Two couples have filed a proposed class action lawsuit in which they allege security vulnerabilities in Ring LLC’s indoor security cameras have allowed hackers to “spy on and harass” consumers and children inside their own homes.
The 37-page suit out of California charges that although the Amazon subsidiary promises to take users’ security seriously, Ring has “created a living nightmare” for some by “refus[ing]” to implement “even the most basic security precautions” to prevent unauthorized parties from gaining access to customers’ security cameras.
The Birth of a Surveillance Network
Santa Monica, California-based Ring has built its brand on creating products that promise to keep consumers’ homes safe and secure. In fact, Ring’s stated mission, the complaint mentions, is “to reduce crime in neighborhoods,” purportedly by offering “smart security here, there, everywhere.” From its origins as a company called DoorBot, Ring has grown into a billion-dollar business after it was acquired by Amazon in 2018, a move that has allowed the defendant to swell beyond offering only Wi-Fi-connected doorbells.
Today, the suit continues, Ring sells a full range of Wi-Fi-connected home security devices, including video doorbells, indoor and outdoor security cameras, and motion sensor-activated outdoor spotlights and floodlights. Along with its product selection, Ring’s capabilities have similarly expanded, the suit says, effectively allowing the company to cultivate a nationwide surveillance network that works alongside hundreds of police departments.
Although Ring’s marketing materials and public stance fortify the notion that installing the company’s products will make any home safer, the plaintiffs argue that their experiences with the indoor security cameras are far different—and far more harrowing—than those on which the defendant stakes its reputation.
In-Home Peace of Mind?
The plaintiffs mince no words in alleging that contrary to Ring’s public promises, the company has failed to implement even the most basic cybersecurity measures, all but erasing any chance for consumers to achieve the at-home peace of mind they sought when installing the indoor security cameras. Even the existence of a “widely livestreamed” podcast centered on tips and tricks to hack Ring devices has done nothing to sway the company to put in place stronger security precautions, according to the suit.
To set up a Ring device, a user has to download the company’s app and create a username and password, which links to an individual’s mobile device and grants access to a camera’s feed. The plaintiffs stress, however, that unlike other companies, Ring fails to make use of “basic, industry standard measures,” such as two-factor authentication, to protect users’ accounts from the moment they sign up.
“Although Ring offers two-factor authentication, it does not require it,” the complaint reads. “And new Ring users are not prompted to enable two-factor authentication at the time they create an account—virtually assuring that the vast majority of users will never enable it.”
Similarly, Ring lacks security protocols to notify a user when someone logs into their account from a new device or unrecognized IP address. Though “most companies” ask for confirmation before allowing a sign-in from another device or IP address to occur, Ring, the lawsuit alleges, “lets it happen no questions asked.”
Further still, the plaintiffs claim Ring fails to provide users with any way to see how many individuals are currently logged into their account, a measure that could help identify whether an unknown party had gained access to and watched a particular camera feed. Ring, the lawsuit says, also does not monitor whether a user is simultaneously logged in from two places at once, nor provides users with a list of previous login attempts. The combination of these shortcomings, the plaintiffs stress, “mak[e] it difficult—if not impossible—to tell whether an unauthorized user has accessed a user’s account.”
According to the complaint, Ring also fails to protect users against repeated, automated login attempts despite it being well known in the cybersecurity community that hackers can use software capable of rapidly checking whether email and password combinations will grant access to a particular account. Hackers will often attempt “brute force entry” on an account, the case explains, by way of using bots or software to rapidly enter combinations of letters, numbers and symbols into the password field to effectively guess a user’s password.
Whereas the defendant could, for instance, implement a procedure to lockout a user after too many invalid login attempts, mark certain IP addresses as suspicious, or utilize a captcha to check whether a user is a human rather than a software program, Ring “does not offer these standard measures,” the case says.
“Inadequate and Seemingly False Excuses”
Citing a number of reports of hackers gaining access to Ring’s indoor security cameras and spying on and harassing homeowners, the lawsuit scathes that the company “has not taken responsibility, apologized, or outlined any measures it is taking” to bolster its security. To the contrary, Ring, the plaintiffs say, has “placed fault on the victims for its own deficient security features,” choosing to blame unauthorized intrusions on the use of the same username and password for multiple services rather than its own security inadequacies.
“In other words, according to Ring, the hacked cameras were accessed when unauthorized individuals were able to use a login and password combination that it obtained from somewhere else,” the complaint says. “But Ring’s excuses fail to recognize that Ring’s own products are not designed in a manner that would prevent such hacks, even though it could have easily implemented security features designed to do just that.”
“A Living Nightmare”
One set of plaintiffs, a husband and wife from Mississippi, say they had no issues with their indoor Ring security camera for the first four days of use. The couple—who the suit says bought the device to watch their children, one of whom has a history of seizures, during the wife’s night shifts—say that initial feeling of security vaporized on December 4, 2019, when a mysterious song began to play through their Ring devices. From the lawsuit:
Shortly after 8 p.m., both of the Blakeleys’ cameras began live-streaming, and the Tiny Tim cover of ‘Tiptoe Through the Tulips,’ a song that appeared in a scene from the 2020 horror film ‘Insidious,’ began to play through the two-way talk feature. At the time, Ms. LeMay was out running errands, but Mr. Blakeley was at home with their children.
Intrigued by the music, the Blakeleys’ eight-year-old daughter, A., went to the room she shares with two of her younger sisters to investigate. But the room was empty. A. wandered the room, looking for the source of the music, the song abruptly stopped, and a man’s voice rang out: ‘Hello there.’
A hacker had gained unauthorized access to the Blakeleys’ device. He was able to do so because Ring does not utilize ordinary, basic security precautions to secure their users’ accounts.”
According to the lawsuit, the hacker went on to shout racial slurs at the plaintiffs’ eight-year-old daughter before her father disabled the device. The plaintiffs claim that after calling Ring and being told the company would look into it, they left for a vacation and returned on December 9 without hearing from the defendant.
“To this day, Ring has not disclosed the identity of this unknown hacker to the Blakeleys, who have no way of knowing the motives of the digital intruder or whether he could come to their home in person and threaten the physical safety of their family,” the lawsuit reads, adding that the plaintiffs have been unable to use their indoor security cameras since the December 4 incident “out of fear they will be hacked again.”
The second set of plaintiffs, a couple from Texas, relay a similarly distressing story. From the complaint:
A loud voice began shouting inside the home, ‘Ring support! Ring support! I would like to notify you that your account has been terminated by a hacker!’”
Ms. Amador was napping at the time, and was awakened by the noise. Mr. Craig was standing in front of his indoor camera at the time of the breach, and jumped at the sound.
A stranger had hacked the couple’s Ring system and was spying on the inside of their home.
The hacker blared sirens through the Ring cameras. He threatened, ‘Pay this 50 bitcoin ransom or you will get terminated yourself!’”
Though the plaintiff says he went on to disable the indoor Ring camera, the hacker, the lawsuit goes on, then accessed the couple’s doorbell. Despite informing Ring of the situation, the couple has received no information from the company regarding the intrusion, such as a log of the unauthorized access and confirmation of the account used in the breach.
The complaint claims that had the plaintiffs and proposed class members known the truth about Ring’s “substandard security practices,” they never would have purchased—or would have paid substantially less for—the company’s products.
“Plaintiffs purchased Ring indoor security cameras to try to protect their homes and feel safer,” the case says. “Instead, the Ring devices created a living nightmare by allowing intruders to come into their homes and harass them and their families.”
Who Does the Lawsuit Cover?
The plaintiffs look to include all consumers who bought an indoor security camera from Ring LLC during a to-be-defined time period. The lawsuit additionally looks to cover a subclass of all consumers who bought a Ring indoor security camera and whose Ring account was accessed by an unauthorized third party.
The complaint can be read below.