Amazon's Ring security camera has faced accusations of poor security in recent months. It has been scrutinized for police partnerships, account security, vulnerabilities, employee snooping and the sharing of extremely detailed location data. Now another report claims that the app customers use to manage the Ring camera is sending out all kinds of personal data.
According to the Electronic Frontier Foundation, the Android version of the Ring app, which is packed with third-party trackers, is sending out a huge amount of customers' personally identifiable information. This takes place without the consent or knowledge of the app user. But according to the experts, there is no way to reduce the damage that has already been done.
Ring camera vulnerability
The American multinational technology company Amazon and its Ring home security camera have been sued by an Alabama homeowner who said the camera's defective design leaves buyers vulnerable to hacking. According to the class-action lawsuit, John Baker Orange, a US citizen, said an unknown hacker recently accessed his Ring camera while his children, aged between seven and 10, were playing basketball on the driveway and, through its speakers, encouraged them to move closer to the camera.
John Yanchunis, a lawyer for Orange, said in an interview, "A company that sells a device that is supposed to protect occupants of a home shouldn't become a platform for potentially endangering those occupants."
Ring's main product is a doorbell that includes a security camera and lets homeowners monitor and communicate with visitors through a phone app even when they are not at home. Amazon said it bought Ring in April 2018 for $839 million in cash.
The vulnerability is getting worse
According to reports, customers' personal data appears to go to four main recipients: Branch, AppsFlyer, Mixpanel and Facebook. According to the experts, the data recipients combine the information with data they collect from other sources, such as information gathered in-house or traded with other third parties, to build a digital look-alike profile for any given user.
Facebook received information about the user's time zone, device model, language preferences and screen resolution, tied to a unique identifier. The surprising fact, according to the EFF, is that this information goes to Facebook regardless of whether the user has a Facebook account. In addition, it was revealed that the user identifier persists even when you reset your advertiser ID in your OS.
Another recipient, Branch, gets several unique identifiers relating to user identity and device fingerprint, along with other device data points such as IP address, phone model, screen resolution and DPI. According to the new report, the other two services get more detailed information.
AppsFlyer, a SaaS mobile marketing analytics and attribution platform, receives a unique identifier as well as information about your wireless carrier. It receives data about all of the sensors on a user's phone, including the magnetometer, gyroscope and accelerometer, along with the sensors' calibration settings. It also collects data on when Ring was installed and launched, which app the user installed Ring from, and whether the platform came pre-installed on the device, which is common in low-end Android phones.
Mixpanel, a business analytics service company, receives the most personal information of the four. It collects a user's name and email address, device Bluetooth information and app settings, including data on how many locations the user has Ring devices in.