Ring doorbells let people use the app, and watch video feeds, even if passwords had changed
A flaw allowed people to use the Ring device — even after their permission was revoked
UPDATED May 14, 2018 9:30 AM Ring video doorbells continued to give people access to the app and the device — allowing them to tap into video feeds and even download them — after the password had changed.
The discovery by The Information, found that even if a password change was made in Ring's app, people could still get into the device, see and even download videos. Ring's CEO Jamie Siminoff has admitted that to revoke access to the Ring app immediately after changing a password, would hamper the speed of the app.
Ring said it learned of the concern in January, and had since thrown people out of the app who shouldn't have access. While Siminoff noted that Ring was now dropping people an hour after a password change, The Information found it could still get in several hours later.
"Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security," says a Ring spokesperson by email. "We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring's "Shared Users" feature. This way, owners maintain control over who has access to their devices and can immediately remove users. Our team is taking additional steps to further improve the password change experience."
Smart devices rely on passwords to gain access to their functions — opening a smart lock for example, or tapping into a video feed in a smart doorbell or a smart security camera. Passwords are essential to smart device security.
The ability to add people to an app, or throw them out, is also key to the flexibly of smart devices, and one of the reasons smart locks, in particular, appeal not just to home owners but to renters. You can change a lock, so to speak, by just issuing a new password and code. If password changes do not take affect, if you can't later lock someone out, the security feature these products promise are compromised.
Amazon, which bought Ring in February for approximately $1 billion, has been promoting several ways its customer can get packages without being home through its service called Amazon Key. Delivery people can drop off packages into houses by working in tandem with Amazon's indoor security camera Cloud Cam, or even in a car, if the vehicle has OnStar.
Besides video doorbells, Ring makes connected security cameras as well, which compete with its new parent, Amazon.