Dozens of customers of a popular smart doorbell are suing the Amazon-owned manufacturer after their devices were hijacked, according to a new class action lawsuit.
The new legal case joins together complaints filed by over 30 users in 15 families who say that their devices were hacked and used to harass them.
They allege that the company has failed to update its security measures in the aftermath of these incidents and that it “blamed the victims, and offered inadequate responses and spurious explanations,” according to The Guardian.
A notable case last year involved a Ring camera which was installed in an eight-year-old girl’s room by her parents. It was subsequently hijacked by a man claiming to be Santa Claus who played unsettling music through its speaker, taunted the child and asked her if they could be friends.
Other incidents cited in the case involved users being threatened with sexual assault, murder, racial slurs and blackmail, according to the report.
Although Ring’s position has been to blame users for not setting up strong enough passwords on their devices, thereby allowing attackers to brute-force or guess them, the suit alleges that the company itself should have required strong passwords and two-factor authentication (2FA) out of the box.
It also claims that Ring may be to blame for a 2019 incident in which compromised usernames, camera names and passwords for over 3600 users were found online.
The firm has denied that it was breached, claiming the list could have been compiled from compromises elsewhere. However, the addition of Ring camera names to the trove would seem to rule out standard credential stuffing.
Another key contention of the lawsuit is that Ring “has not sufficiently improved its security practices or responded adequately to the ongoing threats its products pose to its customers.”
The smart device market is increasingly in need of regulation to mandate baseline security for users. The UK is taking a lead on this, by forcing all consumer devices to require unique passwords which are not resettable to factory defaults, alongside other measures.
However, there’s no mention of how strong these passwords need to be, and 2FA seems to have been left out of the law.
The US lawsuit apparently covers the tens of thousands of customers who bought a Ring doorbell between 2015 and 2019, even if they were not hacked. Lead attorney on the case, Hassan Zavareei, has claimed that there may be many more users affected who don’t yet know they were hacked.