Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine
Staff able to watch customers in the bathroom? Tick! Obviously shabby infosec? Tick! Training AI as an excuse for data retention? Tick!
America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.
The regulator on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy snafus.
The e-tail giant’s Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”
“Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will,” reads the FTC's complaint [PDF].
The document goes on to note that although “a customer service agent might need access to the video data of a particular customer to troubleshoot a problem, that same customer service agent had unfettered access to videos belonging to thousands of customers who never contacted customer service.”
Another nightmare: “Although an engineer working on Ring’s floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of the inside of customers’ bedrooms.”
Ring staff weren’t trained on how to handle private data. And some abused it, horribly, according to the consumer watchdog.
The complaint details one employee who, the FTC said, “viewed thousands of video recordings belonging to at least 81 unique female users,” and “focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as ‘Master Bedroom,’ ‘Master Bathroom,’ or ‘Spy Cam’.”
The employee spent more than an hour a day on this revolting stuff, undetected by Ring, for months, it was claimed.
When a female coworker reported this activity, her supervisor “discounted the report, telling the female employee that it is ‘normal’ for an engineer to view so many accounts," the FTC noted.
“Only after the supervisor noticed that the male employee was only viewing videos of ‘pretty girls’ did the supervisor escalate the report of misconduct.”
Ring responded to that 2017 incident by restricting some access to vids for customer service staff, but other employees retained access to vids, the watchdog said.
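What the scoping the complaint describes as absent might look like, together with the sort of audit check that would have surfaced a months-long viewing spree within days: an added Python example, not Ring's code. The roles, the ticket-based scoping rule, the per-day threshold and the audit log are assumptions constructed for illustration.

```python
"""Scoped video access plus a crude insider-abuse detector.

Added example, not Ring's code. It models the two failures the FTC
complaint describes: staff whose legitimate need covered one customer or
one device type but who could see everything, and an employee who viewed
videos from dozens of accounts a day for months without anyone noticing.
Roles, names, the threshold and the audit log are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Video:
    owner: str          # customer account id
    device_name: str    # customer-chosen camera label, e.g. "Master Bedroom"
    outdoor: bool       # True for outdoor models such as the floodlight cam


@dataclass
class Staff:
    user: str
    role: str                                       # "support" or "floodlight_eng"
    open_tickets: set = field(default_factory=set)  # customers with an open case


def may_view(staff: Staff, video: Video) -> bool:
    """Grant access only where a specific, current need justifies it."""
    if staff.role == "support":
        # A support agent sees footage of customers who actually asked for help.
        return video.owner in staff.open_tickets
    if staff.role == "floodlight_eng":
        # Outdoor-hardware engineers get outdoor footage, never bedrooms.
        return video.outdoor
    return False   # default deny for every other role


def distinct_owners_per_day(audit_log):
    """Map (staff user, day) -> number of distinct customer accounts viewed."""
    seen = defaultdict(set)
    for user, day, owner in audit_log:
        seen[(user, day)].add(owner)
    return {key: len(owners) for key, owners in seen.items()}


def flag_excessive_viewers(audit_log, threshold=20):
    """Return (user, day) pairs that viewed more distinct accounts than the
    assumed threshold; a support queue rarely touches 20 customers' video in
    a day, and one engineer browsing 30 bedrooms has no such excuse."""
    counts = distinct_owners_per_day(audit_log)
    return sorted(key for key, n in counts.items() if n > threshold)


# Constructed audit log: (staff user, day, customer whose video was opened).
SAMPLE_AUDIT_LOG = (
    [("agent_a", "2017-01-02", f"cust-{i}") for i in range(1, 4)]   # 3 ticketed customers
    + [("eng_b", "2017-01-02", f"cust-{i}") for i in range(1, 31)]  # 30 distinct accounts
    + [("eng_b", "2017-01-03", "cust-5")] * 40                       # 40 views, one account
)

if __name__ == "__main__":
    print(flag_excessive_viewers(SAMPLE_AUDIT_LOG))   # [('eng_b', '2017-01-02')]
```

The two halves are deliberately separate: `may_view` is the preventive control (need-to-know, default deny), and `flag_excessive_viewers` is the detective one that catches whatever the policy still permits. Note that the detector counts distinct accounts rather than raw views, which is what distinguishes someone browsing strangers' bedrooms from an engineer replaying one customer's clip forty times.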
The FTC complaint also alleges Ring knew its cloud services were susceptible to credential stuffing and brute-force attacks but did little to stymie such efforts. As a result, the complaint says, 55,000 US-based Ring customers’ accounts were compromised, and “bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers’ homes.”
Account access is where things get worse: Ring devices provide real-time messaging and communications, the FTC pointed out, so those who broke into accounts were able to interact with customers through their own Ring devices. “Several women lying in bed heard hackers curse at them,” the complaint states, and “several children were the objects of hackers’ racist slurs.”
On another occasion “a hacker told an individual through her camera that the hacker had killed the individual’s mother and then directly threatened the individual: ‘Tonight you die’.”
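The two attack patterns the complaint names are among the easiest to spot in an authentication log, which is why "did little to stymie such efforts" stings. Below is an added Python example, not Ring's code, of the sliding-window checks a login service runs to flag a credential-stuffing source (one address, many distinct accounts), a brute-forced account (one account, many failures) and a stuffing attempt that actually landed. The log format, the thresholds and the sample lines (RFC 5737 addresses, example.com accounts) are constructed for the example.

```python
"""Credential-stuffing and brute-force detection over an auth log.

Added example, not Ring's code. The FTC says Ring knew its services were
exposed to credential stuffing and brute force and did little about it;
this is the kind of sliding-window check a login service runs to catch
both. The log format, the thresholds and the sample lines (RFC 5737
addresses, example.com accounts) are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Parse log lines into (timestamp, ip, user, result); skip malformed ones."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def _in_window(times, ts, window):
    """Append ts to a per-source list, drop entries older than the window,
    and return how many failures remain inside it."""
    times.append(ts)
    cutoff = ts - window
    while times and times[0] < cutoff:
        times.pop(0)
    return len(times)


def analyse(lines, window=timedelta(minutes=10), ip_fail_limit=20,
            ip_distinct_users=10, user_fail_limit=5):
    """Return (stuffing_ips, bruteforce_targets, compromised_accounts).

    Stuffing: one address tries many distinct accounts (or fails a lot).
    Brute force: one account collects many failures in the window.
    Compromised: a login succeeded from an address already flagged, i.e.
    a reused password from a leaked list actually worked."""
    ip_fails, ip_users, user_fails = defaultdict(list), defaultdict(set), defaultdict(list)
    stuffing_ips, bruteforce_targets, compromised = set(), set(), set()
    for ts, ip, user, result in parse(lines):
        ip_users[ip].add(user)
        if result == "FAIL":
            fails_from_ip = _in_window(ip_fails[ip], ts, window)
            fails_on_user = _in_window(user_fails[user], ts, window)
            if fails_from_ip >= ip_fail_limit or len(ip_users[ip]) >= ip_distinct_users:
                stuffing_ips.add(ip)           # throttle or block this source
            if fails_on_user >= user_fail_limit:
                bruteforce_targets.add(user)   # lock or step-up this account
        elif ip in stuffing_ips:
            compromised.add(user)              # force a reset and notify the customer
    return stuffing_ips, bruteforce_targets, compromised


def _sample_log():
    """Constructed log: a stuffing run, a brute-force run and a clumsy user."""
    base = datetime(2019, 12, 1, 3, 0, 0)

    def fmt(offset_s, ip, user, result):
        t = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{t} ip={ip} user={user} result={result}"

    log = [fmt(i, "203.0.113.9", f"user{i:02d}@example.com", "FAIL") for i in range(14)]
    log.append(fmt(14, "203.0.113.9", "dana@example.com", "OK"))   # leaked password hit
    log += [fmt(100 + 15 * i, "198.51.100.7", "erin@example.com", "FAIL") for i in range(8)]
    log += [fmt(300, "192.0.2.44", "frank@example.com", "FAIL"),
            fmt(330, "192.0.2.44", "frank@example.com", "FAIL"),
            fmt(360, "192.0.2.44", "frank@example.com", "OK")]
    return log


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The thresholds are placeholders to be tuned against real traffic; the point is the three signals, which need nothing more exotic than counting failures per source and per account over a window and treating a success from an already-flagged source as an incident rather than a login.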
The complaint details even nastier attacks – skip pages 13 and 14 to avoid references to incidents of a sexual nature.
The FTC’s complaint pointed out that Ring’s main marketing message was that its products improve safety, yet its actions meant its products did the opposite.
Alexa? Rat out my kids
The FTC also took on Amazon over its Alexa devices’ data-retention policies.
“Amazon retained children’s recordings indefinitely—unless a parent requested that this information be deleted,” the FTC alleged. “And even when a parent sought to delete that information… Amazon failed to delete transcripts of what kids said from all its databases.”
Amazon argued the data retention was necessary to, among other things, train Alexa’s underlying AI models to improve the recognition of children’s voices.
Unfortunately for Amazon, the US Children’s Online Privacy Protection Act requires parents to be informed of how data about kids under 13 is used, and such data must be deleted once it is no longer needed to provide a service.
The FTC has proposed an order [PDF] that will see Ring cough up $5.8 million (£4.7 million) to settle the matter.
Amazon has also agreed to pay $25 million (£21 million) to settle the Alexa-and-kids-related allegations.
In a statement, an Amazon spokesperson said: “While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.”
Amazon’s most recently reported quarterly results revealed net income of $3.2 billion, meaning the biz can put these small payouts behind it with a single day’s worth of surplus cash.
But it is entirely conceivable those unfortunate Ring customers who were, as the FTC described, verbally assaulted in their homes will perhaps take years to get over the ugly incidents Amazon’s laxness made possible. ®