Monday, December 23, 2019

Safe People or Safe Systems? The Ring Security Breach


On Wednesday, December 4, eight-year-old Alyssa LeMay heard the sound of Tiny Tim singing "Tiptoe Through the Tulips" coming from her bedroom upstairs in her home in Mississippi.  As she walked into the room, the music stopped and she heard a voice say, "Hello there."  As she looked around the room to see where the voice was coming from, it called her a racial slur which was neither acceptable nor accurate, claimed that it was the voice of Santa Claus, and told her to start misbehaving by, for example, breaking her TV.

Having more sense than to listen to such temptations, she went downstairs and told her father, "Someone's being weird upstairs."  He discovered that a Ring security camera that the family had bought during a Black Friday after-Thanksgiving sale had been taken over by someone who obviously wasn't supposed to be able to do that. 

The LeMays eventually contacted the Washington Post, whose story on the episode was republished widely.  When the LeMays called Ring to complain, they were told basically that the breach was their fault.  Ring determined that the bad actor had obtained the LeMay's username and password from another site and used them to hack into Alyssa's bedroom.  Ring castigated the LeMays for not using the two-step authorization method that Ring recommends.  In a statement published on Ring's website, the company said "we have investigated this incident and have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network."

Let's step back a moment and parse that statement.  What Ring means by unauthorized, and what the LeMays mean by unauthorized, appear to be two different things.  Only an authority, an entity or person capable of authorizing someone, can really authorize an intrusion or compromise.  For that matter, saying "unauthorized intrusion" is like saying "impermissible burglary."  I'm not aware of any kind of burglary that is permissible, or an intrusion that is authorized.  But the point is that the LeMays were by any reasonable standard, the only people who are logically empowered to authorize access to the camera, microphone, and speaker in their daughter Alyssa's bedroom.  They did not authorize the criminal who gained access to the Ring device, and therefore, by this reasonable, common-sense definition of "authorized," there was unauthorized access.

Now look at it from Ring's point of view, which by implication is Amazon's point of view, as Amazon owns Ring.  Think like a software lawyer for a minute.  When we sell a product to a consumer, we have to make sure that the consumer has enough information to avoid problems with the product.  We as lawyers observe the legal fiction that every one of our customers always reads all the fine print and boilerplate that comes with all our products, including the stuff about installing two-step verification for passwords, using strong passwords, and so on.  If we actually made the product so that it wouldn't work unless the user really took all these complicated measures, very few people except computer nerds and lawyers would buy it, so we make it so it will work even if you leave your username as "1234" and your password as "password."  But if the user is so negligent, stupid, (fill in your favorite lawyerly pejorative adjective here) as to not take the recommended precautions, well, too bad.  We've done our lawyerly job, and if anything goes wrong it's on the consumer's head.  To us, "unauthorized" means that somebody hacked into our system and was able to access a device that even the most computer-savvy consumer installed with all the security bells and whistles.  And that didn't happen here, so we are blameless.  Legally speaking.

There is a progression in the safety and security of innovative technologies that often follows a well-known pattern.  At first, a new technology requires the users to learn lots of detailed precautions that must be followed to avoid injury or other types of harm.  But as the technology becomes more widespread and lesser-trained people use it, the harms that can come from uneducated users sometimes happen more often, so often that the very existence and continued use of the technology is threatened.  Only then will the technology's designers step back and ask themselves, "How can we make this really foolproof, so that someone who knows next to nothing about it can nevertheless use it safely?"  At that point, engineers begin to design safety into the technology itself.  It may cost a little more, but the improvement in safety when used by untrained personnel is usually worth it.

This pattern happened with railroading, it happened with automobiles, and in some ways it's happened with computer and information technology.  But not nearly enough, as Alyssa's story shows.  In consumer electronics, where ease of use and cheapness are two paramount requirements, security often becomes an afterthought.  A non-technically-trained user who simply wants to be able to check on his or her daughter with a camera should not be expected to do anything that isn't strictly necessary to set up the system.  The two-step verification security precaution obviously wasn't necessary for the camera to work, so the LeMays didn't do it.  And by reusing passwords—an unfortunate but understandable practice in these days of seventeen gazillion passwords that all our devices and services demand of us—they created a situation in which some hacker stole their credentials and used them to access the Ring device in Alyssa's room.

Ring wants their consumers to be safe people—people who don't reuse passwords and who read enough of the fine print in the online instructions to go the extra mile and install extra, though non-necessary, security precautions.  But people, by and large, want safe systems—systems that simply will not work unless they are set up with sufficient security to begin with.  And history shows that the systems and technologies that survive beyond a highly trained niche market are usually safe systems—systems that anybody off the street can get running with a minimum of effort without running the risk of endangering himself, herself, or one's family members. 

Sources:  The Austin American-Statesman carried the Washington Post's article "Camera in child's room hacked, 8-year-old harassed" on pp. E3-E4 of their Dec. 15, 2019 edition.  The statement from Ring concerning this incident can be found at https://blog.ring.com/2019/12/12/rings-services-have-not-been-compromised-heres-what-you-need-to-know/.

No comments:

Post a Comment