Ring reportedly gave employees access to customer video feeds

Discussion in 'Cyber Security' started by actran, Jan 10, 2019 at 4:53 PM.


  1. actran

    actran Getting the hang of it

    Joined:
    May 8, 2016
    Messages:
    303
    Likes Received:
    98
  2. GCoco

    GCoco Getting the hang of it

    Joined:
    Jun 29, 2015
    Messages:
    274
    Likes Received:
    94
    Location:
    Louisiana
    Another example of why not to use cloud-based storage.
     
    Mike, Philip Gonzales and mat200 like this.
  3. crw030

    crw030 Getting comfortable

    Joined:
    Apr 26, 2016
    Messages:
    373
    Likes Received:
    185
    Location:
    Colorado
    All I can say is, once something goes out to the internet you should never expect it to completely disappear. You are really putting a lot of faith & trust in these cloud providers that 1) they won't share/misuse access they likely have to your cloud-connected camera, 2) they will make and update the device to keep it completely secure from hackers and 3) their cloud setups are secure and carefully managed to avoid improper access.

    You see data breaches often because it is very hard for someone without that specific expertise to properly set up secure cloud service access which does not inadvertently provide access either to someone that gains a password of someone with access or understands the Amazon ecosystem better than your IT team and can locate and log in to these systems. With conventional IT and business resources tinkering with cloud services there will be continued surprises, I have no doubt.
     
  4. icecoffee

    icecoffee Getting the hang of it

    Joined:
    Oct 3, 2018
    Messages:
    51
    Likes Received:
    32
    Location:
    Houston
    I used a Ring Pro video doorbell for a year and dig them after my trial ended. From my experience with many calls to them, their normal CS needs your authorization to access the device remotely but level 2 CS doesn't have to; all they need is your email and they can have total access and control of it.
     
    Philip Gonzales and mat200 like this.
  5. crw030

    crw030 Getting comfortable

    Joined:
    Apr 26, 2016
    Messages:
    373
    Likes Received:
    185
    Location:
    Colorado
    On one hand it makes sense (if you think of the people most likely going to buy the Ring product) that CS would need to be able to help them through the process of setting the cameras up and assisting in troubleshooting, but would be completely different if it at least had to be authorized each time.

    However, the thought that you are basically giving ANYONE (at any level) the ability to peer into your life without you knowing (and by extension hackers/curious that can gain access to their subsystems or POTENTIALLY law enforcement without a warrant), should be absolutely terrifying in the USA, and that doesn't even speak to the risks associated with a country that has fewer protections from government abuse.
     
    mat200 likes this.
  6. icecoffee

    icecoffee Getting the hang of it

    Joined:
    Oct 3, 2018
    Messages:
    51
    Likes Received:
    32
    Location:
    Houston
  7. mat200

    mat200 IPCT Contributor

    Joined:
    Jan 17, 2017
    Messages:
    3,540
    Likes Received:
    1,779
    The slippery slope of monopoly powers and industry consolidation issues:

    HOW soon until Amazon starts to demand videos from your cameras when you report a lost package?

    Most people will probably be OK with that. However, the devil is always in the details and things begin to get more complex now, as companies which have access to your data / videos / audio can be compelled by warrants to provide others access to your data in the cloud.

    Some of this will be good to counter delinquents, however it can also be abusive. (Example: TSA agent calls in sick when there is no paycheck - Government representative questions it and asks for data from IoT and Internet Connected devices and cell to confirm - discovers agent is working as Uber driver to pay bills - fires agent.)
     
  8. Mr_D

    Mr_D Getting comfortable

    Joined:
    Nov 17, 2017
    Messages:
    478
    Likes Received:
    360
    Location:
    Southern California
    And now they have cameras they're pushing for indoor use. No thanks.
     
    Philip Gonzales likes this.
  9. dark current

    dark current Getting the hang of it

    Joined:
    Dec 23, 2018
    Messages:
    112
    Likes Received:
    61
    Location:
    Your Kitchen
    In the states, if the government wants legal access, all they have to do is convince a judge that it be granted. If you're the target of a warrant, and the information exists outside of your control, they'll probably get it - legally. I don't find that terrifying at all. I think garden variety stalkers/peepers within a company managing the storage, and hackers outside the company are more likely to violate internal policies and laws to gain access than the government. That's more of a concern, in my eyes.

    Yep. If anyone accessing your data (legally or not) is a serious concern, it shouldn't be in someone else's hands. External drive swapping with the backup kept at a second location is an inexpensive, reliable way around the cloud.

    I'd be surprised if that scenario could occur without a warrant, or a very stupid employee. Even if a GPS trail from a work issued phone showed that a "sick" employee wasn't huddled in their bed during business hours, it would require more than that to establish they were dodging work. "My back was sore, and the only seat I found comfortable was behind the wheel of my car, so I spent the day driving around to take my mind off the pain."

    A geotagged photo taken with the work phone showing Mr. Sick competing in a tree climbing competition out of state might be a different matter. : )
     
    mat200 likes this.
  10. mat200

    mat200 IPCT Contributor

    Joined:
    Jan 17, 2017
    Messages:
    3,540
    Likes Received:
    1,779
    Indeed numerous potential pitfalls already to catch those employees calling out sick.

    In terms of warrants - DHS does unwarranted searches of citizens already, so it would not be out of standard operating procedures for a DHS manager to do this similarly to his/her employees, in fact they probably already have consented to it in their employment contracts.
     
  11. dark current

    dark current Getting the hang of it

    Joined:
    Dec 23, 2018
    Messages:
    112
    Likes Received:
    61
    Location:
    Your Kitchen
    There's a big difference between a warrantless search of someone crossing an international border and snooping an employee's data over a sick day.

    I'd also be surprised if their union would ever agree to allowing an exception to the 4th Amendment into their contract. If an employee is on the clock, or if an employer's equipment is in use, that's another matter, as the expectation of privacy is low to non-existent. The law is pretty clear on that point.
     
  12. mat200

    mat200 IPCT Contributor

    Joined:
    Jan 17, 2017
    Messages:
    3,540
    Likes Received:
    1,779
    Guess it really depends on how powerful AFGE is.
     
    dark current likes this.