Ring Security Updates: Still Require Opt-In

Ring Enhances Security and Privacy Features

Ring, the manufacturer of video doorbells, often described as creating the “largest civilian surveillance network the U.S. has ever seen,” is now implementing new, albeit overdue, security and privacy enhancements.

Past Security Concerns

The company, owned by Amazon, experienced damage to its reputation following a series of account breaches in late 2019. During these incidents, unauthorized individuals gained access to Ring user accounts and engaged in harassment of children within their homes.

Exploiting vulnerabilities in Ring’s security protocols, hackers created specialized software to systematically attempt to crack passwords on Ring accounts. At the time, these accounts were protected solely by user-selected passwords. Compromised Ring user credentials were also found circulating on the dark web.

Initially, Ring attributed the breaches to users employing weak passwords, such as “password” and “12345678,” which the system permitted. However, the company later acknowledged its own shortcomings and introduced mandatory two-factor authentication via text message. This was a positive initial step, intended to make large-scale automated account takeovers more challenging.

New Security Measures

Ring is now advancing its security posture with the introduction of app-based two-factor authentication. This method, commonly offered by many companies, delivers two-factor codes through a secure, encrypted connection, unlike text messages which are vulnerable to interception.

Furthermore, Ring is implementing CAPTCHA within its applications. This addition aims to impede automated login attempts by requiring users to demonstrate they are not automated bots.

Enhanced Data Protection with Encryption

The launch of video end-to-end encryption is also being announced, having initially been released earlier this year as a technical preview. A frequently highlighted, yet controversial, aspect of Ring is its practice of allowing users to share video footage with over 1,800 partnered local police departments.

However, law enforcement agencies possessing a valid search warrant can always directly request footage from Ring. End-to-end encryption ensures that any video recorded by a Ring device is accessible only to the account holder, excluding Ring and its law enforcement collaborators.

Balancing Privacy and Partnerships

Josh Roth, Ring’s CTO, stated in a blog post that the company believes “our customers should control who sees their videos.” If this principle were fully embraced, Ring would have activated end-to-end encryption for all users by default, providing inherent privacy.

However, doing so could potentially hinder the company’s efforts to expand its partnerships with police departments, which contribute to increased adoption of Ring devices within communities.

User Control and Opt-In Features

Compared to previous security updates that were insufficient, Ring’s latest features represent significant improvements, offering users the ability to enhance the security of their accounts and protect their data. However, these features are not automatically enabled; users must actively choose to opt-in.

This approach is typical, as companies often hesitate to impose security changes on users, fearing disruption to the user experience. Nevertheless, the consequences of an account compromise due to inadequate security measures are demonstrably more severe.

How to Activate New Features

Enabling app-based two-factor authentication is straightforward; simply navigate to Ring’s account settings and switch from text message-based codes to those delivered by an authenticator application. Resources are available explaining the importance of this change and recommending suitable applications.

The most substantial change users can implement is activating end-to-end encryption within their accounts through the advanced settings of Ring’s control center. This will not restrict account functionality or prevent sharing footage with contacts or law enforcement, but it will grant users greater control over their data.

Activating end-to-end encryption provides assurance that you, and not Ring, control your data and its usage.