this post was submitted on 05 Oct 2023
333 points (98.5% liked)

Technology

59370 readers
5279 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Here is an article where you can read more: https://foundation.mozilla.org/en/blog/mozilla-publishes-ring-doorbell-vulnerability-following-amazons-apathy/

Quoted a portion:

(SAN FRANCISCO, CA | TUESDAY, JUNE 6, 2023) -- Today, Mozilla is publicizing a security vulnerability in Amazon’s Ring Wireless Video Doorbell. Mozilla shared the vulnerability with Amazon over 90 days ago, but Amazon has yet to address the issue. Now, per industry standards, Mozilla is sharing its findings publicly to alert Ring Doorbell users and to further pressure Amazon to take action.

Following a penetration test of the Ring Doorbell conducted in October-November 2022, Mozilla and collaborator Cure53 determined that the device is vulnerable to Wi-Fi deauthentication attacks. Bad actors can leverage these weaknesses to disconnect the device from the internet using easily-accessible tools.

As a result, those bad actors could take the doorbell offline and then have their activities go unrecorded — undermining the product’s core purpose. Even after the doorbell is reconnected to the internet, a user will receive no alert about the attack.

Mozilla’s disclosure comes just days after Ring’s $5.8 million settlement with the Federal Trade Commission (FTC) over other serious privacy and security issues. The FTC found that “Ring’s poor privacy and lax security let employees spy on customers through their cameras, including those in their bedrooms or bathrooms, and made customers' videos, including videos of kids, vulnerable to online attackers.”

top 30 comments
sorted by: hot top controversial new old
[–] possiblylinux127 64 points 1 year ago

The flaw: Amazon

[–] [email protected] 47 points 1 year ago (1 children)

Sign a petition? How about not use Amazon smart home products.

It’s like signing a petition to ask McDonald’s to use real ingredients in their food. Why bother, don’t eat it.

I have a hundred other real problems.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago)

I do both

There are a lot of things that don't affect me directly, but I might vote/sign a petition for it. Even if it doesn't actually work out in my favor, more people see it and learn about the issue.

If there's a petition going around or news about the number of people that signed, and someone was already on the fence, it might act as the straw that gets people to dump Amazon smart home products.


There's also the case where these devices are collecting data on you even if you don't own one. What if you go to a friend's place, or a friend is talking about something you're working on, or even if you walk by a house that has a smart doorbell?

Not saying everyone NEEDS to do this, because you need to have the time and mental energy to deal with it. Just saying that there's still value in doing so even if you don't use the products yourself.

[–] [email protected] 23 points 1 year ago (1 children)

it really sucks to have to walk past these cameras... no consent needed apparently but the privacy implications are huge

[–] [email protected] 29 points 1 year ago (1 children)

You're generally in a public place. At least in the US, you have no expectation of privacy in public. Anyone can record you without your consent

[–] [email protected] 20 points 1 year ago (1 children)

While that might be true, I think some of these expectations and understandings are based on a world that no longer exists.

In the past, you could only be seen by the few people around you. Even when recorded, there was a limited number of people that could see the video. Now some influencer can run up to you and share your reaction with a few hundred million people. On the side of data collection, companies have so much more aggregate data that they can use and abuse. With newer algorithms to analyze that data, they can keep pumping more and more data into it to figure out intimate details about who you are and how you feel about things.

So yea that might be how our laws and social norms are set up now, but we don't have to stick to it if it doesn't make sense anymore.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

How long in the past are you talking? Ring cameras are basically just cheap CCTV cameras which have been around for an incredibly long time. You’re complaining you can’t walk in front of people’s houses without being recorded I guess, but how long have you been complaining about not being able to walk past your gas station or Walmart?

It’s a larger scale, but honestly private property deserves the protection more.

Amazon sucks though, ubiquiti is where it’s at.

ETA: I know you’re not the person who originally posted this complaint, but since you’re defending their point then I assume you also agree with it.

[–] [email protected] 15 points 1 year ago

Ring doorbells are the flaw.

[–] [email protected] 9 points 1 year ago (1 children)

But they were purposely made this way precisely to spy on users and create a system of mass espionage in addition to profits.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)

The last 10 years:

Quick, race to install cameras, voice recorders and locks connected to the Internet made by companies who have demonstrated no higher purpose than to sell your data and certainly couldn't give two fucks what is stolen.

/Surprised Pikachu

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

Almost like we forget Alexa, Google,Microsoft and any other company are not your friends and if its free it's because you're the product they're selling.

[–] [email protected] 8 points 1 year ago (1 children)

Is there a fix for de-auth nowadays?

I haven't looked at it for years, but didn't it use to be that devices would listen for a de-auth from any source, meaning that a bad actor could poison any wlan in range?

From my understanding, that's how hotels did it to encourage paying for wifi: If Joe starts a hotspot called JoePhone, their systems would automatically start spamming de-auth for JoePhone.

Unless it got fixed in a 2.4/5GHz revision?

[–] [email protected] 8 points 1 year ago (1 children)

deauth attacks are still a thing, however this is changing with wpa3.

If your router has a setting called "Protected Management Frames" you should enable it ASAP, it's basically encrypted and signed communication for every packet of data, so that your computer basically refuses to trust any deauth signal that doesn't actually originate from the router (massively simplifying here).

[–] [email protected] 2 points 1 year ago

Just double checked mine. Abbreviated as PMF, and it's a toggle to turn OFF. Also have been using wpa3 for a while now.

[–] [email protected] 4 points 1 year ago (1 children)

since Amazon owns blink also, does it have the same security flaws?

[–] [email protected] 2 points 1 year ago (2 children)

Ring and Blink are designed differently and run different hardware. However, I would guess that some Blink devices have the same issue. I might be wrong but I think all 2.4 GHz Wi-Fi is vulnerable to deauth

[–] [email protected] 3 points 1 year ago

5ghz is also susceptible to deauth.

[–] [email protected] 1 points 1 year ago

it's not about the frequency, it's about the protocol. both 2.4 GHz and 5GHz are vulnerable with WPA2 (or worse WEP). WPA3 is not vulnerable

[–] [email protected] -1 points 1 year ago (2 children)

Yeah but what's the exploit

[–] [email protected] 5 points 1 year ago

My take:

Take the thing out of the wifi its connected to, it doesn't record anything during that time, and when it's reconnected it doesn't notify of an outage.

[–] [email protected] 0 points 1 year ago