Oregon Senator Ron Wyden isn’t satisfied with Amazon’s response to a string of incidents involving compromised home security cameras made by its subsidiary Ring, such as a high-profile event in 2018 in which a hacker taunted an eight-year-old Tennessee girl in her own bedroom.
Motherboard reported last year that hackers have developed software to rapidly cycle through databases of leaked email addresses, usernames, and passwords to gain access to Ring devices without two-factor authentication activated—something that manufacturer Amazon did not require by default. Amazon also didn’t implement basic security precautions like alerting users to remote logins or attempting to verify logins from unknown IP addresses. Some internet sickos even took to livestreaming intrusions on compromised Ring devices inside people’s homes via Discord.
Even amid news that account credentials for thousands of Ring owners were discovered floating around online, Amazon insisted that the compromised accounts were the fault of users. Democratic Senators Ron Wyden, Edward Markey, Chris Van Hollen, Chris Coons and Gary Peters asked Amazon in a recent letter what it planned to do about the situation; Amazon responded on Monday, the same day that it announced it would require two-factor authentication on new accounts (but not existing ones) and launch a privacy Control Center, per CNET.
Amazon said it wouldn’t require two-factor authentication be enabled on old accounts because it would force users to log out first, portraying the issue as a security concern rather than a business decision. Wyden told Gizmodo in a statement on Wednesday that he wasn’t satisfied with Amazon’s approach.
“Requiring two-factor for new accounts is a step in the right direction, but there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers,” Wyden wrote. “Amazon needs to go further—by protecting all Ring devices with two-factor authentication.”
In their response to the senators, Amazon also acknowledged that on four separate occasions in the last four years it had terminated employees due to “complaints or inquiries regarding a team member’s access to Ring video data” in excess of “what was necessary for their job functions.” Amazon wrote that Ring had investigated each incident and “taken multiple actions to limit such data access to a smaller number of team members.”
“We take the protection of customer data very seriously and are always looking for ways to improve our security measures,” Amazon told CNET in a statement.
Ring is facing a class action lawsuit in California on claims of negligence, invasion of privacy, breach of contract, and unjust enrichment over its handling of security, with plaintiffs claiming it failed to meet its “basic obligation [to ensure] its Wi-Fi enabled cameras were protected against cyber-attack.” The company has also come under fire for its partnerships with hundreds of police departments across the country, which could potentially tap into the vast network of Ring cameras for surveillance purposes.