Ring doorbell privacy concerns: Smart home cybersecurity news [January 2020]
Prevalent in smart home cybersecurity news for months now, Ring doorbell privacy concerns continue to surface— This week, news broke out regarding the presence of third-party trackers in the Ring Video Doorbell mobile app for Android.
Ring is among the family of Amazon-owned companies and is said to specialize in home security. Yet, recent news stories bring the company's own security practices into question:
- Massachusetts Senator Ed Markey describes Ring security investigation findings as 'an open door for privacy and civil liberty violations'
- Bitdefender security researchers discover Ring Video Doorbell vulnerability that allows hackers to steal your WiFi password
- Hacker exploits Ring device to target Mississippi family's 8-year-old daughter
- Amazon Ring hacker taunts Florida homeowner and a police officer
As such, both Ring and Amazon were presented with a federal lawsuit at the end of 2019 for the devices' seemingly lax security measures and practices. Additionally, consumer and privacy groups have stepped in with product warnings issued for Ring devices.
Ring doorbell privacy concerns
Now today, there's another concern to add to the growing list. Findings from an investigation held by the Electronic Frontier Foundation (EFF) reveal the Ring Video Doorbell Android app to be packed with third-party trackers that are disclosing device users' Personally Identifiable Information (PII):
"Our testing, using Ring for Android version 3.21.1, revealed PII delivery to
facebook.com. Facebook, via its Graph API, is alerted when the app is opened and upon device actions such as app deactivation after screen lock due to inactivity. Information delivered to Facebook (even if you don’t have a Facebook account) includes time zone, device model, language preferences, screen resolution, and a unique identifier (
anon_id), which persists even when you reset the OS-level advertiser ID."
Below are the certain types of PII received by the other three tracking companies, where only one of which is listed on Ring's List of Third-Party Analytics Services.
- Branch— device_fingerprint_id; hardware_id; identity_id; local IP address; device model; screen resolution; DPI
- AppsFlyer— mobile carrier; time of Ring install and first launch; a number of unique identifiers; the app you installed from; whether AppsFlyer can be preinstalled on the device; installed device sensors and current calibration settings
- MixPanel— users' full names; email addresses; device OS; device model; whether bluetooth is enabled; app settings, which include number of locations where Ring devices are installed
EFF points out the major concern that Ring users should have now knowing these trackers are in place: These small bits of PII are sent off to tracking companies, enabling them to form a "unique picture of the user's device"— one that can be used for further tracking the user as they use said device, even beyond the Ring Video Doorbell app.
Ring devices are among the many IoT seen on the Minim platform, and we are proud to say the third-party trackers in question are on our block list. In fact, Minim users are able to proactively protect all of their connected devices, beyond just Ring, from these domains. If you are interesting in learning more about how Minim secures and protects the smart home, let us know.
Past smart home cybersecurity news roundups:
- June 2019: Linksys Smart WiFi router vulnerability and Android pre-installed backdoor
- July 2019: Website drive-by attacks on home routers
- August 2019: VxWorks and Google Nest Cam IQ Indoor vulnerabilities
- September 2019: SMS-based attacks and major router vulnerabilities
- October 2019: What is Gafgyt malware?
- November 2019: What is Light Commands?
- December 2019: Blink camera and Ruckus router vulnerabilities