Just over a year ago, Ring committed so many security flaws that it became impossible to recommend its products, especially after blaming users for its lax security policies. But the company changed its tone and, more importantly, made amends. Now, over a year later, Ring deserves your attention.
Privacy is important in security and smart home products
Every time you buy a new smart home product, you open a window into your life that businesses can see through. For example, an Alexa speaker is not only a handy voice assistant; it is also a shopping center and tracking hub. Voice assistants don’t listen to everything you say, but they do link your voice searches to your web searches.
Security cameras don’t track you the same way, but they still pose privacy concerns. Every camera in your home is another device literally looking at you, another device that you trust won’t share your intimate moments with the world. That’s where things went wrong for Ring.
Thanks to a combination of weak passwords and social engineering, Ring users found that other people were watching their camera feeds and even talking to their children. It’s a nightmare scenario. In response, Ring blamed users for their password practices when the company should have admitted its mistakes.
At the time, Ring didn’t check for weak passwords and didn’t require two-factor authentication. The Ring app did not control who could access your cameras. The company shared your information with third parties without a way to opt out, and it did not provide end-to-end encryption for camera feeds.
Around the same time, Ring’s uncomfortably close association with law enforcement came to light. That partnership isn’t necessarily a problem, but without transparency in the midst of a scandal, things didn’t look good. Nor was it necessary to fire four employees for watching customer videos without permission.
Fortunately, Ring has changed course.
New dashboard, new policy and a new lease on life
So why does Ring deserve a second look after so many stumbling blocks? Because it started to take security seriously. It stopped blaming users for weak passwords and started requiring strong passwords. Last year we were able to create a Ring account with “password” as the password. Ring put an end to that.
Not only does it require a complicated password (eight characters, uppercase and lowercase letters, one number and symbol), but it also checks for simple passwords. We tried “Password1!” and it rejected that as too common. You also cannot include your name or e-mail address in the password.
In addition, Ring now requires two-factor authentication for all accounts. If you’re reusing a password (don’t; use a password manager), two-factor authentication should keep the bad guys out even if they have your compromised credentials. Additionally, Ring will now check for compromised credentials and will notify you if you need to change your password.
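The checks described in the two paragraphs above, sketched as an added example (this is not Ring’s code). The function name, the tiny common-password list and the breach set are constructed for illustration; a real service would load much larger lists.

```python
import hashlib
import re

# Constructed sample data: stand-ins for a real common-password list and a
# real breach corpus. SHA-1 is used here only as a lookup key into breach
# data, never as a way to store passwords.
COMMON_PASSWORDS = {"password", "password1!", "qwerty123!", "letmein1!"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("Summer2020!x", "Tr0ub4dor&3")}

def check_password(password, name, email):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    # Composition rules: eight characters, both cases, a number and a symbol.
    if len(password) < 8:
        problems.append("too short")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Composition alone accepts "Password1!", so compare against a common
    # list as well (case-insensitively).
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("too common")
    # Personal tokens: each part of the name, the e-mail and its local part.
    # Tokens shorter than three characters are ignored to avoid noise.
    mail = email.lower()
    tokens = re.split(r"\s+", name.lower()) + [mail, mail.split("@")[0]]
    if any(len(t) >= 3 and t in lowered for t in tokens):
        problems.append("contains name or e-mail")
    # Compromised-credential check against known breach data.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found in breach data")
    return problems
```

A password that passes every composition rule can still fail the last three checks, which is why “Password1!” is rejected.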
Ring also introduced a privacy dashboard that allows you to see all connected devices and remove them if you don’t recognize a phone or tablet. The company has paused third-party analytics long enough to introduce opt-out options in the dashboard. Opt-in would be better, but opt-out is a step in the right direction.
And recently Ring introduced end-to-end encryption for wired cameras. That should prevent anyone from intercepting your camera feeds. It would be good to see wireless cameras getting that treatment, but it’s another win for privacy.
While Ring has not reconsidered its close relationship with law enforcement, it is now more transparent. You can now check the active map of Ring’s agencies to see if law enforcement officers in your area are working with Ring and how many video requests those agencies have recently made. A partnership doesn’t necessarily have to be a bad thing, but transparency helps in decisions that require trust.
Ring’s practices aren’t perfect yet, but they have vastly improved.
Recognize a change in attitude
Last year, we wrote that in order to regain our trust, Ring should enable two-factor authentication by default, check for reused passwords, prevent weak passwords during setup, and start checking IP addresses at login.
Ring did all of that, except for IP logging. Two-factor authentication is now enabled by default for all users; you must opt out. Ring will not let you use a weak password and will scan databases for compromised credentials.
The new privacy dashboard goes beyond our recommendations, and you can now easily see who can access your account and remove them. You have more control over what Ring shares, and if you have a wired camera, it uses end-to-end encryption. That’s almost all we asked for plus more.
The only thing we would still like to see is IP logging. Whenever someone tries to log into a Ring account, Amazon can tell if the request comes from somewhere unusual. A Ring representative previously told us that Ring would take action if a login attempt seems suspicious, but our experience says otherwise.
While writing this article, we were able to log into a US-based Ring account from a Switzerland-based IP address. That should have been suspicious, but Ring let it through. However, Ring immediately sent notifications and emails about the sign-in, specifying a date, time and partial IP address. That should be enough information to determine if someone outside of your family has signed into an account. However, you’ll have to dig into the Control Center in the Ring app yourself to kick the new device. We recommend Amazon include a direct link in the notification for your convenience.
A total block would still be better, but Ring’s new tools gave us exactly the information to protect our account from a potential hacker. That is a big change from the past. And that’s exactly why you can trust Ring again.
The fact that a company has made mistakes should never be the whole story. It’s about what the company does next. Ring made mistakes, there’s no denying that. But solid steps have been taken over the year to correct those errors, provide greater transparency and the tools to protect your security cameras.
That makes it worth your time and money.