Smart doorbell cameras - hackable or privacy compromised?

pwmeek Member, Beta Tester Posts: 96 ✭✭✭
With the news that Ring cameras can be polled by police for video of a specific time/area (not continuous feed), it makes me wonder what other doorbell cameras are like in respect to privacy, both of the owner, and of passers-by (who may or may not be criminals or have criminal intent). Are we setting up a "Big Brother is watching you" situation? What about hacking? Can non-police "request" video feeds from the many brands of door cameras?
I'd like discussion and links to informative sites if possible.
--Pete
Bon Vivant and Raconteur

Comments

  • Hronos Member, Beta Tester Posts: 283 ✭✭✭✭
    I am not over USA land, so the problem is kind of different, but the concern is there; in my case, I think, the capability of being hacked.
    If over a cloud service, someone (government, police, courts, etc.) demands access, they could access it, whether we liked it or not. But the hacking one is more to think about; that means complete access at any time. As we know, there is nothing 100% secure, so we need to be very judicious (wanna sound smart xD) with our choices in regard to security.
    Keep looking up!
  • pwmeek Member, Beta Tester Posts: 96 ✭✭✭
    For example:  https://www.eff.org/ring
    --Pete
    Bon Vivant and Raconteur
  • VioletChepil London, UK Member Posts: 2,474 admin

    Community Manager at Fing

  • Crowgrandfather Member, Beta Tester Posts: 39 ✭✭✭

    I want to hit on one thing that seems to get missed frequently in regards to this. Police need a warrant.


    They can't access the camera feeds at any time they please and Ring doesn't store FMV, only clips.


    But this isn't exclusive to Ring. Police with a court order could subpoena video from any manufacturer.


    As far as hacking goes, there have been no actual cases where the Ring or Nest devices have been compromised themselves. Every case of people hacking into a home and taking control of a camera involved weak or reused passwords and no 2FA.

  • pwmeek Member, Beta Tester Posts: 96 ✭✭✭
    Police might need a warrant to force disclosure of video from Ring (or any) cameras, but Ring in partnership with 400+ (maybe over 500 in some recent reports) departments in the US, offers police the facility to ask for video clips from a certain area (up to a half mile square) and for a certain time range, via email. Users (which Amazon disingenuously calls "Neighbors") can opt out or refuse the requests, but are made to feel churlish and anti-safety if they do refuse. Amazon also says it can keep clips that users think they have deleted in order to comply with such warrants.

    Police can easily see who has a Ring camera (by its glowing ring) and come directly to the door and ask personally. (Who wants to go on record as refusing such a direct request?) Ring also offers users the opportunity to send clips directly to the police flagging the subject as "suspicious". "Neighbors" can also share clips with other users via Ring's public social network. (What stops a police department from buying a Ring and joining the network with a sock-puppet?) Once the police have a clip, they can keep it indefinitely, without any warrant, and subject it to any facial recognition software they may have.

    https://www.washingtonpost.com/technology/2019/08/28/doorbell-camera-firm-ring-has-partnered-with-police-forces-extending-surveillance-reach/

    To paraphrase Ben Franklin: "If people are willing to give up some privacy in exchange for some perceived safety, soon they will have neither." 
     
    --Pete
    Bon Vivant and Raconteur
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    edited November 25
    I am an avid proponent of cyber security and internet privacy. I am a member of the EFF, and 9/10 times I agree with the agenda. However, on the flip side of the topic, if you have the ability to aid in the investigation of a criminal (especially one in your own neighborhood), why would you opt out? Since when are your local police officers the enemy?
    41 4c 4c 20 59 4f 55 52 20 42 41 53 45 20 41 52 45 20 42 45 4c 4f 4e 47 20 54 4f 20 55 53
  • Mirekmal Member, Beta Tester Posts: 55 ✭✭✭
    To me, there are a few aspects of the smart home (so not limited to smart doorbell cameras) I'd like to look at:
    - Security of the entire system; from this perspective I'm a big fan of avoiding cloud-based solutions wherever possible. As we are not designers of these devices, we do not really know what information is collected by smart devices, eventually transferred out and how it might be used by owners of the service. Recent cases of Facebook app 'accidentally' switching on phone camera when in use and sending data to FB is one of such cases. If not discovered and highlighted in media, who knows for how long and for what purpose they were collecting such information. Please note that it is rather impossible that faulty code activated the camera. There have to be some lines of code placed there specifically to do so, so it is not a coding mistake. If we use a cloud-based solution, we agree to not having control over the data. We do have in place all sorts of privacy agreements and I'm not saying that all companies are doing this, but if you want to be safe, take care of it.
    - What information might eventually be sent out. Simple example of Netatmo Weather Station - it collects and sends out to the cloud data like temperature, humidity, pressure, noise level. Is it affecting my privacy? Most likely not. Is it affecting my security - this is another question! By analyzing such data one might find if I'm at home! If temperature in the house is dropping, CO2 ppm is dropping, there is no noise, it might mean that I left home for an extended period of time and it is running in away mode.
    vulcansheart mentioned) you can get the same level of support from a fully local system (like Synology Surveillance Station), while retaining control over data. For the same reason if I'd need to install a smart doorbell, I'd go for some fully locally managed solution... obviously that would probably limit the functionality of such a device (remote door opening?), but staying safe is the priority.
    - Finally, having a fully locally managed solution does not make us safe either... There are different SW/HW components of every smart device, that we do not know where these are coming from and what might be hidden inside, not by the OEM, but by component providers. Not everything is open source, so can be investigated! Remember the case of Supermicro being suspected to have some Chinese chips being placed on their motherboard and suspected to send some information back to China? It ended up being just a rumor, but it is a possible scenario.
    So it is good to have Fingbox and some tool that helps us to keep track of what is going on on our network :-).
  • pwmeek Member, Beta Tester Posts: 96 ✭✭✭
    edited November 26
    <snip> Since when are your local police officers the enemy?
    When they adopt technologies that spy and collect data on non-criminal citizens "just because they can". I (and many others) are adamant on this point.
    --Pete
    Bon Vivant and Raconteur
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    edited November 26
    pwmeek said:
    <snip> Since when are your local police officers the enemy?
    When they adopt technologies that spy and collect data on non-criminal citizens "just because they can". I (and many others) are adamant on this point.
    You are correct that many agencies overstep their authority. There must be checks and balances and transparency. For instance, if an agency accesses your camera for live or historical footage, it needs to reference a case number and be logged and accessible from the owner's account.

    Working for a public safety agency, I promise your local law enforcement does not collect data "just because they can". Often times they don't even have the funding nor the human resources to be utilizing these extra data sources.
    41 4c 4c 20 59 4f 55 52 20 42 41 53 45 20 41 52 45 20 42 45 4c 4f 4e 47 20 54 4f 20 55 53
  • pwmeek Member, Beta Tester Posts: 96 ✭✭✭
    vulcansheart said:
    <snip> 
    Working for a public safety agency, I promise your local law enforcement does not collect data "just because they can". Often times they don't even have the funding nor the human resources to be utilizing these extra data sources.
    Setting up arrays of automated licence plate readers collecting the number of every car that passes? Surely one or two of those cars must have been owned by blameless citizens.
    --Pete
    Bon Vivant and Raconteur
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    edited November 26
    pwmeek said:
    vulcansheart said:
    <snip> 
    Working for a public safety agency, I promise your local law enforcement does not collect data "just because they can". Often times they don't even have the funding nor the human resources to be utilizing these extra data sources.
    Setting up arrays of automated licence plate readers collecting the number of every car that passes? Surely one or two of those cars must have been owned by blameless citizens.
    Again, the need for transparency is essential because it is often lacking. LPR's help track hundreds of stolen cars and criminals (like violent sex offender type criminals) every day. When the "blameless citizen" passes the LPR, the query returns negative results. The record typically expires after 30 days. Of course, not all agencies follow ethical data storage practices, and I agree that it needs to be changed.
    These tools help law enforcement do what they are hired to do. When a citizen reports their car stolen, do you want the police to throw it in a pile with all the others, or do you want them to recover the car?
    41 4c 4c 20 59 4f 55 52 20 42 41 53 45 20 41 52 45 20 42 45 4c 4f 4e 47 20 54 4f 20 55 53
  • pwmeek Member, Beta Tester Posts: 96 ✭✭✭
    To get back a little closer to the original topic, what happens to the video clips that get collected by the police or are forwarded to them by citizens (either actually concerned or trying to make life difficult for someone)? Is there some way of assuring that they are destroyed (including being sure that all caches, buffers, and backups have been cleared)?

    It's been my experience that government agencies never give up data voluntarily, and even contrive to get around legal efforts to force them to expunge such data.
    --Pete
    Bon Vivant and Raconteur
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    edited November 27
    Speaking from personal experience in my field, we do purge data following a strict retention policy required by our state law to avoid the liability of having it available. Government is subject to FOIA, and no one wants to get called to court to testify on something that happened 10 years ago.
    I guess to better respond to your question, we don't have "proof" that your data is really gone other than one of our IT professionals verifying that they are unable to retrieve the deleted data. We don't make an attempt to recover files just to ensure they are destroyed completely. We just overwrite the blocks with new data.
    The only time data is thoroughly cleaned is when an appliance is EOL and being trashed or auctioned. Often times, the storage is removed and destroyed by physical means.
    Edit*
    I think we are highlighting the difference between local government and bigger federal government. The latter likely retains data for as long as possible...
    41 4c 4c 20 59 4f 55 52 20 42 41 53 45 20 41 52 45 20 42 45 4c 4f 4e 47 20 54 4f 20 55 53
  • Nye Member, Beta Tester Posts: 3
    Bias: I've been a victim of porch theft multiple times, and put cameras up after it happened the first time. I feel safer with them, and as such, my views are biased toward the use of cameras such as those discussed in this thread.
    I'm very much agreed with @vulcansheart on this one. I'm a huge proponent of online security/privacy, and I've been a network engineer for a major national datacenter company where security was one of our top concerns.
    At home, I am constantly on VPN, have most of the web-trackers disabled, and love what EFF stands for and promotes. THAT SAID, I've been a victim of porch package theft and bike theft (u-lock was used properly and the bike still got stolen). I am willing to help the local police catch these people SO LONG as the program is opt-in. The agencies in question either need a warrant to obtain video OR have voluntary permission to do so. I don't see a problem with that.
    On "giving up" privacy: What privacy is that, exactly? Nearly every business/store I walk in to has cameras, intersections here are getting more cameras, there are cameras everywhere now. Once you step foot outside your house and into the "public setting" all reasonable right to privacy vanishes. What goes on in the private setting is where my privacy concerns start. Since these doorbells don't show that, I'm good with them.
    In my neighborhood, I've seen instances where porch pirates have been caught as a result of people posting doorbell or porch camera video to the "Neighbors" app and contacting the police with those videos. The police have a MUCH stronger case against thieves if they have video evidence of it happening, especially if several different neighbors have video of them performing thefts. 

  • CG3CYBER Member, Beta Tester Posts: 1

    I have multiple IP cameras including a doorbell camera; they are all wired in to my switch in my home network on an encrypted VLAN.

    I do not use a public cloud based service. Instead I configured my own cloud server so I don't have to depend on anyone else's cloud servers.

    The chances of my cameras being hacked/monitored from an unwanted snooper is very unlikely compared to using a well known service with public servers. Those are pretty easy to hack. =]

    1010101010CG3CYBER1010101010

  • Mirekmal Member, Beta Tester Posts: 55 ✭✭✭
    Working for a public safety agency, I promise your local law enforcement does not collect data "just because they can". Often times they don't even have the funding nor the human resources to be utilizing these extra data sources.
    I do not question that cloud services providers and government agencies are mishandling data they receive. But since we are talking about potential crime, there is always a chance that someone, just a single individual, working for these companies will mishandle this data. Knowing that you are not at home might lead to situations as highlighted by Nye. So even knowing that my data is handled properly for 99.9999% of the time, I'd not willingly risk this 0.00001%.
  • Mirekmal Member, Beta Tester Posts: 55 ✭✭✭
    Working for a public safety agency, I promise your local law enforcement does not collect data "just because they can". Often times they don't even have the funding nor the human resources to be utilizing these extra data sources.
    I do not question that cloud services providers and government agencies are mishandling data they receive. But since we are talking about potential crime, there is always a chance that someone, just a single individual, working for these companies will mishandle our data. Knowing that you are not at home might lead to situations as highlighted by Nye. So even knowing that my data is handled properly for 99.9999% of the time, I'd not willingly risk this 0.0001%, unless I have no other choice.
  • SimoneSpinozzi Member, Beta Tester Posts: 77 ✭✭✭
    Honestly any cabled doorbell with a camera does its job and needs not record anything.
    You *can* hack those but they are not worth the effort.
    Anything more than that is usually just asking for trouble.
    There is this idea that a "connected house" is a "better house"... how and why?
    What even is the point of answering a doorbell if you are not at home?!
    To give would-be thieves the precise time in which they can go and steal what your postman has left at your doorstep? (best case scenario with total encryption)
  • Alderete Member, Beta Tester Posts: 13 ✭✭
    edited December 3
    vulcansheart said:
    Working for a public safety agency, I promise your local law enforcement does not collect data "just because they can". Often times they don't even have the funding nor the human resources to be utilizing these extra data sources.
    Hmmm...
    https://duckduckgo.com/?q=police+officer+stalks+ex
    The search results go on for days, and that's just one search. You don't have to work very hard to find real examples of individual police officers abusing their access to official resources. Some of those "official resources" are going to be cameras. Yes, they are "bad eggs". Yes, they sometimes get caught. (Hence the results.) No, that's not normal for police behavior. Yes, I mostly trust the police. 
    But just because something is against the rules, against the law, doesn't mean it doesn't happen. Otherwise no one would bother with security cameras in the first place.
    So, no, I'm not inclined to give anyone blanket access to my security camera footage. Come to my door, ask nicely, explain the purpose: sure, I can help. But if all you need to do is put a potentially bogus case number into an Amazon page and you can look at all of the Ring footage captured in a 1 mile radius of a "suspected crime", without real oversight or accountability? No thank you.
    And, going back to the “collect data "just because they can"” part. Maybe local government agencies don't. Let's agree that it's true! What about Amazon, or Google (Nest), or the Chinese vendor behind some security system you got for a cheap price at Costco or Walmart? You think they're not collecting every single detail about you they can, so they can "aggregate and anonymize" it and then sell it for real money? Of course they are. That's the entire business of Google and Facebook and any other business that isn't charging you money.
    "If you're not the customer, you're the product." I would prefer to not be a product, thank you very much.
  • Alderete Member, Beta Tester Posts: 13 ✭✭
    edited December 3
    My earlier comment was focused on Ring, and on police access to Ring footage. But it's worthwhile to expand the discussion beyond Ring to cameras in general. I believe that security cameras are a very useful tool for preventing crimes (deterrence), and for catching criminals (forensics). But like any tool, they need to be used properly. There are at least two issues that are worth thinking about for any camera system:
    • Access to the system that is intentional, but is also abusable. (This is Ring, but also many others.) This is something where, with thoughtful discussion, it's possible to arrive at a systems design that works. "Access with accountability" would be my catchphrase. Devil's in the details, but I believe it's possible.
    • Access to the system that's not intentional (hacking), or that is intentionally abusive (spying). 
    This is a lot harder to design out of any system. First, software is hard. Like, really hard. There's a reason all those software engineers in Silicon Valley make such good money. Even with the best of intentions, software defects (bugs) are inevitable, and some of them will let hackers spy on you in your own home.
    But second, and more important, there's often zero consequence for a company that ships an insecure product that can be hacked, even if the hacking is exposed widely. Quick, name a single company that shipped insecure cameras and was penalized. This is called "externalized costs". The company that sold you the camera doesn't pay for the consequences of their insecure product. YOU do. They externalize the consequences onto other folks, and don't pay anything for their mistakes. So why spend money (expensive software engineers) on security when you can spend less, make more, and that's the only difference?
    That's not theoretical. If you want to terrify yourself, spend an hour reading through Bruce Schneier's blog, which collects literally hundreds of examples. Here's just the articles on cameras:
    https://www.google.com/search?q=camera+site:www.schneier.com/blog
    That's a long list, so here's a couple specifics:
    That last one is especially instructive. Anyone know if Samsung is still in business? Profitable? Still selling TVs that collect data about you? (Yes, yes, and yes.)
    Doesn't mean you shouldn't put up cameras around your property if you're concerned about trespassers or burglars. I do! But it's worth thinking about whether that cheap camera system at Walmart is as good a deal as the price would make you think. I spend more money on better equipment from more reputable vendors, and then I add on my own network security expertise (such as it is) to try to limit the consequences of choosing poorly.
    Those are things I'm blessed to be able to do, and not everyone is so fortunate. But, still. Look before you leap.
    Another way to think about it: Imagine that everything you do that's recorded by your own cameras will be put on TV for your friends and family to see, or shown to a jury. Everything. We probably all think of ourselves as good people, but remember the famous quotation from Cardinal Richelieu:
    "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."
    I might not hang, but if a picture is worth a thousand words, how many "lines" is a few hundred hours of video worth? I'm certain I'd be embarrassed, or lose a friend, or something. That's the point Richelieu was making: We all would.
  • pwmeek Member, Beta Tester Posts: 96 ✭✭✭
    BTW folks, this is exactly the kind of discussion I was asking for: lots of viewpoints and no flaming. Thank you all.
    --Pete
    Bon Vivant and Raconteur
  • Alderete Member, Beta Tester Posts: 13 ✭✭
    I hate to continue to pile onto Ring (because I'm becoming boring), but the first article in a three part series about Ring was published just today:
    Amazon's Ring started from humble roots as a smart doorbell company called "DoorBot." Now it's surveilling the suburbs and partnering with police.
    I expect the rest of the series will be equally interesting.
  • Boombies Member, Beta Tester Posts: 3
    I am going to agree with @vulcansheart and @Nye on this one. I myself am a proponent of both privacy and internet security. I have no problem with this as long as the program is transparent.  It's a door bell camera... not a bedroom camera. Anything in front of my house is already viewable by the public. Personally, my security cameras are wholly within my network and I assume the risk of maintaining the data. I may choose to share camera feeds if there were a neighborhood watch system in place. Who knows? The key here is 'who owns the data' and does the owner have a choice? Keep in mind the people purchasing these devices are the same people hosting Alexa and Google as permanent guests who are listening to every conversation. Also, while I maintain my statement above, I respect @Alderete 's comments on the topic. Read the fine print and know what you are getting.