Home security breach roundup
Why track security breaches?
It’s only natural to expect security companies to prioritize protecting their customers, but this isn’t always the case. Whether you’re holding the magnifying glass up to skipped security measures, sold customer data, or questionable business practices, there’s a lot that security companies can improve.
We’re not here to accuse companies of misconduct without evidence. We just want to promote awareness so you can make informed decisions and companies can raise their standards.
At SafeWise, we spend most of our time writing reviews and guides, so we can’t devote our resources to reporting on current events in the same way as other websites. But behind the scenes, we’re scouring the news to learn about company reputations as part of our methodology.
Consider this an invite to check out our virtual sticky notes on the latest in home security news.
We understand the effort and skill that goes into this kind of journalism, so we recommend exploring the full articles using the links in each summary.
Check back occasionally, and you might find something new on our list. For tips and advice, check out our guide to preventing smart home hacking.
Recent hacks and breaches
Because the digital world is flooded with talk of hacks and breaches, we decided to break our findings into two categories: breaches and research on preventing them.
How to protect yourself from breaches
- Choose devices wisely.
- Change your default username.
- Use strong passwords.
- Use two-factor authentication.
- Avoid public Wi-Fi for remote access.
- Check app permissions.
Breaches
Accidental breaches tend to result from human error, lax policies, or underinvesting in security technologies. You see these breaches when companies skip steps like these:
- Sensitive data encryption
- Strong password requirements
- Enhanced features like two-factor authentication
Deliberate breaches happen when determined hackers bypass customers to attack companies directly. By intentionally exposing sensitive data or degrading services’ effectiveness, hackers want a big payout or simply to spread fear.
ADT
Date
|
Incident
|
May 2020
|
ADT terminated an employee after a customer discovered an unauthorized account login. The employee had been illegally watching security camera feeds from hundreds of Texas customers for seven years. ADT is facing class-action lawsuits related to the incidents.
|
Source: Kaley Johnson, Fort Worth Star-Telegram, “ADT Employee Spied on Hundreds of Dallas-Fort Worth Families for 7 years, Company Says,” May 2020. Accessed July 30, 2020.
Various security camera brands including Google Nest
Date
|
Incident
|
January 2020
|
Researchers discovered a sextortion campaign focused on users of security cameras, including some from Google Nest. It likely came from harvested email addresses, but the researchers said there was no evidence that perpetrators possessed real videos.
|
Source: Alex Scroxton, ComputerWeekly.com, “Sextortion Campaign Hits Nest Home Security Cameras,” January 2020. Accessed July 30, 2020.
What is sextortion?
Ring (Amazon)
Date
|
Incident
|
January 2020
|
Ring announced the termination of four employees for spying on customers' camera feeds. The events spanned the previous four years, but this was the first public acknowledgment.
|
Source: Dalvin Brown, USA TODAY, “Amazon’s Ring Fires Four Employees for Snooping on Customers’ Doorbell Camera Video Feeds,” January 2020. Accessed July 30, 2020.
Date
|
Incident
|
December 2019
|
Following an incident where someone remotely harassed a Mississippi girl using a Ring security camera, an Alabama man filed a class-action lawsuit against the company for failure to provide sufficient security. Ring suggested the hacks came from weak customer security but didn't encourage users to create strong passwords before the incident.
|
Source: Jon Fingas, Engadget, “Amazon, Ring Face Lawsuit over Alleged Security Camera Hacks,” December 2019. Accessed July 30, 2020.
Wyze Labs
Date
|
Incident
|
December 2019
|
Public exposure of data from 2.4 million customers, including email addresses and Wi-Fi network information, but no passwords. The breach was an accidental byproduct of an employee conducting internal analytics work.
|
Source: Nicole Karlis, Salon.com, “A Huge Security Camera Company Just Had a Huge Security Breach,” January 2020. Accessed July 30, 2020.
Research to prevent breaches
Security researchers help companies by discovering possible breach tactics before they occur. The research primarily focuses on the technology behind breaches and often informs the security strategies of businesses.
These finds aren’t as practical for everyday consumers, but you can pull them out of your back pocket to sound smart at your next dinner party.
Various security camera brands including Google Nest and Xiaomi
Date
|
Incident
|
July 2020
|
Researchers revealed how the size of the datastream from a security camera, which is typically unencrypted, could show outside observers whether someone is home or not. This is because security cameras don't use as much data when there's nothing to record.
|
Source: Jack Guy, CNN, “Security Cameras Can Tell Burglars When You’re Not Home, Study Shows,” July 2020. Accessed July 30, 2020.
iBaby Labs
Date
|
Incident
|
March 2020
|
Researchers spotted a vulnerability in iBaby baby monitors that could have given access to recordings, personal information, and the popular baby camera's controls. Only after this news became public did the company patch the vulnerability, despite the researchers' efforts to contact the company in the previous 10 months.
|
Source: Sara Morrison, Vox Media, “The Case against Smart Baby Tech,” March 2020. Accessed July 30, 2020.
Philips Hue
Date
|
Incident
|
February 2020
|
Researchers explained a bug that could allow hackers to fake a defective smart light bulb, prompting users to reinstall the bulb. After a reset, hackers could install malware on the Hue hub and home network. Philips Hue fixed the bug between November 2019 and February 2020, when the report went public.
|
Source: Aaron Mamlit, Digital Trends, “Hackers May Attack Home Networks through Philips Hue Smart Bulbs Vulnerability,” February 2020. Accessed July 30, 2020.
Culture and government
Governments carry an absolute responsibility to protect citizens, so it’s important to recognize potential security failures when they crop up. Here are some activities, laws, and regulations to think about.
Date
|
Incident
|
July 2020
|
During a congressional antitrust hearing, Rep. Kelly Armstrong, from North Dakota, asked about Google's compliance with controversial geofence warrants in the wake of racial equality protests. Geofence warrants allow law enforcement agencies to access data from anyone in a certain place at a specific time.
|
Source: Alfred Ng, CNET, “Lawmaker Questions Google’s CEO about Geofence Warrants,” July 2020. Accessed July 30, 2020.
Ring (Amazon)
Date
|
Incident
|
June 2020
|
Ring has partnerships with over 1,300 law enforcement agencies across the US, which present a threat to Americans' privacy and well-being—especially people of color—if abused, according to the Electronic Frontier Foundation (EFF).
|
Source: Jason Kelley, Matthew Guariglia, Electronic Frontier Foundation, “Amazon Ring Must End Its Dangerous Partnerships with Police,” June 2020. Accessed July 30, 2020.
Police-tracking apps
Date
|
Incident
|
June 2020
|
CNET highlights how protesters have used apps like Citizen and Ring Neighbors to track police activity. Conversely, the information shared in these apps is often available to law enforcement.
|
Source: Laura Hautala, CNET, “Police-tracking Apps Are More Popular than Ever Thanks to the Protests,” June 2020. Accessed July 30, 2020
Questionable business practices
While we understand that businesses first and foremost aim to maximize profits, that can create stumbling blocks for customer experience and lead to privacy pitfalls.
Amazon and Google
Date
|
Incident
|
March 2020
|
Both Amazon and Google require third-party partner companies to continually share status updates with them, potentially exposing user data to attacks. Previously, access to this information occurred only upon issuing a command.
|
Source: David Priest, CNET, “Smart Home Developers Raise Concerns about Alexa and Google Assistant Security,” March 2020. Accessed July 30, 2020.
Ring (Amazon)
Date
|
Incident
|
January 2020
|
The Ring app shares varying levels of user data with five companies: Facebook, Branch, AppsFlyer, MixPanel, and Crashalytics (Google). According to the EFF, the data presents a privacy hazard since marketing companies can track users.
|
Source: BBC, “Ring Doorbell ‘Gives Facebook and Google User Data’,” January 2020. Accessed July 30, 2020.
Source: Mark Huffman, ConsumerAffairs, “Amazon Engineer Goes Public with Criticism of the Ring Doorbell Security System,” January 2020. Accessed July 30, 2020.
Responses and improvements
Breaches usually lead to improvements if companies are willing to learn from their failures. Here are some examples of companies improving things after a breach (it doesn’t even have to be their breach).
Amazon, IBM, and Microsoft
Date
|
Incident
|
June 2020
|
Amazon started a one-year moratorium of police access to its facial recognition software following concerns that police would try to identify and target protesters. Microsoft and IBM have made similar decisions with IBM stopping facial recognition development entirely.
|
Source: Rebecca Heilweil, Vox Media, “Big Tech Companies Back Away from Selling Facial Recognition to Police. That’s Progress.,” June 2020. Accessed August 12, 2020.
Blink (Amazon) and Arlo
Date
|
Incident
|
March 2020
|
Blink and Arlo now require two-factor authentication to protect user data.
|
Source: Thomas Ricker, The Verge, “Arlo and Blink Cameras are Boosting Security to Beat Hackers,” March 2020. Accessed July 30, 2020.
Google Nest
Date
|
Incident
|
February 2020
|
Google Nest now requires two-factor authentication to protect user data.
|
Source: Allison Matyus, Digital Trends, “Nest Makes Two-Factor Authentication Mandatory for its Smart Home Devices,” February 2020. Accessed July 30, 2020.
Ring (Amazon)
Date
|
Incident
|
January 2020
|
Ring added a Control Center to the Ring app so users can easily manage security settings. Some security features were previously in separate places, while others are new to Ring accounts, like two-factor authentication.
|
Source: Dan Seifert, The Verge, “Ring Adds Privacy Dashboard to App in Response to Security Concerns,” January 2020. Accessed July 30, 2020.
The post Security School: Latest Home Security Breaches and Responses appeared first on SafeWise.
No comments:
Post a Comment