News, Culture & Society

Amazon’s Ring Neighbors app exposes locations and home addresses of users who posted in the app

A bug in Ring’s Neighbor app exposed the locations and home addresses of users who shared posts on the platform.

The number of users affected is unknown, but reports show four million posts were shared to the app last year.

The video-doorbell maker launched Neighbor as a hyperlocal community-watch app in 2018, allowing members to report crime and unusual activity in a five mile radius of their home.

Names and exact locations aren’t shared when posts go up, but detailed specifics — including home addresses and even latitude and longitude — are recorded on Ring’s servers.

The flaw was publishing the hidden data but no bad acts have been tied to the security gap yet.

Ring, which was purchased by Amazon for $1.2 billion, says the security flaw has since been fixed.

  Hidden information from Ring servers, including addresses and longitude and latitude, was being published as a result of a security flaw, the company admits

‘At Ring, we take customer privacy and security extremely seriously. We fixed this issue soon after we became aware of it,’ Ring spokesperson Yassi Shahmiri said, TechCrunch reported.

‘We have not identified any evidence of this information being accessed or used maliciously,’

The Neighbors app has grown in popularity, with some 10 million users in September 2020, but it’s fallen prey to security flaws before.

A similar bug was discovered in 2019, revealing the locations of tens of thousands of Ring users.

Privacy experts complain Ring security camera systems leave users vulnerable to hackers and bad actors. The company's partnerships with law enforcement has also been criticized

Privacy experts complain Ring security camera systems leave users vulnerable to hackers and bad actors. The company’s partnerships with law enforcement has also been criticized 

Gizmodo was able to compile data on 65,800 Neighbors users’ individual posts — some going back 500 days — then home in on locations to plot maps with the near-exact location of their Ring doorbells.

The site said it only stopped mining the data when it had enough to demonstrate the ease of access, not because it was stopped by Ring.

Dan Calacci, a computer scientist at MIT’s Media Lab, was able to plot the locations of up to 20,000 of Ring cameras across 15 US cities, and compile a map showing every Ring video posted to the Neighbors app since 2017.

Dan Calacci from MITs' Media Lab was able to plot the locations of up to 20,000 of Ring cameras across 15 cities

Dan Calacci from MITs’ Media Lab was able to plot the locations of up to 20,000 of Ring cameras across 15 cities

In 2019, Ring log-in credentials of more than 3,600 users — including emails, passwords and phone numbers — were leaked onto the dark web. 

That same year, Ring and Amazon were hit with a class-action lawsuit by customers who say they weren’t sufficiently protected from hackers commandeering their device’s microphones.

How do I secure my Ring doorbell?

The Ring doorbell introduces a potential digital vulnerability to your physical world. If you plan to use it, then make sure you do so securely and take the following precautions: 

  • Protect your Wi-Fi with a guest network and use a strong password. Also, make sure to have well-customised settings (eg. do not share your Wi-Fi publicly and disable SSID broadcast so your network is not visible to strangers); 
  • Use a firewall and antivirus software; 
  • Be sure to attach your device securely so that it can’t easily be stolen; 
  • Always keep its software up-to-date; 
  • Do not share Ring videos on social networking apps as it might pose a threat to your security and privacy; 
  • Do not keep old footage. Delete it so there would be less information available about you in case of a breach. 

Source: NordVPN

One plaintiff alleges someone breached his Ring and proceeded to comment on his children playing basketball in the yard.

There have been at least a half-dozen virtual break-ins reported, including a mother in Tennessee sharing chilling footage of a hacker pretending to be Santa Claus talking to her 8-year-old daughter.

‘They could have watched them sleeping, changing,’ she said. ‘I mean they could have seen all kinds of things.’

In another disturbing encounter, someone hacked into a Ring to blare loud noises and berate a family with racial slurs.

Ring says it encourages customers to use its two-step authentication process, select unique passwords and change them regularly. 

The company’s ongoing partnership with more than 700 local law enforcement departments has also raised privacy concerns.

Agencies can request help locating a missing person or get details on a suspect, and collect publicly posted pictures and video to assist in ongoing investigations.

But Ring also gives authorities maps identifying where homeowners live and reportedly allows them to search for specific addresses to see nearby camera concentrations.

In its early days, Ring even encouraged members to form ‘Digital Neighborhood Watches,’ reporting suspicious activity in exchange for free or discounted products. 

If a Digital Neighborhood Watch helped solve a crime, members would receive a $50 discount off any Ring product.

A spokesman said the program was introduced in 2017, before Ring was purchased by Amazon, and discontinued that same year.