After breaking up with his boyfriend, Jesus Echezarreta changed the password on his Ring smart doorbell—twice. Still, his ex-boyfriend was able to download video from the home security device as well as remotely ring the doorbell in the middle of the night. The company says it fixed the security flaw that made this possible in January, but The Information reports that problems remain.
Ring makes a smart doorbell with a wifi-connected camera that lets users watch videos on their phone rather than through a peephole. Amazon dropped $1 billion to acquire Ring in February, finally edging its way into cameras and keyless entry after smart lock company August rejected its bid for $100 million in 2016.
The security breach detailed above was possible because Ring’s software let users stay logged into a doorbell on the app, even after the password was changed. A Ring spokesperson told The Information that the Ring app was updated in January, which happens to be when Echezarreta reached out to the company for help. The spokesperson reportedly said that users are now logged out of the app when a password is changed and required to log back in.
But Ring CEO Jamie Siminoff admitted to The Information’s Reed Albergotti that this process is not immediate, saying it could take an hour for someone to get kicked off in the event of a password change. Speaking to Gizmodo, Albergotti said that a full 24 hours after changing the password on his Ring doorbell, he’s still logged in and able to access his camera.
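A minimal model of the flaw described above and of its fix, added here as an illustration and not taken from Ring's code: the `SessionStore` class, its method names and the sample credentials are all hypothetical. It contrasts a server that leaves existing sessions alive after a password change with one that revokes them in the same step.

```python
import hashlib
import hmac
import os
import secrets


class SessionStore:
    """In-memory model of server-side sessions (hypothetical, not Ring's design)."""

    def __init__(self, revoke_on_password_change=True):
        self.revoke_on_password_change = revoke_on_password_change
        self._users = {}     # username -> (salt, password hash)
        self._sessions = {}  # session token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        if user not in self._users:
            return None
        salt, stored = self._users[user]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def change_password(self, user, new_password, keep_token=None):
        self.set_password(user, new_password)
        if self.revoke_on_password_change:
            # Revoke in the same step as the change: every session of this
            # user is dropped except the one that made the change.
            self._sessions = {t: u for t, u in self._sessions.items()
                              if u != user or t == keep_token}

    def is_valid(self, token):
        # Checked on every request, so a revoked token fails immediately.
        return token in self._sessions


def demo(revoke):
    store = SessionStore(revoke_on_password_change=revoke)
    store.set_password("owner", "old-password")          # constructed sample data
    owner_phone = store.login("owner", "old-password")
    other_phone = store.login("owner", "old-password")   # second device, same credentials
    store.change_password("owner", "new-password", keep_token=owner_phone)
    return (store.is_valid(owner_phone), store.is_valid(other_phone),
            store.login("owner", "old-password") is not None)
```

With `demo(False)` the second device stays logged in even though the old password no longer works; with `demo(True)` its session is gone as soon as the password changes.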
Echezarreta says his ex-boyfriend confirmed that he had been spying through the doorbell camera, and Ring gave Echezarreta a new device. But the doorbell itself wasn’t the issue—it was the weak security measures in place before this deeply disturbing invasion of privacy took place. For a company that is positioning itself in the security space, this oversight is alarming, and customers are wise to ask tech firms like Amazon to earn their trust before opening their doors.
Update 4:11pm: A Ring spokesperson told Gizmodo in a statement that they are “taking additional steps to further improve the password change experience.” They also said that they “strongly recommend that customers never share their username or password” and that they should instead add other users through their “Shared Users” feature so that they can “maintain control over who has access to their devices” and “immediately remove users.”