to speak out to warn others about this potential danger lurking in their home.

A Nest spokesperson responded to our request for comment and issued this statement:

“We have seen instances where a small number of Nest customers have re-used passwords that were previously exposed through breaches on other websites, and made public. None of these breaches involved Nest. This exposes these customers to other people using the credentials to log into their Nest account. We are proactively alerting affected customers to reset their passwords and set up two-factor authentication, which adds another layer of account security. Customers can reach out to Nest customer support with questions or report anything suspicious to security@nest.com.”
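Nest's statement describes credential stuffing: a password leaked from an unrelated site is replayed against the Nest login, and the mitigations it names are a forced reset plus two-factor authentication. As an added example (not Nest's code), the following shows how a service can catch a reused, already-leaked password at login or sign-up time without ever sending the password, or its full hash, to the lookup: it hashes locally, queries only the first five hex characters of the SHA-1 digest, and compares the remaining suffix on its own side, the range-query scheme public breached-password services expose. The breach corpus here is constructed sample data, not a real dump, and the action names are assumptions.

```python
"""Breached-password check at login/registration (added example, not Nest's
code). Breach corpus is constructed sample data; action names are assumed."""
import hashlib
from collections import defaultdict

# Constructed: passwords assumed to have leaked in third-party breaches.
_LEAKED_PLAINTEXTS = ["password123", "letmein", "qwerty2018", "summer2017!"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(plaintexts):
    """Index hash suffixes by their 5-hex prefix, as a range-query service does."""
    index = defaultdict(set)
    for p in plaintexts:
        digest = _sha1_hex(p)
        index[digest[:5]].add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(_LEAKED_PLAINTEXTS)


def range_query(prefix: str, index=BREACH_INDEX):
    """Lookup side: given a 5-character prefix, return every known suffix.
    The caller's full hash is never seen here, only the prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(index.get(prefix.upper(), ()))


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """Service side: hash locally, send the prefix, match the suffix locally."""
    digest = _sha1_hex(password)
    return digest[5:] in range_query(digest[:5], index)


def assess_login(password: str, has_2fa: bool, index=BREACH_INDEX) -> str:
    """Action for an otherwise successful login with this password:
    'ok', 'force_reset' (leaked, but a second factor already protects the
    account), or 'force_reset_and_prompt_2fa' (leaked and no second factor)."""
    if not is_breached(password, index):
        return "ok"
    return "force_reset" if has_2fa else "force_reset_and_prompt_2fa"


if __name__ == "__main__":
    for pw, twofa in [("letmein", False), ("letmein", True),
                      ("correct horse battery staple", False)]:
        print(pw, twofa, "->", assess_login(pw, twofa))
```

Running this check at login time, when the plaintext is momentarily available, is what lets a service alert affected customers proactively rather than waiting for a complaint; the prefix query keeps the lookup from becoming a second place the password is exposed.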


Convicted Texas Door Knocker Gets 1-Year Jail Term, Fined $4K

In his Alarm Exchange newsletter, Ken Kirschenbaum examines the case of an alarm salesman who lost an appeal to overturn his conviction for shady sales practices.

An alarm company salesman in Texas lost his appeal to overturn a 1-year jail term for duping an elderly woman into purchasing a bogus monitoring contract.

Beware to those door-knocking alarm salespeople who misrepresent themselves and prey upon unsuspecting or otherwise vulnerable customers. Your deceptive misdeeds do not always go unpunished.

Consider the case of a convicted alarm company salesman in Texas who has been slapped with a 1-year jail term and fined $4,000 for duping an elderly woman into purchasing a bogus monitoring contract.

In an installment of his Alarm Exchange newsletter, industry attorney Ken Kirschenbaum outlined details about the case in which the salesman appealed his original conviction on factual and technical grounds only to have an appellate court affirm the trial court’s decision.

The story of the salesman’s transgressions is, of course, all too familiar in the alarm industry. But as Kirschenbaum writes, while door-to-door sales tactics can be effective in stimulating sales it is the blatant deceptive business practices that are wholly unacceptable.

“In my opinion, it’s too bad that the company’s sale manager and even company president and owner [weren’t also prosecuted],” states Kirschenbaum, who pens SSI‘s “Legal Briefing” column. “They are the real culprits, probably training the door knocker and letting him loose, not to mention reaping the rewards of his illicit sales tactics and conduct.”

The following are quoted portions from the appellate court decision as presented in the Alarm Exchange newsletter:

The complainant was about 80 years old at the time of the offense. She had a home security alarm system monitored by Central Security Group. There was a sign in the front of her yard with the name of the company on it.

Appellant was a door-to-door sales representative for Capital Connect, a different home security alarm monitoring company. On the day of the offense, appellant rang the complainant’s doorbell. When the complainant answered, appellant pointed to the sign in the yard and said, “I’m here to update your security.”

He said that he would put a light on her sign and make it more visible from the street. He did not say what company he worked for. He was not wearing a uniform, nametag, or anything to identify what company he worked for.

Believing that appellant worked for Central, the complainant invited appellant into her home. Appellant told her that installation of new features, such as wireless monitoring, would be “free.” Ultimately, the complainant signed a five-year alarm monitoring agreement with Capital at a higher monthly cost than her previous service with Central.

The complainant testified that, before she signed the new contract, she “kept telling him that I can’t do anything without my daughter’s approval” because the daughter “tends to all of my business.” The complainant testified that she realized appellant did not work for Central when he “presented the papers” to her. One of the documents the complainant signed was an “alarm upgrade agreement.”

The complainant initialed next to the statement: “I understand that Capital Connect has not bought, taken over or is in any way partnered with my current alarm monitoring company.”

The complainant also spoke on the phone with a representative from Capital while appellant was in her home, and a recording of the call was admitted as an exhibit at trial. When the representative asked the complainant who she was paying to monitor her alarm system, the complainant said, “Central.”

The representative asked whether the complainant was having a new alarm system installed because the prior company was going out of business, had been taken over, or was no longer able to perform monitoring services. The complainant responded, “No, I’m just changing it up.”

Later, they had the following exchange:

Representative: Do you understand that by accepting this offer you will be changing alarm companies?

Complainant: That I will what?

Representative: You will be changing alarm companies.

Complainant: I’m not understanding you.

Representative: Capital Connect is a separate company from Central and so I’m just verifying —

Complainant: Yes.

Representative: — that you understand that. Ok. Great. And you understand that moving forward that you will no longer be with Central and that your monitoring and billing will be performed by [Monitronics]?

Complainant: Right.

A few days later, the complainant canceled the new contract with Capital.

The State also introduced evidence regarding two additional instances when appellant had misled customers about who he worked for. The first witness testified that he was 80 years old at the time of trial. In July 2016, the witness was returning home at about 8 p.m. when appellant walked up to the witness in the driveway.

Appellant had multiple “ID tags” or lanyards around his neck. The tags had the names of several companies, including Honeywell, Stanley and ADT. Appellant told the witness, “I’d like to talk to you about your alarm system, your burglar alarm. I see you have Stanley.”

For about 30 minutes while they were conversing, the witness thought appellant worked for Stanley — the witness’s then-current alarm monitoring company. The witness testified that appellant “probably misrepresented the fact that he was a Stanley operative.”

The witness testified that by the time he signed up for the new alarm system, he knew he was dealing with Capital.

The second witness testified that in June 2016, appellant came to the witness’s door. The witness testified that appellant “said that he wanted to talk to me about upgrading my security system, that he had seen the sign outside saying that I had ADT Security.”

Because appellant referred to the sign in the witness’s yard, the witness “assumed [appellant] was working for ADT.” While they were inside the house, the witness told his wife that appellant was “with ADT Security.”

Appellant did not correct the witness at that time. Appellant was inside the witness’s house for about 30 minutes before the witness realized that appellant did not work for ADT. The witness testified that the “first clue” that appellant did not work for ADT was the fact that the paperwork had “Capital Connect” written on it. The witness testified that he understood by the time he signed the contract that he was getting a Capital system.

The State, however, contends that the statute criminalizes conduct both leading up to and during the completion of a business transaction. Thus, the State contends that a “deceptive business practice can be committed in all aspects of the transaction and is not excused merely by a signature on a contract stating appropriate terms.”

Kirschenbaum agrees with the State, stating “The relevant inquiry does not focus on what the complainant knew at the time she signed the contract; instead, it focuses on what appellant did — what he represented — during the course of business.”

Kirschenbaum goes on to say the representation must be made “in the course of business,” which includes “selling … service or property.” The statute does not criminalize conduct of a defendant only when the defendant is successful in perpetrating a fraud. Rather, the statute criminalizes the act of “representing” — an act that can occur before a completed transaction.

Kirschenbaum continues:

In this case, a rational juror could have understood the statutory word “representing” to include appellant’s conduct and statement immediately after he initiated contact with the elderly complainant at her front door — pointing to the Central sign and stating, “I’m here to update your security.”

A rational inference from this statement and conduct is that appellant was describing a Central Security Group alarm system, although he was not. Indeed, the complainant testified that appellant did not refer to a different company’s alarm system until appellant “presented the papers” to her after gaining entry to her home and discussing alarm system features with her.

Under the evidence in this case, a rational juror could have found that appellant represented that a commodity or service was of a particular style, grade or model when it was of another.

The State presented evidence regarding two uncharged extraneous offenses, which showed that appellant employed the same or similar tactic on other people. He pointed to their alarm system signs, for companies other than Capital, and misled the customers into believing that he worked for those companies.

In one instance, he wore multiple lanyards of different companies, and in the other instance, he failed to correct the customer’s statement that appellant worked for a company other than Capital. In both instances, the customers did not learn the true style, grade, or model of the alarm systems that appellant was peddling until nearly 30 minutes into the conversations.


Security Alarm Systems in Clearwater, Fla., Must Now Be Registered With Police

Amendments to the city’s security alarm system ordinance reflect the adoption of a new digital accounting system, along with modification to a fee payment schedule.

The Clearwater Police Department hired a web developer to create a new alarm registration system to manage online registry, oversee the issuance of citations and receive payments.

CLEARWATER, Fla. — Residents and business owners here are now required to register their security alarm systems with the police department, following revisions to a city ordinance.

Clearwater Police Chief Dan Slaughter appeared before the Clearwater City Council on March 12 to seek approval for the amendments to the ordinance. The city now requires that all residents and business owners who have a security alarm system to register with the police department, tbnweekly.com reports. For the past two decades, the police department had handled all permits and registrations manually.

“But now with the 20,000-plus customers we have in the city of Clearwater, the time has come for us to digitize and bring it up to date with current standards and current common practices,” Slaughter told council members.

The police department hired a Web developer to create a new system for the city to meet these needs, Slaughter said. The system will allow the department to manage the online registry and oversee the issuance of citations and to receive payments.

Changes to the ordinance reflect the adoption of the new digital system, the discontinuance of stickers which were given to alarm system owners, and modification to the fee payment schedule, the website reports. Citation payments must now be made within 30 days rather than 15, and an escalating fee schedule has been implemented.

“Where in the past we gave one free alarm per year, and then after that it was a $50 fine, now there will be an escalating scale,” Slaughter said, referring to when an officer responds to an alarm and it is later determined to be a false alarm.

According to Slaughter, there will be no fine for the first violation, but second through fifth violations will be $50 apiece, and six or more alarms would cost $100 per incident.

Should an alarm system owner not register their system with the police department, and officers respond to a break-in at their home or business, they would be issued a $50 citation. However, that citation could be waived should the owner choose to register with the police department, the website reports.

Those owners who already have a valid permit and registration will be entered into the system by department personnel and need not reapply, unless changes to their systems have been made, Slaughter said.


Trump Authorizes PASS Act, Exempts Security Systems From DoE Energy Restrictions

President Trump signed the Power and Security Systems (PASS) Act that exempts security systems from having to abide by DoE’s no-load energy restrictions.

President Donald Trump (pictured signing previous legislation) has signed into law legislation that allows security equipment to bypass the U.S. Department of Energy requirements to carry “no-load” in an energy efficiency mode.

WASHINGTON — President Donald Trump signed into law the Power and Security Systems (PASS) Act, P.L. 115-78, culminating a yearlong effort led by the Security Industry Association (SIA) to preserve an important provision in federal energy efficiency requirements critical to the operation of security and fire alarm systems.

“The PASS Act provides much-needed certainty to manufacturers, installers and service providers who are among thousands of Americans that work in the security industry,” SIA Director of Government Relations Jake Parker says. “But ultimately it benefits the millions of American consumers that depend on such security and life safety systems.”

Drafted with assistance from SIA and in collaboration with the energy efficiency community, the PASS Act extends a policy exempting security and life safety external power supplies (EPS) from having to meet a “no-load mode” energy efficiency standard, since they must always be connected and in active mode by design and no efficiency gains would result.

The new law makes the exemption essentially permanent by removing the July 1 expiration date on the exemption and providing the U.S. Department of Energy with authority to retain the common-sense policy in any future updates to energy efficiency standards governing external power supplies.

SIA led a coalition of industry groups in working with Congress to secure the exemption in 2011, which included a “sunset provision” — a common way of ensuring a new policy set forth in legislation is reviewed by Congress before becoming more permanent.

Preserving the exemption was a key concern for security manufacturers and systems integrators. Without it, product redesign and adjustments to manufacturing processes would needlessly increase the cost of the equipment by 200% to 300%, according to industry estimates, affecting not just manufacturers but the entire value chain.

Enactment of this solution would not have been possible without the bipartisan leadership of the bill’s sponsors, Sens. Cory Gardner, R-Colo., and Maria Cantwell, D-Wash., as well as Reps. Peter Welch, D-Vt., and Susan Brooks, R-Ind. In the past two years, Gardner, Welch and Brooks have been recognized with SIA’s Legislator of the Year award for their support of this and other policies important to the security industry.


Hacked! Why Home Security Camera Installs Should Be Left to Pros

When selling video surveillance systems to would-be DIYs, remind customers about all the cybersecurity hacks out there, especially through IP cameras.

Remote networking, monitoring and management tools like SnapAV’s Luma + OvrC can help customers protect their surveillance systems from hacking.

Over the last year there have been several high-profile hacking events, including a distributed denial of service (DDoS) attack on Dyn, the Internet performance management company, which shut down major websites across the East Coast, and the much more recent Equifax breach.

Hackers are consistently working to take advantage of weaknesses, and security systems are a top target on their list. One of the more common devices in these systems is the IP camera — it’s incredibly common, and many are inexpensive and poorly maintained.

Yet these products can be so simple and inexpensive for DIYs to install themselves, why would they need a pro for the job? Consider that getting the cameras and recorders up and running is the easy part. Maintaining these products and services over time is actually the hard part.

Manufacturers forget to mention this, even with a small asterisk, when they tell you, “It’s so easy your grandmother can do it.”

Remote networking, monitoring and management tools like SnapAV’s Luma + OvrC can help customers protect their surveillance systems from hacking. Recently, several surveillance manufacturers, including some really big ones, have announced known exploits on their systems that have compromised not only home security but the Internet in general. (See the running list at CVE, Common Vulnerabilities and Exposures.)

Breaches through cameras and other IoT devices remain a constant and ever-changing threat. Professional installers should make sure the products are connected over a secure network, administered properly and updated constantly to ward off the latest Internet security threats.

In selling surveillance — even DIY products — remind clients that a security system is just like any piece of software that needs to be maintained and updated. New firmware is available on a regular basis to fix security threats, as well as address known issues and add new features (the same is true for most connected devices).

Security systems should always be running on the latest available firmware, which requires them to be updated frequently. When given the option, do consumers press the “upgrade now” button or, like many of us, do they cancel and put it off to a later date?

As for home-technology pros, updates can consume quite a bit of time if done manually. To update the firmware of a handful of cameras and a recorder might take an hour. But multiply that across 25 sites and you are talking about significant time — and cost.

Thankfully, there are remote management systems that can ease this burden — simplifying the process and greatly reducing the time it takes to keep your customers’ security systems up to date. This includes instant notifications when new firmware is released, the ability to update remotely, and more.
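The multi-site maintenance problem above reduces to one recurring check: which devices across all sites are running firmware older than the vendor's current release. As an added example (not the article's code, and not how SnapAV's OvrC or any vendor tool works), the following audits a constructed inventory against a constructed release table. It also shows the trap a quick string comparison falls into: "1.9.0" sorts after "1.10.0" lexically, so a naive check would report a stale camera as current. Model names, version numbers and site labels are all hypothetical sample data.

```python
"""Fleet firmware audit (added example; inventory, models and versions are
constructed sample data, not any vendor's release list)."""
import re
from collections import defaultdict

# Constructed: latest published firmware per (hypothetical) model.
LATEST = {"cam-x1": "2.4.1", "cam-x2": "1.10.0", "nvr-8": "3.0.2"}

# Constructed inventory: (site, device_id, model, installed_version).
INVENTORY = [
    ("site-a", "cam01", "cam-x1", "2.4.1"),
    ("site-a", "cam02", "cam-x1", "2.3.7"),
    ("site-a", "nvr01", "nvr-8", "3.0.2"),
    ("site-b", "cam01", "cam-x2", "1.9.0"),    # older than 1.10.0, despite sorting after it
    ("site-b", "cam02", "cam-x2", "1.10.0"),
    ("site-c", "cam01", "cam-zz", "0.1"),      # model with no release data on file
    ("site-c", "nvr01", "nvr-8", "3.0.2"),
]


def parse_version(version: str) -> tuple:
    """Turn '1.10.0' or 'v2.4.1-build7' into a tuple of ints for ordering."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed: str, latest: str) -> bool:
    """Numeric, component-wise comparison; avoids the lexical '1.9' > '1.10' trap."""
    return parse_version(installed) < parse_version(latest)


def audit_fleet(inventory=INVENTORY, latest=LATEST) -> dict:
    """Per site, list devices needing attention: (device, model, installed, action)."""
    report = defaultdict(list)
    for site, device, model, installed in inventory:
        if model not in latest:
            # Unknown model: cannot judge currency, so surface it rather than skip it.
            report[site].append((device, model, installed, "unknown model: no release data"))
        elif is_outdated(installed, latest[model]):
            report[site].append((device, model, installed, f"update to {latest[model]}"))
    return dict(report)


def total_findings(report: dict) -> int:
    return sum(len(items) for items in report.values())


if __name__ == "__main__":
    for site, items in sorted(audit_fleet().items()):
        for device, model, installed, action in items:
            print(f"{site} {device} ({model} {installed}): {action}")
```

Devices whose model is absent from the release table are reported rather than silently passed, since a camera nobody has release data for is exactly the poorly maintained device the article warns about.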
