Ring Doorbell Privacy Concerns, Recent Password Breach News, Biometrics and Fifth Amendment Rights

This is your Shared Security Weekly Blaze for January 21st 2019 with your host, Tom Eston. In this week’s episode: Ring doorbell privacy concerns, news on a recent password breach, and a new ruling on biometrics and Fifth Amendment rights.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Amazon, who now owns popular smart doorbell maker Ring, is being accused of mishandling video footage from customers’ cameras. In a report from the Intercept, Ring is accused of mishandling videos that were taken from their line of smart home security cameras and allowing unrestricted access by internal employees to these videos. According to the article, in 2016 Ring moved its R&D operations to the Ukraine in a cost saving measure and the team had quote “unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.” end quote On top of that, there was a database that allowed internal users access to run a search on any videos linked to a particular user and Ring executives and engineers in the US were allowed quote “unfiltered, round-the-clock live feeds from some customer cameras.” end quote

Apparently, Ring uses this team in the Ukraine to manually tag videos so that one day Ring’s AI technology could be trained to leverage this type of metadata. Video’s from Ring’s line of smart cameras can contain video from outside and inside someone’s house. Ring responded to the Intercept article with the following statement quote

“We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.” end quote. There was more to their statement about their internal policies but I think you get the idea. The Intercepts sources for this story, of course, dispute these claims from Ring’s management.

While one can argue the trustworthiness of this article, it does have a great point to it. If you’re using a smart device like a Ring doorbell camera that saves its video or data to the cloud, you should probably assume that someone else will most likely be able to view your data. Regardless of what the companies privacy policy or terms of use say, there will always be ways for internal employees to access this data. From customer support situations or using your data to improve their own technology, companies will find creative ways to leverage incredibly valuable private information, especially from video feeds.

Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.

Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.

Visit edgewise.net to get your free month of visibility.

When you see articles with sensational titles like “Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach” you usually think that this is a pretty serious situation. However, in this day and age, don’t be so quick to jump to conclusions as in this case these 773 million records with 21 million unique passwords are actually a collection of past data from many different data breaches. This data dump called “Collection #1” is approximately 87GB in size and was first analyzed by Troy Hunt who manages the HaveIBeenPwned data breach notification service. Troy Hunt confirmed that this data was in fact made up of many different data breaches from many different sources. Brian Krebs from KrebsOnSecurity.Com went a step further and contacted the seller of this data to find out more details. In discussions with the seller, he actually steered Brian away from “Collection #1” since the seller said that this data was at least 2-3 years old. The seller then tried to sell him more recent data which was less than 4GB in size and less than a year old.

So besides trying not to fall for “click bait” articles like the one created by Wired, the moral of this story is that collections of data from previous data breaches is big business. Data like this can easily be repackaged and resold as a “recent” data breach with very little ramifications. The take away from this is that if your information was ever part of one of these data breaches it can easily be recycled over and over to the highest bidder. As we always say, you should periodically think about your password management strategy. And this should include using a password manager, choosing unique passwords for each and every site and service that you use and using two-factor authentication (preferably app based) where ever possible or available.

Last week a US judge ruled that law enforcement cannot force individuals to unlock their mobile device through biometrics like your finger or face, whether or not a warrant has been issued.  The judge, who was presiding over a case in the US District Court for the Northern District of California says that by forcing someone to unlock their device through biometrics violates a person’s Fifth Amendment rights against self-incrimination. This development is a long time coming as previously it was viewed that law enforcement had the right to force people to unlock a device with their face or finger. Before this new ruling, law enforcement treated biometrics just like passwords as suspects could be forced to unlock their device upon request. The judge has said “There are other ways that the government might access the content that do not trample on the Fifth Amendment.”

You may remember that I mentioned this exact topic back in October of last year where for the first time ever, there was now a documented case of law enforcement forcing an Apple iPhone X owner to unlock their device with their face. Now with this recent development, it’s great to see that while technology like biometrics are being treated the same way as passcodes from a Fifth Amendment perspective. I’ll bet, that future cases will challenge this ruling. But in the meantime, let’s call this latest ruling a victory for our privacy.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Please follow and like us:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.