After a series of security incidents involving products made by Amazon-owned Ring, the home security company is making the case to U.S. senators that its cybersecurity policies are robust.
In a letter to lawmakers this week, which CyberScoop obtained, Ring said it regularly does penetration testing and source code reviews of its products, and that it encrypts the video captured by its cameras.
“Like any rapidly growing company, we recognize that we must continually evolve and enhance our data and security practices to block efforts by bad actors,” Brian Huseman, Amazon’s vice president of public policy, wrote in the letter to five Senate Democrats.
The company said it now “proactively monitors” for customer credentials sucked up in third-party breaches, and recently began prompting users to set up two-factor authentication on their accounts to make it harder for hackers to compromise them.
The senators — Chris Coons of Connecticut; Ed Markey of Massachusetts; Gary Peters of Michigan; Chris Van Hollen of Maryland; and Ron Wyden of Oregon — had requested details on Ring’s security practices following reports of weaknesses in the company’s doorbell cameras.
Ring, like the makers of countless other internet-of-things devices, has to reckon with the tradeoffs of security and accessibility.
Last November, researchers from security company Bitdefender showed how a vulnerability in Ring’s internet-connected doorbells could be used to intercept a customer’s login credentials and then launch a larger attack on the network. Amazon issued a patch for the vulnerability.
Ring cameras have also drawn concerted interest from malicious hackers, who have created dedicated software for breaking into them, Vice reported last month.
In a statement, Wyden said he was encouraged by Ring’s move to two-factor authentication, but added that “there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers.”
“Amazon needs to go further – by protecting all Ring devices with two-factor authentication,” the Oregon senator continued. “It is also disturbing to learn that Ring’s encryption of user videos lags behind other companies, who ensure that only users have the encryption keys to access their data.”
Huseman also told the senators that Ring had fired four of its employees in the last four years for improperly accessing customers’ video data, highlighting the risks to privacy of home IoT devices.
You can read the full letter at http://www.documentcloud.org/documents/6603508-Response-Letter-on-Ring-1-6-2020.html.