Why I will never own an Amazon ring camera - indoor cloud cameras are a bad idea

Captions
Hey everybody, how's it going? I hope you're having a lovely day. So today I'd like to follow up on a topic I discussed four years ago in this video, "Advice to new content creators sponsored by NordVPN." Now, when you look at a video on YouTube that is sponsored by NordVPN, something probably different comes to mind than what I'm talking about in this video. In this video I'm going over two things: A, an email sent to me asking me to sponsor NordVPN that was offering me approximately three to six thousand dollars, and B, I'm going over some sort of breach that they had in their facility that made their services inherently less secure as a result, that none of the people that had ever sponsored NordVPN would have any way of knowing, because they did not audit the facility in any way, shape or form, nor could you audit the facility in any way, shape or form, which is really weird when you have content creators online who are showing something whose sole purpose is privacy and security. What you're talking about here is not an open source software project; it is a closed-door data center.

And one of the things that I was saying is you should be really, really careful when you show things on your YouTube channel where you don't really have knowledge as to whether or not it's able to live up to the expectations the consumer has. One of the examples on my YouTube channel, one of the things I show very often, is this Atten hot air rework station. It's also because I believe that I'm an expert in micro soldering and repairing small devices, and I've also been using this thing for several years, so I feel like, having used many of them, when I show this I feel good showing this, because this is literally sitting on my desk at work and I use it on a regular basis.

The reason I'm bringing this up is because you may have heard a lot of people on YouTube, a lot of content creators, show something called the Ring doorbell and the Ring camera system, and I'm not going to point to specific people because I don't
want this to become partisan, petty or personal, but you probably know somebody at some point in time, if you spend any time on YouTube, who has shilled the Ring doorbell and the Ring camera system. And today we're going to be going over this complaint from the FTC that's about 20 pages long. I have narrowed it down to the parts that I personally found to be the most interesting, because it looks like Amazon has settled this for about 30 million dollars. So we're going to go over this complaint from the Federal Trade Commission that Amazon saw fit to settle for 30 million dollars, and let's go through it.

So it says: the claims in paragraphs 8 to 11 have implied to reasonable customers that Ring devices are a secure means to monitor the private spaces of consumers' homes. Reasonable consumers have understood that Ring's security claims have implied, in part, a claim of digital security, because a lack of digital security would impede the device's basic function: their ability to protect the home, "bring protection inside," and allow customers to "see your home away from home." If, for example, a hacker could readily compromise the device's digital security and turn off the security camera, the device would have no value as a security monitoring product of the consumer purchased. Moreover, reasonable consumers have understood that Ring's security claims have implied, in part, a claim of digital security because a lack of digital security creates the very risk of harm the device was intended to minimize, such as where a hacker stalks, harasses or threatens the consumer or her family members through a compromised device.

And we're going to get to that very soon.

Despite promising greater security as its product's core feature, Ring ignored information security considerations when management believed they would interfere with growth and pursuit of rapid product development. Before September 2017, Ring did not limit access to customers' video data to employees who needed the access to perform their job function,
like customer support, improvement of the product, etc. To the contrary, Ring gave every employee, as well as hundreds of Ukraine-based third-party contractors, full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function.

This comes back to an important point that shows up on this channel many times. Some people see the cloud as an ultra secure, ultra protected place that nobody could breach, and other people, the kind of people, the demographic that makes up my viewer base, tend to view the cloud as someone else's computer that these someone else could peruse and browse through at any point in time if they saw fit to, or just want to screw with you. And that very well seems to be the case here.

Not only could every Ring employee and Ukraine-based third-party contractor access every customer's videos, all of which were stored unencrypted on Ring's network, but they could also readily download any customer videos and then view, share or disclose those videos at will. Before July 2017, Ring did not impose any technical or procedural restrictions on employees' ability to download, save or transfer customer videos. Ring distributed an employee handbook that prohibited misuse of Ring data and required employees to sign a proprietary information and inventions agreement that prohibited data misuse.

Well, that'll teach them. I mean, if you're a pervert and you have access to video of people in their home, I'm confident that signing the agreement will not make you curious to look through some 19 year old woman changing her clothes at all.

That approach to access meant that Ring's employees and third-party contractors had dangerous and unnecessary access to highly sensitive data. For example, although a customer service agent might need access to a video of a particular customer to troubleshoot a problem, that same customer service agent had unfettered access to videos belonging to thousands of customers who had never contacted
customer service. Although an engineer working on Ring's floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of inside the customers' bedrooms.

How do you only give them access to data when a consumer wants it? This would probably require a change in the system that changes the permissions in some way when a user says that they want customer service and clicks consent to it. Like, again, this is probably going to be a pain in the ass to somebody like me that never made it past page 16 of Dennis Ritchie's C Programming Language, who can barely configure vsftpd.conf, but it shouldn't be a problem for a company that is aiming to be sold for one billion dollars to Amazon. But apparently, that is, apparently making sure that every single person in your company doesn't have access to every single video every single customer created is too much to consider when you're selling a product that's focused on privacy and security.

As a result of this dangerously overbroad access and lax attitude towards privacy and security, employees and third-party contractors were able to view, download and transfer sensitive customer and video data for their own purposes. For example, between June and August 2017, a Ring employee viewed thousands of video recordings belonging to at least 81 unique female users, including customers and Ring employees, of Ring Stick Up Cams. The employee focused his prurient searches on cameras with names indicating that they had surveilled an intimate space, such as "master bedroom," "master bathroom" or "spy cam."

Can I just suggest that you not put a cloud-connected camera in your bathroom? Again, to be clear, I am not victim shaming, I am not victim blaming here. The people at Ring should be held accountable and responsible for what they did and, in my opinion, named and shamed publicly. That being said, I would dare say don't put a camera in your bathroom, but if you're going to put a camera in your bathroom, don't
connect it to the internet. Just, just trust me on that one. Just don't connect it to the internet.

On hundreds of occasions during this three-month period, the employee perused female customers' and employees' videos, often for an hour or more each day. Undetected by Ring, the employee continued spying for months.

And as many of you say, the cloud is someone else's computer; it can be viewed by someone else. And, uh, okay, if I'm going to be doing any sort of stuff like, if I'm gonna have a camera in my home that's in my bathroom, at the very least I'm going to have that camera, this video, stored on a local NVR that is not attached to the internet. Like, the camera will attach to a router, the NVR computer will attach to a router, that router will never connect to the internet, and that is the only way that I would allow a camera to be in my bedroom or my bathroom. If I'm gonna have a camera that's going to be viewable by anywhere I go, it's going to be the front door camera or an outdoor camera, where you're not seeing things that you're really, like, badly not supposed to see, as you would in, let's say, my bathroom or my bedroom.

Ring failed to detect this inappropriate access through any technical means. By good fortune, in August 2017 an employee discovered her co-worker's actions and reported the misconduct to her supervisor. Initially, the supervisor discounted the report, telling the female employee that it is normal for an engineer to view so many accounts. Only after the supervisor noticed that the male employee was only viewing videos of pretty girls did the supervisor escalate the report of misconduct, and only at that point did Ring review a portion of the employee's activity and ultimately terminate that employee.

In September of 2017, in response to this incident, Ring narrowed employee access to customers' video data somewhat, so that customer service agents could only access videos with the customer's consent. Despite this narrowing of access for customer service agents, Ring continued to allow others,
including hundreds of employees and Ukraine-based third-party contractors, access to all video data, regardless of whether particular engineers actually needed to have access to that data to perform their job function.

This just gets worse and worse.

Granting employees this grossly overbroad and unmonitored access continued to cause harm. In January 2018, a male employee used his broad access rights to spy on a female colleague through her videos. Using her email address as a lookup mechanism, the employee identified his female co-worker's device and watched her stored video recordings without her permission.

So not only could you have unfettered access to all the stuff, but you could easily just look somebody up by their email and see if they had an account, and they looked at all their cameras for no reason.

Despite these changes, Ring's culture of overly broad access to sensitive information continued to result in harm to consumers. First, in February 2018, a Ukraine-based third-party contractor created an unauthorized tunnel, or pathway, to Ring services in an attempt to access customer video data. Ring failed to detect this intrusion by any technical means. Only when an employee happened to report the misconduct did Ring remove the Ukrainian team's ability to create such unauthorized pathways. Second, in May 2018, another employee gave information about a customer's video recordings to the customer's ex-husband without the customer's consent.

So it's not just looking at the videos for your own perverted pleasure, it's also giving those videos to other people in that person's life, the type of person that you would never want to see your personal stuff anymore.

Third, in August 2020, a whistleblower notified Ring that between March 2018 and September 2019 a former employee had provided Ring devices to numerous individuals and then accessed their videos without their knowledge or consent. When the employee left Ring in September of 2019, the whistleblower allegedly took copies of these videos with him
without the knowledge or consent of his unsuspecting victims and without Ring noticing that anything was amiss.

This company has a culture of sick [ __ ] people working there.

In February 2019, Ring changed its access practices so that most Ring employees or contractors could only access the customer's private video with that customer's consent.

Progress.

Importantly, because Ring has failed to implement basic measures to monitor and detect inappropriate access before February of 2019, which by the way was about almost a year into a trillion dollar company purchasing them, Ring has no idea how many instances of inappropriate access to customers' sensitive video data actually occurred. Indeed, Ring only discovered the incidents described above through the good fortune of employee reporting, despite having given employees zero security training and no responsibility to engage in such reporting. It's highly likely that numerous other incidents of spying or prurient behavior and other inappropriate access occurred entirely undetected.

Secondly, Ring received numerous reports of vulnerabilities relevant to credential stuffing and brute force attacks through Ring's bug bounty program. This program rewards security researchers and white hat hackers with bounties, like payments, in exchange for identifying security vulnerabilities. Between September 2017 and April of 2019, the program received four separate bug bounty reports about Ring authentication portals being vulnerable to credential stuffing and brute force attacks because Ring did not use effective rate limiting. Indeed, one researcher reported in April of 2019 that he was able to guess his own password to a Ring login after one thousand tries without getting detected.

This was not fixed until after 2020. They had been reporting it as early as 2017. It did not get fixed until 2020. The company was purchased by Amazon in 2018.
Although Ring implemented some forms of rate limiting before July 2019, not all authentication portals were covered. Moreover, what rate limiting Ring did implement, to prevent multiple login attempts in rapid succession of the same account, did only half the job. Ring failed to block multiple attempts in rapid succession to log into different accounts from the same IP address. As a result of the defendant's failures to act, or act in full, between January 2019 and March 2020, which by the way is years after Amazon bought them, more than 55,000 U.S. customers suffered from credential stuffing and brute force attacks that compromised Ring devices. Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers' homes, including their bedrooms and children's bedrooms, recorded by devices that Ring sold by claiming they would increase customers' security.

Having these systems online is dangerous. You do not want a microphone in your home that connects to the internet. You don't want a camera in your phone that connects to somebody else's computer. I strongly believe this, and I am, you're not going to convince me otherwise.

Because Ring did not take these measures, the attacks continued to succeed. For example, on December 12, 2019, prominent media outlets began publishing reports about hacked Ring devices.

And let's just fast forward here to some of the instances of what happens. So, examples of harassment, insults and threats that consumers experienced include the following, because you have to keep in mind some of these cameras have two-way functionality, not just you're talking to the camera and it hears you, but the person behind the camera can talk to you as well. Several women lying in bed heard hackers curse at them. Several children were the object of hackers' racist slurs. A teenager was sexually propositioned. An 87 year old woman in an assisted living facility was sexually propositioned and then physically threatened. A hacker told an
individual through her camera that the hacker had killed the individual's mother and then directly threatened the individual: "tonight you die." After a hacker taunted one child in the bedroom she shared with her siblings, the child developed a strong fear of her bedroom and required therapy and physical changes to her to help her overcome her fear. One hacker threatened a family with physical harm if they did not pay a ransom in Bitcoin. And a hacker told a woman that her location was being tracked and that her device would self-destruct at the end of the countdown. She disconnected the device before the countdown ended.

We could go on for a long period of time because there's a lot more information in this complaint. Needless to say, moral of the story: if you have a camera in your home that can view things inside your home, and that camera connects to somebody else's computer, chances are somebody else can view it, which means you probably should not be doing that. Please understand that regardless of whether a product is a cheap product or a product marketed by a trillion dollar company, at the end of the day somebody else's computer is still somebody else's computer, and you should be very careful what you store on somebody else's computer.

And above all, I want you to, if anything, gain a very healthy skepticism from anybody you see on YouTube promoting such products, especially myself. I don't want to create a rule that applies to another class of people and pretend that I'm outside of that class. If I'm promoting something, if you see me sponsored by something on this channel, look into it, dig into it a little bit. Don't trust me. Never trust me. Never trust anybody you see talking on this platform, because if you do, you might wind up being one of those people that got a free trial for Ring because, you know, [redacted influencer here] told you that this is a great product to protect your privacy and security and make you feel safe, when in reality, several years later, something like this
winds up coming out, which is just, again, something that many people could have easily predicted, given that they were ignoring the complaints and submissions and issues and bug reports of white hat hackers and security people for a number of years.

Again, and if you are a YouTube content creator, if you do upload stuff to this platform, be very careful what you show, because again, the cost of shilling a VPN company that winds up getting a breach is your reputation. The cost of shilling a camera or doorbell security system that winds up having random third-party Ukrainian contractors jerking off to you in your shower is going to be your reputation. The cost of that is going to be your name and your brand, and in my opinion it's not worth it. I have likely left a lot of money on the table over the years by not taking these types of sponsorships. Again, NordVPN is offering me like six thousand bucks. I want six thousand bucks; would be nice. There's a lot of stuff I could do around the house with an additional six thousand bucks. But is it really worth it at the end of the day? In my opinion, it's not.

Stick to selling things and showing things that you actually use. Again, this hot air rework station, I think is awesome, I think it's affordable, I think it's great. I use it in my own facility, as do my employees. We use it every day, and as a result I suggest it. Do I have the ability to audit whether or not Amazon has a secure environment for the processing of video data they grab from a cloud device? Like, no, of course I don't. What business would I have advertising that? What business would I have shilling it to you when I have no ability, less than zero ability, to audit any of it myself to see if any of their claims are true? And if somebody has been shilling something like this to you, I think you should hold them accountable. I think you should ask them: why did you suggest that I use this when neither I nor anybody else would have any ability to audit what's going on here? Again, it's not even like
this is a piece of open source software where somebody can just view the code and figure it out if the influencer or person promoting it, or who's saying it's cool, winds up not doing 100% due diligence. We're literally talking about a closed source camera running closed source proprietary software that uploads your stuff to a closed-door data center. Well, let's make it closed to anybody unless you're a horny third-party contractor.

Let me know what you think in the comments down below. Do you think I'm going in a little too hard on people that were raking in money promoting Ring doorbell cameras and everything else, or do you think that this is deserved and earned and that somebody should go in hard on them because a lot of people were harmed as a result of this?

Oh, last thing. A few years ago, just, I'm just saying this because Amazon paid their slap-on-the-wrist fine to the FTC of 30 million dollars. If you do the comparison, by the way, between my net worth and Amazon's market cap, this would be like me receiving a fine of somewhere between 50 cents to 75 cents. So Amazon, like, yeah, I mean, this is a joke. The fine that the FTC imposed here is virtually nothing. They're not going to care. They're not going to care about security into the future. They have no incentive to, because they pay, again, what would be, with my net worth versus theirs, the equivalent of somewhere around 50 to 75 cents in a fine. I'm not going to give a [ __ ] if you fine me 75 cents. That's like when the clerk at the library says you're getting fined a nickel because you kept the book two weeks. Like, oh, I'm shaking in my boots.

But in all seriousness, the FTC did get 30 million dollars. A few years ago Biden asked the FTC to look at right to repair. He signed an executive order asking the FTC to draft right to repair rules, and several years later, bupkis, we got absolutely nothing. I spent about 50 or 60,000 of my nonprofit's money writing up a 60 plus page report with the help of very good antitrust
attorneys, going over how this has been handled in the past and what the FTC may be allowed to do into the future, really trying to lay the groundwork and do a lot of the homework for them, the heavy lifting, so that it would be easy for them to draft the rules. We haven't heard a damn thing. So I'm just, I'm just saying, if Lina Khan is watching this, since you got 30 million dollars from Amazon, would you be able to focus on my, my paper that I sent you like two and a half years ago? I'm just saying, I'm just saying, like, you know, I know, I know it was an executive order and willy-nilly, who cares about right to repair, but it would be really nice if you could just maybe use a little bit of the money that you got from Amazon, just a teeny tiny bit, I don't know, have an intern read my document that I sent you like two years ago. It would be highly appreciated.

That's it for today, and as always, I hope you learned something. I'll see you all in the next video. Bye now.
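
The rate-limiting gap read out from the complaint in the captions above (repeated attempts on one account were limited, attempts on many different accounts from one IP address were not), as an added example that is not part of the video and is not Ring's code. The class name, thresholds, window length and the constructed login attempts are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins, keyed by account and by source IP."""

    def __init__(self, window_s=300.0, max_per_account=5, max_per_ip=10,
                 track_ip=True):
        self.window_s = window_s
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.track_ip = track_ip          # False models the per-account-only setup
        self._by_account = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    def _count(self, failures, now):
        # Drop failures that have aged out of the window, then count the rest.
        while failures and failures[0] <= now - self.window_s:
            failures.popleft()
        return len(failures)

    def allow(self, account, ip, now):
        """Return True if this attempt may proceed to the password check."""
        if self._count(self._by_account[account], now) >= self.max_per_account:
            return False
        if self.track_ip and self._count(self._by_ip[ip], now) >= self.max_per_ip:
            return False
        return True

    def record_failure(self, account, ip, now):
        self._by_account[account].append(now)
        self._by_ip[ip].append(now)


def count_password_checks(throttle, attempts):
    """Replay (time, account, ip) attempts that all fail; count those not blocked."""
    checked = 0
    for now, account, ip in attempts:
        if throttle.allow(account, ip, now):
            checked += 1
            throttle.record_failure(account, ip, now)
    return checked


# Constructed sample traffic (documentation IP range, example.com accounts).
SRC = "203.0.113.7"
# Brute force: 1000 guesses against one account.
BRUTE_FORCE = [(i * 0.1, "alice@example.com", SRC) for i in range(1000)]
# Credential stuffing: one guess each against 200 different accounts, same IP.
STUFFING = [(i * 0.5, f"user{i}@example.com", SRC) for i in range(200)]


def run():
    """Password checks reached under each policy, for each traffic pattern."""
    return {
        "brute_force/account_only": count_password_checks(
            LoginThrottle(track_ip=False), BRUTE_FORCE),
        "stuffing/account_only": count_password_checks(
            LoginThrottle(track_ip=False), STUFFING),
        "stuffing/account_and_ip": count_password_checks(
            LoginThrottle(track_ip=True), STUFFING),
    }


if __name__ == "__main__":
    for name, checked in run().items():
        print(f"{name}: {checked} attempts reached the password check")
```

With only the per-account counter, every one of the 200 stuffing attempts reaches the password check, because no single account ever sees more than one failure; the per-IP counter cuts that off at its threshold.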
Info
Channel: Louis Rossmann
Views: 193,231
Keywords: amazon, ring doorbell, ring camera, spying, data breach
Id: jMuRavcHCDs
Length: 19min 52sec (1192 seconds)
Published: Tue Jun 06 2023