After a series of Ring camera hacks, the Amazon-owned security company has claimed that any intrusions into its customers’ cameras or accounts were perpetrated by hackers who obtained login credentials from hacking forums or the dark web, not from the company’s database.
Lawyers representing some of the hacking victims in a class-action lawsuit against Ring told Digital Trends that their clients used unique passwords that could not have been hacked anywhere else.
Hassan Zavareei, a partner at Tycko & Zavareei LLP, a firm specializing in class-action and privacy litigation, said the defense that login information was taken from other, unrelated data breaches is “baseless and false.”
The class-action suit, filed January 3 in the U.S. District Court for the Central District of California, describes several graphic incidents in which the plaintiffs’ Ring cameras were hacked. They include an incident where a young girl was exposed to racist insults that the hacker yelled at her, and another case where a hacker accessed the doorbell camera of clients Todd Craig and Tania Amador, and threatened them with “termination” unless they paid him 50 bitcoin (about $436,000).
“We know that [Ring’s defense] is not accurate because our clients Todd Craig and Tania Amador each created a unique password for their Ring accounts that they did not use for other accounts,” said Zavareei. “Mr. Craig created a unique 16-character password, and Ms. Amador created a unique 14-character password. If Ring’s excuses were true, the hackers would not have gained access to their Ring accounts, because their username and password combinations were not associated with other online accounts.”
Ring’s track record
The class-action lawsuit alleges negligence, public disclosure of private facts, and intrusion, among other things. Lawyers for the plaintiffs say they’re expecting a third family to join the class action as well.
Previously, Ring has claimed little responsibility for the hacks, describing them as issues with individual users’ passwords, not Ring’s database.
“Ring has refused to take responsibility for the security of its own home security devices.”
“It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists like this so that other bad actors can attempt to gain access to other services,” the company said in a statement to ABC News last month when asked about another, similar suit that it’s facing.
In December, a data leak exposed the personal information of more than 3,000 Ring users. At the time, Ring told Digital Trends that there was no evidence of a hack of its systems. Earlier in January, Ring told a group of U.S. senators that Ring employees improperly accessed doorbell videos on four separate occasions.
“Even in light of widespread reports of hacks and unauthorized access to devices, Ring has refused to take responsibility for the security of its own home security devices, and its role in compromising the privacy of its customers,” the suit says.
Ring is not the only home security camera company with security issues. Wyze, a Ring competitor, suffered a major data breach at the end of 2019 that affected millions of customers. It was caused in part by the lack of basic security features, experts said. Ring has also suffered a smaller leak, but has denied that its own systems were compromised.
“At Ring, our top priority is the safety and security of our customers,” Ring said in a statement to DT. “While we do not comment on ongoing litigation, it is important to note that there is no evidence that Ring’s systems or network were compromised. But we have taken the issues seriously and plan to launch new user privacy controls. We will continue our long-standing commitment to making our Ring devices even stronger and more secure than ever.”
‘Inadequate security’
Whatever Ring’s new upcoming user privacy controls are, lawyers representing hack victims said Ring’s own security system is not very secure in the first place.
“This is different than the typical data breach case where there’s a mass exfiltration of information,” Austin Moore, a partner at Stueve Siegel Hanson LLP, which is also litigating the case, told Digital Trends. “This goes more to inadequate security.”
“It’s very ironic. You buy [Ring] for security, and they end up opening the door into everybody’s homes.”
“I don’t understand why Ring didn’t implement standard basic security protocols that are known to be effective at preventing unauthorized access,” Moore said.
Moore also added that it was “complete speculation” by Ring that clients’ passwords were stolen from elsewhere, as opposed to hackers exploiting a basic flaw in Ring’s system.
According to both Moore and Zavareei, Ring does not require two-factor authentication, and does not lock out a user after multiple wrong password attempts. This means a hacker can run a simple script that tries combinations of alphanumeric codes an unlimited number of times until it finds the one that will allow a login, Zavareei said.
“There are so many basic security precautions that need to be added here,” Zavareei said. “This is one of the more egregious examples of a failure to protect a privacy interest. It’s very ironic. You buy them [Ring] for security, and they end up opening the door into everybody’s homes.”
