Over the past few years, the Digital Lab evaluated and test a number of products and services informed by criteria, indicators and testing processes from the Digital Standard. To bring more transparency to the Digital Standard, we are launching a series of case studies aimed to highlight examples that will help clarify:
- Problems & Context: What type(s) of problems with products and services does Consumer Reports look into for further testing and evaluation ?
- Processes & Methods: What processes or methods does the team use to evaluate and investigate products and services?
- Impact: What type of impact do the product and service evaluations have on stakeholders like industry practitioners, manufacturers, and policymakers?
- Using The Digital Standard: How was the impact of this work informed by the Digital Standard?
Our next case study covers Consumer Reports’ work on connected cameras.
3,000 Ring Doorbell and Camera Accounts May Be Vulnerable to Hackers: Ring users should change their passwords and enable two-factor authentication
First test scores: December 2019
Latest update on test scores: June 2020
Sensitive data collection: Connected devices such as cameras are increasingly being used in the private sphere of the home and collect highly sensitive information including voice and visual recordings of the home and the area immediately around a private residence. However, as multiple reports of connected camera hacking and incidents of unauthorized access have shown, many of these products are built without adequate security.
Exposure of account credentials: There were a series of hacks and vulnerabilities that have affected Ring security cameras and video doorbells, exposing account credentials. Reports surfaced of multiple Ring accounts being hacked through credential stuffing. Back in November 2019, it was revealed that Ring video doorbells contained a vulnerability that exposed WiFi network names and passwords. And last May, The Information reported a vulnerability that let individuals stay logged into Ring accounts even after a password change. At the end of December 2019, it was also reported that Wyze had suffered a breach of their customer data, leaving customers open to unauthorized access of their cameras.
Security breaches: Attackers have openly viewed home security systems and baby monitor feeds, and have even spoken with residents, including young children. In December 2019, Consumer Reports reported on a series of security breaches. The news mainly on Amazon Ring products, where hackers compromised devices, harassed homeowners and sometimes children. While much news coverage was focused on Ring, it was possible that other popular connected camera brands could have similar vulnerabilities.
These issues don’t just plague Ring devices either. In January 2020, there were reports of Nest cameras being hacked, again through credential stuffing. In response to the number of hacks and vulnerabilities, Consumer Reports initiated product testing across 14 connected camera products.
[Excerpts gathered from CR Article: 3,000 Ring Doorbell and Camera Accounts May Be Vulnerable to Hackers and this advocacy letter to connected camera companies]
Full testing: Across 14 home security connected cameras, Consumer Reports performed a round of full testing across these devices in accordance with criteria/indicators of the Digital Standard. The result of this testing was a set of Consumer Reports ratings for home security cameras available to consumers (image left) which incorporated data privacy and security categories. Consumer Reports also reviewed cameras in 2019.
Output & Impact
Created campaign strategy: In order to organize our efforts, the Consumer Reports team strategized a campaign by doing research on reported hacking incidents in the month of December 2019, reviewed the IP camera testing report from August 2019 and assembled a list of company contacts at the 25 manufacturers of connected camera products we have reviewed.
Wrote letter to manufacturers: In January 2020, Consumer Reports drafted and sent letters to the 25 manufacturers of connected cameras, smart doorbells, and DIY security products, since all of these products make use of cameras that collect sensitive information within and outside the home. These letters put the companies on notice that they must have reasonable cybersecurity measures in place in order for consumers to trust and use their products. Specifically, we stated:
“…Consumer Reports writes to urge your company to raise the standard of security for your connected camera, doorbell, or security system. We request clarification on the steps you are taking to prevent hacks and unauthorized access to these cameras and the systems that underlie them. We also want makers of connected devices to know that CR’s ratings will continue to change to reflect the stronger data security and privacy practices we believe are essential for consumer protection, which could impact a product’s eligibility for recommendation.”
Identified 10 security measures: The letters also urged the company to implement stronger security measures to adequately protect consumers and their privacy. These measures may include but are not limited to:
- Automatic firmware/software updates enabled by default;
- Protection against credential stuffing and reuse;
- Require multi-factor authentication and captchas in the authentication system;
- Email notifications for users when a login occurs from a new device or a new IP address;
- Require users to sign back in after changing a password;
- Confirm with the user when the credentials have been changed;
- Password creation rules that require more secure passwords;
- Compatibility with password managers;
- Increased protection against brute-force dictionary attacks by rate-limiting login attempts; and
- Inclusion of a visible indicator (e.g., a prominent LED light) when cameras are active.
Engaged manufacturers with product improvements: Of the 25 companies contacted, seven never responded to our letters or repeated emails, one responded by telling us about their privacy and security initiatives (but did not detail what security measures they implement or plan to implement), and one responded via a physical letter sent to our DC offices.
Discovered vulnerabilities: We tested these cameras in 2019. From December 2019 — January 2020, we conducted a campaign to send out the letters to company CEOs, re-examine our testing of the cameras, and then rescored them, resulting in security vulnerabilities. We responsibly interacted with manufacturers to disclose these issues. Some of the results of the security and privacy tests resulted in an article: Wyze and Guardzilla Security Cameras Have Security Risks, Consumer Reports Finds.
Designed a Consumer Reports ratings page warning: In order to publicize this effort, we posted a press release. In addition, we created a notice (image below) to place above our ratings pages to warn consumers about the security issues in these products.
Offered other helpful resources: Article highlighting best security cameras: Based on these ratings, we published an article that highlighted How to Use Ring’s Control Center for Better Privacy and Security, the Best Wireless Home Security Cameras of 2020, and CR’s Home Security Camera Ratings & Buying Guide.
In addition to these resources, in June 2020, we held a conference call presentation with the companies with the goal of informing them about what we heard back from companies and how we are giving greater weight to automatic security updates and requiring two-factor authentication.
We are still monitoring industry updates and upstream impact from this work.
How was this work informed by the Digital Standard?
This work incorporated several specific elements from the larger Digital Standard framework. Specifically, the comparative analysis used elements from the Security, Privacy and Governance sections of the Standard:
To see The Digital Standard in full, please visit: https://www.thedigitalstandard.org/