Class Action Lawsuit Targets Amazon, Ring Over Weak Camera Security

A lawsuit was filed in the U.S. District Court of the Central District of California targeting Amazon and Ring’s alleged negligence with regard to security practices.

SANTA MONICA, Calif. — Ring and Amazon have come under fire in recent weeks due to a rise in incidents in which hackers gained control of a user’s Ring security camera and began to speak through it.

Motherboard even discovered that hackers created a tool specifically for compromising Ring cameras.

In addition to scrutiny from these events, Ring and Amazon now have to contend with a class action lawsuit filed by Alabama resident John Baker Orange.

Orange claims a hacker talked to his children through his Ring camera while they were outside playing basketball.

The lawsuit was filed last Thursday in the U.S. District Court of the Central District of California, which makes it a federal lawsuit.

The lawsuit targets Amazon and Ring’s alleged negligence with regard to security practices. After the rise in hackings, Ring released a statement saying the incidents were in no way related to a breach or compromise of the company’s security.

Instead, it blamed the account takeovers on poor password practices and users’ failure to enable two-factor authentication. However, Ring does not make two-factor authentication a requirement.

The lawsuit holds Ring responsible for damages due to negligence, invasion of privacy, breach of the implied warranty, breach of the implied contract, unjust enrichment and unfair competition.

The total aggregated claims of class members in the suit exceed $5 million, exclusive of interest and costs.

Using default credentials, reusing passwords and not enabling two-factor authentication make it easy for hackers to infiltrate IoT devices. It’s time for manufacturers to make two-factor authentication mandatory and end the use of default login credentials.

Until that happens, it’s up to you to protect yourself and/or your customers.

You can view the lawsuit here.


Report: Hackers Have Created Dedicated Software to Break into Ring Security Cameras

After a rise of Ring camera-hacking incidents, Motherboard discovered a tool circulating on hacker forums targeting the smart home camera.

This past week has seen several instances of hackers seemingly speaking to people through their Ring security cameras. On Monday, NBC2 in Cape Coral, Fla. reported that a couple heard a voice spewing racial comments about their son through their camera.

Just yesterday, KSHB4 posted a story about a woman in Wichita, Kan. who claims her Ring cameras were hacked when a voice talked to her and her children through their device. Also yesterday, Fox17 reported that a woman in Memphis, Tenn. said a mysterious voice from her camera began taunting and harassing her 8-year-old daughter.

So what’s going on? The victims in Florida and Tennessee reached out to Ring, which replied with the following statement:

Customer trust is important to us and we take the security of our devices seriously. While we are still investigating this issue and are taking appropriate steps to protect our devices based on our investigation, we are able to confirm this incident is in no way related to a breach or compromise of Ring’s security.

Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services. As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords.

Using recycled log-in credentials is a common mistake with IoT devices and can lead to these types of incidents, because there is a good chance those credentials have already been exposed in a data breach. We’ve seen numerous Google Nest hacks due to this.

However, there seems to be something more sinister afoot. Why the sudden rise in Ring camera hackings? After combing through different hacker crime forums, Motherboard has learned that hackers have developed a tool specifically for breaking into Ring accounts with cameras.

According to Motherboard, one forum has a post for a “Ring Video Doorbell Config.” A config is a file used to drive special software that quickly churns through usernames or email addresses and passwords and tries to use them to log into accounts.

One hacker is offering a Ring.com checker for $6. Another hacker even commented on how popular the tool is, saying, “I saw multiple people asking for this config.”

These incidents highlight the importance, and arguably the necessity, of creating unique log-in credentials and enabling two-factor authentication for every account.
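From the defender’s side, the “checker” run described above leaves a recognizable trace in authentication logs: one source cycling through many distinct accounts in a short window with a low success rate, with the successes being exactly the users who reused a password leaked elsewhere. The following is an added example, not code from the article or from Ring; the log format, the thresholds and the sample lines are constructed for illustration.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example; the log format, the thresholds and the sample lines below
are constructed for illustration and are not Ring's (or anyone's) real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: "<ISO timestamp> <source IP> <account> <OK|FAIL>".
# The first source cycles through a list of accounts, succeeding on the ones
# whose owner reused a password leaked elsewhere; the other two sources are
# ordinary users (one mistyping a password once, one logging in normally).
SAMPLE_LOG = """\
2019-12-10T02:00:01Z 203.0.113.7 alice@example.com FAIL
2019-12-10T02:00:02Z 203.0.113.7 bob@example.com FAIL
2019-12-10T02:00:02Z 203.0.113.7 carol@example.com OK
2019-12-10T02:00:03Z 203.0.113.7 dave@example.com FAIL
2019-12-10T02:00:04Z 203.0.113.7 erin@example.com FAIL
2019-12-10T02:00:05Z 203.0.113.7 frank@example.com OK
2019-12-10T02:00:06Z 203.0.113.7 grace@example.com FAIL
2019-12-10T02:30:00Z 198.51.100.4 alice@example.com FAIL
2019-12-10T02:31:00Z 198.51.100.4 alice@example.com OK
2019-12-10T03:00:00Z 192.0.2.9 henry@example.com OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, account, outcome == "OK"))
    return events


def _summarize(window_events):
    """Count attempts, distinct accounts and successes inside one time window."""
    return {
        "attempts": len(window_events),
        "accounts_tried": len({acct for _, acct, _ in window_events}),
        "successes": sum(1 for _, _, ok in window_events if ok),
        "compromised": sorted({acct for _, acct, ok in window_events if ok}),
    }


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that hit many distinct accounts within
    `window` with a low success rate. A real user retrying one account never
    matches; a checker iterating a credential list does. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            summary = _summarize(evs[start:end + 1])
            if summary["accounts_tried"] < min_accounts:
                continue
            if summary["successes"] / summary["attempts"] <= max_success_rate:
                # Keep the widest qualifying window seen for this source.
                if ip not in flagged or summary["accounts_tried"] > flagged[ip]["accounts_tried"]:
                    flagged[ip] = summary
    return flagged


def accounts_to_reset(flagged):
    """Accounts that logged in successfully from a flagged source: their reused
    password has very likely leaked, so they need a forced password reset and a
    two-factor enrollment prompt rather than just a notification."""
    return sorted({acct for s in flagged.values() for acct in s["compromised"]})


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, summary in hits.items():
        print(f"{ip}: {summary['accounts_tried']} accounts tried, "
              f"{summary['successes']} succeeded")
    print("force reset + 2FA prompt:", accounts_to_reset(hits))
```

The per-account retry from 198.51.100.4 is deliberately not flagged; the signal is breadth across accounts from one source, not failures on one account.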


New Report Calls for Massive Alarm Panel Recall

Recall DOES NOT affect any My-Alarm equipment or customers!

For the past 20 years most hardwired alarm panels have been manufactured in deviation to UL 1023, UL 985 and NFPA 72 standards, Jeffrey Zwirn contends.

Zwirn’s findings are supported by a peer review report conducted and written by Merton Bunker, a former veteran staff liaison to the National Fire Protection Association (NFPA).

FRAMINGHAM, Mass. — Nationally recognized alarm and security forensic expert Jeffrey Zwirn is heading an effort to have the U.S. Consumer Product Safety Commission (CPSC) investigate the noncompliance of UL and NFPA 72 codes that he argues should result in the recall of tens of millions of alarm panels.

At the heart of Zwirn’s critical recall request are noncompliance dangers and vulnerabilities within single data-bus connected control units that are commonplace in hardwired residential and commercial alarm panels. Under a single fault condition, such as the introduction of a short circuit on the data-bus circuit, fire and intrusion alarm panels can be rendered partially or fully nonfunctional, Zwirn says he discovered as part of his forensic practice.

Nonfunctioning panels are therefore unable to communicate an alarm condition to the monitoring center. Also, peripheral devices such as smoke detectors, carbon monoxide detectors and intrusion alarm sensors will fail to audibly alert property occupants with the potential for severe injury or even death, according to Zwirn.

Zwirn, a contributor to SSI, is president of IDS Research & Development, an alarm and security consultation, expert litigation witness and training authority. He detailed his findings in a 43-page forensic analysis that focuses specifically on non-compliance issues involving UL 985, UL 1023, NFPA 72 of the National Fire Alarm Code, and NFPA 72 of the National Fire Alarm and Signaling Code. You can view video demonstrations of each non-compliance issue here.

For the past 20 years the vast majority of hardwired alarm panels have been manufactured in deviation to UL 1023, UL 985 and NFPA 72 standards, Zwirn contends. The extensive nonconformity ought to result in “the largest recall the industry has ever seen,” he tells SSI.

“Concurrently, alarm companies will have many opportunities to help minimize property loss, serious personal injury and even death by correcting these serious deficiencies, which before now was not known by the alarm industry,” Zwirn says. “If that was not enough, both UL, Intertek and other Nationally Recognized Testing Laboratories [NRTL] need to take responsibility as well for failing to comply with the standards which they represent that all of their control panels comply with, which was not accurate.”

Furthermore, he continues, manufacturers of alarm control panels have the duty to ensure the products that they designed, made and sold were code compliant with both UL and NFPA standards.

Connaughton Group, a product integrity consulting firm retained by IDS, assisted with the filing of a request for investigation of “Complaint of Non-Conforming Products” to the CPSC. In the filing, Connaughton Group President and CEO Thomas Connaughton states “ … it is estimated that the totality of the non-conforming control panels total hundreds of millions of units which were sold and installed across the country.”

The filing also makes reference to “documented losses of life and property where these control panels were installed and failed,” which Connaughton Group provided within its regulatory package.

According to the CPSC’s recall handbook, reporting a suspect product does not automatically mean the Commission “will conclude the product creates a substantial product hazard or that corrective action is necessary. The CPSC staff will evaluate the report and works with the reporting firm to determine if corrective action is appropriate.” Many reports submitted to the Commission require no corrective action, the handbook states, “because the staff concludes that the reported product defect does not create a substantial product hazard.”

UL, Intertek Investigating

Teams from UL and Intertek have undertaken investigations of the claims documented in Zwirn’s forensic analysis, according to the filing. The outcomes of both investigations are yet to be released. UL provided the following statement to SSI:

“UL’s public mission is to promote safer working and living environments for all people. We make every effort to confirm that UL-certified products meet stringent safety requirements, including opening a Product Incident Report for any issue that comes to our attention. Consistent with our usual policies regarding product safety matters, when UL received the alarm system claims, UL immediately opened a Product Incident Report and began an investigation.

During such investigations, certification documentation is reviewed, products are often re-tested, and if any issues are found, UL works with the product manufacturer to resolve the issues. In some instances, a public notice may be issued. Based on the investigation completed thus far, no safety issues have been identified. The investigation is still ongoing.”

Zwirn’s findings are supported by a peer review report conducted and written by Merton Bunker, a former veteran staff liaison to the National Fire Protection Association (NFPA). Among his vast credentials, Bunker was chief electrical engineer for the NFPA, responsible for the development of the National Electrical Code from 1998 to 2001.

In these videos, Zwirn demonstrates how various alarm panels and peripherals will fail when single data-bus connected control units are subjected to short circuiting.

In a formal letter provided to the CPSC as part of the Connaughton Group filing, Bunker states that he “technically duplicated, validated and verified” the findings in Zwirn’s forensic analysis report.

Addressing the gravity of the noncompliance issues and potential risk to life and property, Bunker calls for immediate steps to be taken, including: “Authorities having jurisdiction across the country and around the world need to be put on notice immediately.”

He continues, “All of the affected consumers and businesses where these control panels are installed should be put on notice that immediate corrective action is required since the control panels are non-conforming equipment.”

In all, Bunker lists a half-dozen brief opinions in his two-page letter. The last one stresses, “A comprehensive and corrective action plan needs to be instituted immediately.”

Zwirn to Market Panel Fix

While UL and Intertek investigations continue, and the industry awaits a decision by the CPSC, Zwirn is ramping up marketing efforts for a device he claims provides an easy fix to non-compliant single data-bus control panels.

Some industry stakeholders may be familiar with the Interceptor, a small control unit module that Zwirn has previously attempted to bring to market. He introduced the Interceptor in 2017 at ISC West. The now UL-Listed device is billed as a first-of-its-kind microprocessor based on patent pending technology designed to protect critically vulnerable data-bus and auxiliary power output wiring.

In a press release describing the product at the time of its introduction, the control unit module was said to eliminate “potentially dangerous and serious vulnerabilities that a multitude of equipment manufacturers and alarm companies have not identified and/or recognized.”

Zwirn has teamed with security industry veteran Keith Jentoft who will lead the marketing efforts for the device. Jentoft’s industry tenure includes serving as president of Videofied/RSI Video Technologies, which was acquired by Honeywell in 2016. He also founded the Partnership for Priority Verified Alarm Response (PPVAR).

Jentoft explained to SSI they will look to license the product to one or more manufacturers or other entities.

“You can imagine a tremendous business opportunity because every panel that’s out there is going to need one of these modules, that is the cheapest way [to fix the non-compliance issue] in any case. And if I was Company X, maybe I want to buy this as an exclusive,” he said. “So with all those panels, now I have my fingers in there. And maybe I want to have them reporting to me. There is a whole bunch of things you could do if you’re the only one that had it.”

SSI asked Zwirn about the potential conflict of interest in pursuing an unprecedented panel recall while simultaneously marketing a quick-fix product to solve the non-compliance issues and panel weaknesses. He responded:

“The standards which I rely upon were created by the alarm industry itself to define what a safe and reliable system is. Based on the codes and standards, which have been used for decades, the industry supports my position. The issue here is not the standards; it is the egregious failure of UL to verify and test that the control panels which each manufacturer submits to them are compliant.

Manufacturers pay UL to test their products. UL tests and certifies that they comply. Then the manufacturers in good faith sell these control panels to the dealers and the dealers in good faith install them in both residential and commercial applications,” he commented.

He continued, emphasizing his belief that UL is clearly at fault “because the industry has already defined what a safe control panel looks like, and they depend on UL to certify that they comply.”

“As far as a conflict of interest, I spent my own money to develop a solution to address what I perceived as a life-safety weakness in control panels before I recognized that UL had not properly tested the control panels,” he said. “I was motivated by life-safety concerns then and I still am.”


Report: Ring Wanted 911 Calls to Activate Its Video Doorbells

Emails show Ring and law enforcement were in the early stages of creating functionality that would turn on video doorbells in the vicinity of a 911 call.

Ring has been on the hot seat ever since a report emerged in July that revealed the company essentially enlisted police departments as salespeople for its video doorbells.

The latest development to come out of that partnership is the revelation that Ring considered building a tool that would make 911 calls automatically activate its video doorbells.

According to emails obtained by CNET, Ring told a California police department in August 2018 that the function could be introduced in the “not-so-distant future.” The project has since been abandoned.

In emails to the police department, Ring described a system in which a 911 call would trigger the cameras on Ring doorbells near the site of the call. The cameras would then start recording and streaming video that police could use to investigate an incident.

“Currently, our cameras record based on motion alerts,” Steve Sebestyen, vice president of business development for Ring, said in an email that CNET obtained through a public records request. “However, we are working with interested agencies and cities to expand the device owners’ controls to allow for situations where a CFS [call-for-service] event triggers recording within the proximity of an event.”

Though Ring users would have to opt in to the feature, it still raises privacy concerns. Currently, police departments that partner with the company are contractually obligated to provide Ring with certain information, such as access to call logs and incident data.

Additionally, Ring has partnered with several public safety software providers such as Central Square Technologies, NC4 and Motorola to harvest data, and even scrapes public records sources.

This computer-aided dispatch (CAD) data helps dispatchers improve call response times and determine the best way to provide resources, according to CNET.

“CAD data reveals a host of intimate and personal information from domestic problems to medical crises to who lives at a particular address and with whom,” says Andrew Guthrie Ferguson, author of The Rise of Big Data Policing and a law professor at the University of the District of Columbia. “While important, they are the product of emergency reactions and imperfect information.”

What is Ring doing with all of this data? The company’s Neighbors app, which is essentially an online neighborhood watch, posts alerts about local crimes and emergencies. For instance, it will alert users if there are reports of a shooting nearby.

The unfortunate truth is providing people with this type of platform can cause a rise in paranoia, which then leads to biases and false alarms. Imagine what would happen if suddenly every neighborhood video doorbell turned on when a 911 call is placed.

“What happens when someone calls the police because there’s a ‘suspicious person’ in the neighborhood?” asks Electronic Frontier Foundation policy analyst Matthew Guariglia. “Now every camera in that neighborhood is turned on and tracking a dog walker or someone out on a stroll just because of their race or the color of their skin.”


‘Amazon Choice’ Cameras Found to Have Huge Security Flaws

Tests conducted by a consumer watchdog group revealed that certain cheap IP cameras sold on Amazon can easily let hackers into users’ homes.

If you are a frequent shopper on Amazon, you are likely familiar with the “Amazon’s Choice” label that appears next to certain products. Nowhere on the site is it explicitly explained what exactly that means. It would probably be safe to assume that the label is only applied to products of reasonable quality, right?

In general, the label appears on certain products that are frequently purchased, have a high rating and are competitively priced. However, some of these products are less than reliable.

Take for example the countless wireless surveillance cameras that are being sold on Amazon. Which?, a UK-based consumer watchdog, recently purchased four wireless security cameras from the e-commerce giant.

All the cameras were from companies based in Shenzhen, China. Which? was unable to find much, if any, background information on the manufacturers.

When testing the cameras, it immediately became apparent how vulnerable each device is. One camera, the Vstarcam C7837WIP, used “admin” as the default username and an easily guessable password. This would allow anyone with that information to take over the camera.

The ieGeek 1080p and Sricam 720p cameras appear to use the same app, which requires the user to input their WiFi password, which is then sent unencrypted over the Internet. Anyone who intercepts that password could join the home network and view information being sent to or stored on devices connected to it, such as laptops or even smart speakers.

“There appears to be little to no quality control with these sub-standard products, which risk people’s security yet are being endorsed and sold on Amazon,” says Adam French, a consumer rights expert at Which?. “Amazon and other online marketplaces must take these cameras off sale and improve the way they scrutinize these products,” he continued. “They certainly should not be endorsing products that put people’s privacy at risk.”

These dangerous cameras have caught the eye not only of consumer watchdogs but also of Amazon customers. There are numerous negative reviews of the cameras that describe their vulnerabilities.

One disturbing review for a Victure security camera that carries the Amazon Choice badge states, “Someone spied on us. They talked through the camera and they turned the camera on at will. Extremely creepy. We told Amazon. Three of us experienced it, yet they’re still selling them.”

Between dangerous products and fake reviews, it is always important to do your due diligence when shopping online, especially when it comes to security products. Or better yet, call a professional.

MY-ALARM 1-866-641-6599


3 in 4 Broadband Households to Acquire a Security or Privacy Service in Next 12 Months

A new report by Parks Associates shows that 62% of these U.S. consumers would opt to pay an additional fee for these services.

According to Parks Associates, with increased device ownership consumers show greater levels of interest for all types of data privacy and security solutions, though there is a significant deficit between interest and adoption.

DALLAS — A large majority of consumers in the United States are expressing greater levels of interest for all types of data privacy and security solutions, according to new research by Parks Associates.

The report, “360 Deep Dive: Consumer Privacy: My Smart Home, My Castle,” found that 75% of heads of U.S. broadband households intend to acquire a security or privacy service in the next 12 months. Almost 40% of these consumers rank receiving these services bundled with their broadband service at no additional charge as most desirable, while the remaining 62% would opt to pay an additional fee for these services, either through a subscription, warranty, or one-time fee.

“Security and privacy services include parental controls, malware detection, and network activity monitoring. While interest is high, consumers still show a reluctance toward recurring fees — only 27% of data security/privacy intenders would opt for a subscription model,” says Lindsay Gafford, research analyst, Parks Associates.

Gafford continues, “The challenges to securing the smart home will intensify as consumers acquire more devices, creating ample business opportunities throughout the value chain for security solution providers. Vendors can differentiate by providing security expertise and flexible solutions that keep pace with changing security requirements.”

With increased device ownership, consumers show greater levels of interest for all types of data privacy and security solutions, though there is a significant deficit between interest and adoption. Among all U.S. broadband households, 63% are interested in a solution preventing identity theft, but only 19% actually use identity theft solutions.

“Consumers are struggling to understand what services are available to them, which service will actually protect their data, and which services fit into their payment preferences,” Gafford explains. “The service potential is immense, and broadband service providers are entering this space by partnering with data security solution providers to provide value-added services for consumers.”

“360 Deep Dive: Consumer Privacy: My Smart Home, My Castle” provides consumer data on current attitudes around data privacy, the value of data, privacy controls, and preferences for how companies collect and manage their data.

Additional results from the study:

  • Nearly 40% of consumers do not take any action to protect themselves from unauthorized access to their connected devices.
  • Only 15% of consumers strongly believe they receive a lot of benefit in sharing access to their data.
  • 63% of U.S. broadband households use at least one data security service for any purpose.

SimpliSafe DIY Security System Can Be Bypassed With $2 Emitter

The $2 wireless emitter fools the SimpliSafe security system by mimicking the frequency of its door and window contact sensors.

DIY home security systems continue to soar in popularity. However, they also continue to show why they are not always as reliable as professionally installed security systems.

SimpliSafe, one of the first major DIY security companies, has faced scrutiny over the past several years for vulnerabilities in its smart security system.

In 2016, the SimpliSafe system was found to be “inherently insecure and vulnerable to even a low-level attacker.” Later that year, SSI contributor and forensic alarm expert Jeffrey Zwirn analyzed SimpliSafe’s DIY offering and found disturbing results.

The latest person to find a flaw in the SimpliSafe system is a YouTuber who goes by the name “LockPickingLawyer.” He recently posted a video that demonstrates how the system can be fooled by a $2 wireless emitter that mimics the frequency of its door and window contact sensors.

This is possible because the DIY security system’s base communicates with its sensors on the 433.92 MHz frequency, which is used by many other electronic consumer products.

The system can be fooled by activating the emitter at the same time as opening a door or window (breaking the contact of the sensor). The emitter is apparently powerful enough to block the sensor’s communication back to the base, preventing the alarm from sounding.

However, if the emitter is close enough to the alarm base, the end user will be notified of wireless interference. You can watch the demonstration in the video above.

Tech website The Verge reported on this video and received the following response from SimpliSafe:

The video is misleading, and it doesn’t apply to how security systems work in real life.

As the video demonstrates, SimpliSafe systems are engineered to detect this kind of interference.

In this video, the videomaker finds a precise frequency, signal strength, and orientation of system components in which they can thread the needle of blocking system communication without triggering an alert.

In real life, this is unlikely. Because signal strength degrades unpredictably depending on distance and landscape, it would be very difficult for anyone to hit on the “right” strength without triggering an alert.

In addition, the setup the videomaker demonstrates (in which the sensors, base, keypad and “jammer” are all close together) does not resemble the setup of an actual home. In other words, prior knowledge of the layout of the motion sensors, door sensors and base station in the customers home and a rehearsal of how to move about the home would be necessary to confidently select a strength that will both jam and not be detected. In order for a real bad actor to effectively interfere with the system in this way, they would likely have to already be inside the home and have had ample practice.

We take very seriously anything that might interfere with our mission of keeping every home secure. We have the ability to tune the detection parameters and regularly release security and usability updates, making it increasingly difficult for anyone to use this type of attack.

The Verge then reached out to LockPickingLawyer to get his comment on SimpliSafe’s statement. He says he didn’t have to tune the $2 device in any way to get it to reliably bypass the alarm system and it was able to do it right out of the box. He also said it sometimes triggered an interference notification, though never an alarm.

He said:

The farthest from the base station I tested was about 60 feet (through two walls), and it worked the same as shown in my video.

SimpliSafe takes issue with the system components being arranged close together during the video. That was a necessity of filmmaking, not a physical limit of the exploit. In my testing, I carried sensors away from the base station to the far reaches of my home, then conducted the same tests with the same device and obtained the same results. If anything, testing at realistic distances showed a more significant problem insofar as the SimpliSafe system was less likely to detect the interference.

SimpliSafe’s other criticism is that someone would need prior knowledge of the system’s arrangement to avoid the detection of interference. The company is attacking a straw man. What is necessary to avoid detection of this exploit was outside the scope of my testing. In fact, my video explicitly notes that SimpliSafe may detect the interference. Detection of interference, however, never triggered an alarm in my testing. It only sent an “alert” that the resident may or may not investigate. As such, my video specifically advised owners of this system to take these alerts seriously regardless of how many prior alerts they’ve received as a result of non-malicious interference. It’s also important to note that if the system owner doesn’t have security cameras with which to investigate, the alert is of very limited usefulness. This is why I recommend the system be used in conjunction with security cameras.

As more DIY solutions hit the market, it’s important for security professionals to educate consumers about the dangers of going DIY. Though no solution is 100% bulletproof, it is important to choose a solution that can’t be compromised with something as simple as a $2 wireless emitter.


Alerts from Amazon Ring are often false alarms

www.cnet.com

Residents with Ring doorbells have been frequently pinging police with footage that doesn’t contain any crimes.

In May, police in Hammond, Indiana, got a suspicious-person alert from a concerned resident. She could see a man, she told officers, through her Ring smart doorbell.

The resident had already sent police another message, along with footage from her internet-connected video doorbell, about an earlier incident. Now the resident was even more frightened, having watched a new incident unfold on her phone through a live feed from her Ring app.

She sent police the video recorded from the doorbell. Police immediately knew the man wasn’t a criminal.

“It was one of our detectives. He was going there to interview the person for whatever the situation was,” said Steve Kellogg, a public information officer for Hammond Police, adding that the cop was wearing plain clothes but had a badge around his neck. The badge was out of the Ring camera’s line of sight, but the resident would have spotted it immediately had she gone to the door, the officer added.

“He’s clearly on the camera saying he’s with the police department,” Kellogg said.

The incident is among the growing number of false alarms involving Ring cameras, which have spread around the country as police departments partner with Amazon’s smart doorbell company. False alarm calls are nothing new, but police say the Ring doorbells make it easier for citizens to report anything they find suspicious and send video for law enforcement to review.

Ring and police have promoted these partnerships on social media, often demonstrating their value by highlighting incidents in which Ring has stopped package thefts.

“The more people involved in your neighborhood watch, the safer our neighborhoods become,” Ring says on its website. “Ring connects citizens with each other and local law enforcement to make a true impact on your community.”

Ring’s limitations, however, aren’t prominently featured.


In towns where police have signed up for Ring, officers told CNET that having the extra sets of eyes in neighborhoods doesn’t mean the police are solving more crimes. In some cases, it simply means there’s more worry among residents.

At the International Association of Chiefs of Police conference in May, police from Chandler, Arizona, said apps like Ring’s Neighbors have prompted residents to believe crime is prevalent even though violent crime is at historic lows in the city, according to notes provided by Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation, who attended the conference.

“Once you start having all of these cameras and start linking them to automatic notifications, the public may get the sense that crime is on the rise when it actually isn’t,” Maass said.

Detective Seth Tyler, a Chandler police public information officer, told CNET that the department has received an average of two alerts a day from residents through the Neighbors app since the department partnered with Ring in April. Typically, the footage is of cars driving in neighborhoods, people walking or strangers at doorsteps, Tyler said. These aren’t crimes, but Chandler police will still investigate those leads, the officer said.

“Some people are better than others at determining crimes,” Tyler said. “But from our perspective, I can tell you that we would be more than happy to investigate all of those.”

The department’s crime prevention unit has three officers responsible for watching footage from Ring’s app and investigating leads. Last December, Ring CEO Jamie Siminoff and Neighbors general manager Eric Kuhn told CNET that roughly one in three posts shows crimes or public safety issues. About 65 percent of posts on Neighbors are “suspicious behavior” or solicitors and strangers on people’s property.

“Ring is proud of how engaged our users are within their communities, which includes alerting local law enforcement if something seems out of the ordinary,” a Ring spokesperson said in a statement. “Reaching out to local law enforcement for help is exactly what the public has been taught to do and gives local law enforcement the chance to decide if further action is needed. This is a key part of the community’s relationship with law enforcement, and that is not exclusive to owning a Ring device or engaging on the Neighbors app.”

Amazon doesn’t disclose how many police departments it works with, but a CNET investigation found more than 50 law enforcement agencies had developed relationships with the Ring business over the last two years. Fight for the Future, a tech-focused nonprofit, has created an interactive map to identify where police have partnered with Ring. Motherboard reported that Ring told police it’s partnered with 200 law enforcement agencies in the US.

Amazon purchased Ring in 2018 for $839 million, according to SEC filings. At the time, analysts forecast that more than 3.4 million video doorbells would be sold that year.

Some ring true

Not all calls to Ring are false alarms.

The cameras have helped solve plenty of crimes, including a double homicide in Gary, Indiana. Prosecutors in a murder case in Texas used Ring footage to show an alleged killer entering a home. In Bloomfield, New Jersey, an entire town covered in Ring cameras, the system has helped solve an armed robbery as well as car thefts, according to Capt. Vince Kerney, Bloomfield’s detective bureau commander.

Still, there’s often more footage of innocent behavior than there is of actual crime, police say.

Kerney recalls an incident in which his department received footage from four homes about a truck suspected of following a child around. They were able to identify the truck based on the video provided. After investigation, it turned out to be a false alarm.

“There was no crime that was being committed. It was just a coincidence that this person pulled over in front of a kid, and he got scared and ran away,” Kerney said.

It’s unclear how many false alarms have been sent to police. Amazon doesn’t provide overall statistics on usage of the device.

In February, The Outline detailed an incident in which a resident called police after seeing footage of someone walking through her front door in California. The dispatcher helped the caller realize she was watching footage of herself entering her home.

Though Ring has helped police solve some crimes, it’s unclear if the technology has any significant effect on crime rates. Amazon says it does, citing a 2015 pilot program in Los Angeles that found Ring doorbells helped to more than halve burglaries. Last October, MIT Technology Review looked at crime data and found the study wasn’t as accurate as its authors claimed.

In some cases, police don’t get information from Ring or Neighbors quickly enough to be useful. In Hampton, Virginia, police put out an alert for a missing person on Neighbors, asking residents to send any footage they could. The missing person was found before any footage was received, police said.

More footage, more problems

In March, Eric Piza, an associate professor at the John Jay College of Criminal Justice, released a study that found surveillance cameras were mostly effective when they were being actively monitored. They did little to reduce crime rates if police were receiving footage after an incident.

With Ring, police are receiving even more footage, and Piza found that officers often don’t have resources dedicated to watching it all.

“What my research has found is that police can have too many videos to actively monitor,” he said. “If police plan on integrating Ring footage into their operation, technology requires manpower to be effectively used.”

Because Ring partnerships give citizens a direct line to police through the Neighbors app, Piza is concerned about overreporting of innocuous activities. In February, Motherboard reviewed more than 100 Neighbors posts, the majority of which were reports of people of color going about daily life.


Often, the footage simply captures people walking through a neighborhood. They aren’t engaged in any activity that could be considered suspicious, Piza said.

Ring’s relationship with police has created more cameras in residential neighborhoods and more opportunities to find footage to solve crimes, but it’s also opened up the pipeline for unfounded concerns.

“We’ve seen from research that people are not the best judges of criminal behavior,” Piza said. “Especially recently, with white citizens reporting black citizens for innocent and innocuous behavior.”


Vivint’s Solicitation Permit Revoked in N.C. Town After Breaking Door-Knocking Rules

Huntersville, N.C. police say residents complained about Vivint door-knockers “being pushy, argumentative, sometimes cursing and coming late at night.”


HUNTERSVILLE, N.C. — Door knockers present a bit of a quandary for the security industry. On one hand, door-to-door sales can be an effective marketing tool. On the other, a public nuisance.

Huntersville police have kicked Vivint door-to-door salespeople out of town after hearing complaints from residents.

“We received a lot of complaints from residents throughout Huntersville about them being pushy, argumentative, sometimes cursing and coming late at night,” Officer Odette Saglimbeni told WBTV.

Huntersville police say they ran background checks on the employees who would be soliciting in the town when Vivint applied for its solicitation permit.

The permit was granted after everything came back okay. The permit was issued with the understanding that the workers would operate under the usual door-knocking parameters, including a town ordinance that bans soliciting between 8 p.m. and 7 a.m.

However, police say the workers broke the rules within two weeks. Because issues persisted, even after being warned, police decided to revoke the solicitation permit.

“If they’re being pushy and argumentative causing an issue with residents that’s not what we want. If they want to go out there and solicit business that’s fine but they need to do it in a professional manner that does not cause people to be concerned, doesn’t scare people or feel like they’re being pressured,” says Saglimbeni. “We felt that there were enough complaints and they were pretty consistent with everybody that was complaining that they were being pushy, argumentative, and trying to get into homes, not leaving when asked to leave – so we felt best interest of the public we should revoke that permit.”


How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in

Reed Albergotti, The Washington Post


Tara Thomas thought her daughter was just having nightmares. “There’s a monster in my room,” the almost-3-year-old would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

Then Thomas realized her daughter’s nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor in their Novato, California, home. Hackers, whose voices could be heard faintly in the background, were playing the recording, using the intercom feature in the software. “I’m really sad I doubted my daughter,” she said.


Though it would be nearly impossible to find out who was behind it, a hack like this one doesn’t require much effort, for two reasons: Software designed to help people break into websites and devices has gotten so easy to use that it’s practically child’s play, and many companies, including Nest, have effectively chosen to let some hackers slip through the cracks rather than impose an array of inconvenient countermeasures that would detract from their users’ experience and ultimately alienate their customers.

The result is that anyone in the world with an internet connection and rudimentary skills has the ability to virtually break into homes through devices designed to keep physical intruders out.

As hacks such as the one the Thomases suffered become public, tech companies are deciding between user convenience and potential damage to their brands. Nest could make it more difficult for hackers to break into Nest cameras, for instance, by making the log-in process more cumbersome. But doing so would introduce what Silicon Valley calls “friction” – anything that can slow down or stand in the way of someone using a product.

At the same time, tech companies pay a reputational price for each high-profile incident. Nest, which is part of Google, has been featured on local news stations throughout the country for hacks similar to what the Thomases experienced. And Nest’s recognizable brand name may have made it a bigger target. While Nest’s learning thermostats are dominant in the market, its connected security cameras trail the market leader, Arlo, according to Jack Narcotta, an analyst at the market research firm Strategy Analytics. Arlo, which spun out of Netgear, has around 30 percent of the market, he said. Nest is in the top five, he said.

Nik Sathe, vice president of software engineering for Google Home and Nest, said Nest has tried to protect its less security-savvy customers while taking care not to unduly inconvenience legitimate users in the course of keeping out the bad ones. “It’s a balance,” he said. Whatever security Nest uses, Sathe said, needs to avoid “bad outcomes in terms of user experience.”

Google spokeswoman Nicol Addison said Thomas could have avoided being hacked by implementing two-factor authentication, where in addition to a password, the user must enter a six-digit code sent via text message. Thomas said she had activated two-factor authentication; Addison said it had never been activated on the account.


The method used to spy on the Thomases is one of the oldest tricks on the Internet. Hackers essentially look for email addresses and passwords that have been dumped online after being stolen from one website or service and then check to see whether the same credentials work on another site. Like the vast majority of Internet users, the family used similar passwords on more than one account. While their Nest account had not been hacked, their password had essentially become public knowledge, thanks to countless other data breaches.

In recent years, this practice, which the security industry calls “credential stuffing”, has gotten incredibly easy. One factor is the sheer number of stolen passwords being dumped online publicly. It’s difficult to find someone who hasn’t been victimized.

A new breed of credential-stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. Netflix and Spotify both said in statements that they were aware of credential stuffing and employ measures to guard against it. Netflix, for instance, monitors websites with stolen passwords and notifies users when it detects suspicious activity. Neither Netflix nor Spotify offers two-factor authentication.

But the potential for harm is higher for the 20 billion Internet-connected things expected to be online by next year, according to the research firm Gartner. Securing these devices has public safety implications. Hacked devices can be used in large-scale cyberattacks such as the “Dyn Hack” that mobilized millions of compromised “Internet of things” devices to take down Twitter, Spotify and others in 2016.

In January, Japanese lawmakers passed an amendment to allow the government to essentially do what hackers do and scour the Internet for stolen passwords and test them to see whether they have been reused on other platforms. The hope is that the government can force tech companies to fix the problem.


Security experts worry the problem has gotten so big that there could be attacks similar to the 2016 Dyn hack, this time as a result of a rise in credential stuffing.

“They almost make it foolproof,” said Anthony Ferrante, the global head of cybersecurity at FTI Consulting and a former member of the National Security Council. He said the new tools have made it even more important to stop reusing passwords.

Tech companies have been aware of the threat of credential stuffing for years, but the way they think about it has evolved as it has become a bigger problem. There was once a sense that users should take responsibility for their security by refraining from using the same password on multiple websites. But as gigantic dumps of passwords have gotten more frequent, technology companies have found that it is not just a few inattentive customers who reuse the same passwords for different accounts – it’s the majority of people online.

Credential stuffing is “at the root of probably 90 percent of the things we see happening,” said Emmanuel Schalit, chief executive of Dashlane, a password manager that allows people to store unique, random passwords in one place. Only about 1 percent of Internet users, he said, use some kind of password manager.

“We saw this coming in late 2017, early 2018 when we saw these big credential dumps start to happen,” Google’s Sathe said. In response, Nest says it implemented some security measures around that time.

It did its own research into stolen passwords available on the Web and cross-referenced them with its records, using an encryption technique that ensured Nest could not actually see the passwords. In emails sent to customers, including the Thomases, it notified customers when they were vulnerable. It also tried to block log-in attempts that veered from the way legitimate users log into accounts. For instance, if a computer from the same Internet-protocol address attempted to log into 10 Nest accounts, the algorithm would block that address from logging into any more accounts.
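The two defences this paragraph describes, worked through as an added example that is not Nest’s or Google’s code (the article gives the 10-accounts-per-address threshold but not how either measure was built). The limiter replays login attempts in order and, once one source address has tried 10 distinct accounts, rejects everything further from that address before a password is even checked. The breach check hashes the candidate password locally and looks it up by a short hash prefix, so the side holding the leaked corpus never sees the plaintext; that prefix (k-anonymity) scheme is the one Have I Been Pwned’s Pwned Passwords service uses, and whether Nest used it or something else is an assumption here. The login attempts and the breach corpus are constructed sample data.

```python
"""Toy versions of two anti-credential-stuffing measures on constructed data."""
import hashlib
from collections import defaultdict

# --- 1. Per-source-address distinct-account limiter --------------------------
# Assumption: an attempt is (source_ip, account). The threshold of 10 comes
# from the article; the replay logic is this example's, not Nest's.
DISTINCT_ACCOUNT_THRESHOLD = 10


def evaluate_attempts(attempts, threshold=DISTINCT_ACCOUNT_THRESHOLD):
    """Replay login attempts in order.

    Once a source address has tried `threshold` distinct accounts, every later
    attempt from it is rejected. Returns (decisions, blocked_ips), each
    decision being (source_ip, account, "allowed" | "blocked").
    """
    accounts_seen = defaultdict(set)
    blocked = set()
    decisions = []
    for ip, account in attempts:
        if ip in blocked:
            decisions.append((ip, account, "blocked"))
            continue
        accounts_seen[ip].add(account)
        if len(accounts_seen[ip]) >= threshold:
            blocked.add(ip)  # the 10th distinct account is the last one let through
        decisions.append((ip, account, "allowed"))
    return decisions, blocked


# Constructed sample: one address sprays 12 different accounts (the stuffing
# pattern); another retries a single account three times (a forgetful owner).
SAMPLE_ATTEMPTS = [("203.0.113.7", f"user{i}@example.com") for i in range(12)]
SAMPLE_ATTEMPTS += [("198.51.100.4", "alice@example.com")] * 3


# --- 2. Breached-password check that never transmits the password -----------
def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password; SHA-1 is used only because Pwned Passwords
    indexes by it, not as a password-storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: hashes of a few passwords that are in every dump.
BREACHED_SHA1 = {sha1_hex(p) for p in ("password", "123456", "qwerty", "letmein")}


def range_query(prefix: str) -> set:
    """Corpus side: suffixes of every breached hash sharing a 5-hex-char prefix.

    The caller sends only the prefix, so this side learns 20 bits of the hash
    and nothing about which suffix the caller was after.
    """
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def password_is_breached(password: str) -> bool:
    """Client side: hash locally, fetch the prefix bucket, compare locally."""
    full = sha1_hex(password)
    return full[5:] in range_query(full[:5])


if __name__ == "__main__":
    decisions, blocked = evaluate_attempts(SAMPLE_ATTEMPTS)
    print("blocked addresses:", blocked)
    print("rejected attempts:", [d for d in decisions if d[2] == "blocked"])
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} breached: {password_is_breached(pw)}")
```

The per-address counter is the weakest of the measures: the tools discussed later in the article route attempts through large proxy pools, so a single address rarely reaches 10 accounts, and a shared NAT or corporate egress can hit the threshold legitimately. It is worth having only as one signal among several (account-level velocity, device fingerprint, known-breached password), which is roughly what the scored log-in approach described further down amounts to.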

But Nest’s defenses were not good enough to stop several high-profile incidents throughout last year in which hackers used credential stuffing to break into Nest cameras for kicks. Hackers told a family in a San Francisco suburb, using the family’s Nest Cam, that there was an imminent missile attack from North Korea. Someone hurled racial epithets at a family in Illinois through a Nest Cam. There were also reports of hackers changing the temperature on Nest thermostats. And while only a handful of hacks became public, other users may not even be aware their cameras are compromised.

The company was forced to respond. “Nest was not breached,” it said in a January statement. “These recent reports are based on customers using compromised passwords,” it said, urging its customers to use two-factor authentication. Nest started forcing some users to change their passwords.

This was a big step for Nest, because it created the kind of friction that technology companies usually try to avoid. “As we saw the threat evolve, we put more explicit measures in place,” Sathe said. Nest says only a small percentage of its millions of customers are vulnerable to this type of attack.

According to at least one expert, though, Nest users are still exposed. Hank Fordham, a security researcher, sat in his Calgary, Alberta, home recently and opened up a credential-stuffing software program known as Snipr. Instantly, Fordham said, he found thousands of Nest accounts that he could access. Had he wanted to, he would have been able to view cameras and change thermostat settings with relative ease.

While other similar programs have been around for years, Snipr, which costs $20 to download, is easier to use. Snipr provides the code required to check whether hundreds of the most popular platforms, from League of Legends to Netflix, are accessible with a bunch of usernames and passwords – and those have become abundantly available all over the Internet.

Fordham, who had been monitoring the software and testing it for malware, noticed that after Snipr added functionality for Nest accounts last May, news reports of attacks started coming out. “I think the credential-stuffing community was made aware of it, and that was the dam breaking,” he said.

Nest said the company had never heard of Snipr, though it is generally aware of credential-stuffing software. It said it cannot be sure whether any one program drives more credential stuffing toward Nest products.

What surprises Fordham and other security researchers about the vulnerability of Nest accounts is the fact that Nest’s parent company, Google, is widely known for having the best methods for stopping credential-stuffing attacks. Google’s vast user base gives it data that it can use to determine whether someone trying to log into an account is a human or a robot.

The reason Nest has not employed all of Google’s know-how on security goes back to Nest’s roots, according to Nest and people with knowledge of its history. Founded in 2010 by longtime Apple executive Tony Fadell, Nest promised at the time that it would not collect data on users for marketing purposes.

In 2013, Nest was acquired by Google, which has the opposite business model. Google’s products are free or inexpensive and, in exchange, it profits from the personal information it collects about its users. The people familiar with Nest’s history said the different terms of service and technical challenges have prevented Nest from using all of Google’s security products. Google declined to discuss whether any of its security features were withheld because of incompatibility with Nest’s policies.

Under Alphabet, Google’s parent company, Nest employed its own security team. While Google shared knowledge about security with its sister company, Nest developed its own software. In some ways, Nest’s practices appear to lag well behind Google’s. For instance, Nest still uses SMS messages for two-factor authentication. Using SMS is generally not recommended by security experts, because text messages can be easily hijacked by hackers. Google allows people to use authentication apps, including one it developed in-house, instead of text messages. And Nest does not use ReCaptcha, which Google acquired in 2009 and which can separate humans from automated software, like what credential stuffers use to identify vulnerable accounts.

Sathe said Nest employed plenty of advanced techniques to stop credential stuffing, such as machine learning algorithms that “score” log-ins based on how suspicious they are and block them accordingly. “We have many layers of security in conjunction with what the industry would consider best practices,” he said.

When asked why Nest does not use ReCaptcha, Sathe cited difficulty in implementing it on mobile apps, and user convenience. “Captchas do create a speed bump for the users,” he said.

The person behind Snipr, who goes by the name “Pragma” and communicates via an encrypted chat, put the blame on the company. “I can tell you right now, Nest can easily secure all of this,” he said when asked about whether his software had enabled people to listen in and harass people via Nest cams. “This is like stupidly bad security, like, extremely bad.” He also said he would remove the capability to log into Nest accounts, which he said he added last May when one of his customers asked for it, if the company asked. Pragma would not identify himself, for fear of getting in “some kind of serious trouble.”

That’s when Fordham, the Calgary security researcher, became concerned. He noticed the addition of Nest on the dashboard and took it upon himself to start warning people who were vulnerable. He logged into their Nest cams and spoke to them, imploring them to change their passwords. One of those interactions ended up being recorded by the person on the other end of the camera. A local news station broadcast the video.

Fordham said he is miffed that it is still so easy to log into Nest accounts. He noted that Dunkin’ Donuts, after seeing its users fall victim to credential-stuffing attacks aimed at taking their rewards points, implemented measures, including captchas, that have helped solve the problem. “It’s a little alarming that a company owned by Google hasn’t done the same thing as Dunkin’ Donuts,” Fordham said.

A spokeswoman for Dunkin’ declined to comment.

According to people familiar with the matter, Google is in the process of converting Nest user accounts so that they utilize Google’s security methods via Google’s log-in, in part to deal with the problem. Addison said that Nest user data will not be subject to tracking by Google. She later said that she misspoke but would not clarify what that meant.

Knowing that the hack could have been stopped with a unique password or two-factor authentication has not made Thomas, whose daughter’s camera was hacked, feel any better. “I continuously get emails saying it wasn’t their fault,” she said.

She unplugged the camera and another one she used to have in her son’s bedroom, and she doesn’t plan to turn them on again: “That was the solution.”
