Amazon-owned Ring app ‘packed’ with 3rd-party tracking, sharing users’ data without consent
Security researchers from Bitdefender said the Amazon-owned doorbell was sending owners’ Wi-Fi passwords in cleartext as the doorbell joins the local network, thus, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network.
The US-based digital rights group the Electronic Frontier Foundation (EEF) has found that Amazon-owned Ring doorbell app is "packed" with third-party tracking, sending out plethora of customers' personally identifiable information.
An investigation of the Ring doorbell app for Android discovered that four main analytics and marketing companies - including Facebook and Google -- were receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.
"Not only does Ring mismanage consumer data, but it also intentionally hands over that data to trackers and data miners," the EEF said in a release late Tuesday.
"Ring claims to prioritize the security and privacy of its customers, yet time and again we've seen these claims not only fall short, but harm the customers and community members who engage with Ring's surveillance system," said the non-profit group.
In a statement to Gizmodo, the Amazon-owned home security and smart home company said it limited the amount of data it shared.
ALSO READ: Facebook blames Apple for Amazon CEO Jeff Bezos' phone hack
"Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimise the customer experience and evaluate the effectiveness of our marketing," the company said.
In November 2019, Amazon rolled out a security patch for its Ring Video Doorbell Pro after Bitdefender security researchers found that it was exposing Wi-Fi network credentials, thus, allowing nearby attackers to intercept them and compromise the household network.
Security researchers from Bitdefender said the Amazon-owned doorbell was sending owners' Wi-Fi passwords in cleartext as the doorbell joins the local network, thus, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network to launch larger attacks or conduct surveillance.
ALSO READ: India is likely to get more affected by hacking in APAC region
The EEF said that Ring has exhibited a pattern of behaviour that attempts to mitigate exposure to criticism and scrutiny while benefiting from the wide array of customer data available to them.
"Our testing, using Ring for Android version 3.21.1, revealed PII (personally identifiable information) delivery to branch.io, mixpanel.com, appsflyer.com and facebook.com. Ring also sends information to the Google-owned crash logging service Crashalytics. The exact extent of data sharing with this service is yet to be determined," said the group.
The group has in the past alerted about the mismanagement of user information which has led to data breaches.
"This goes a step beyond that, by simply delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship, it added.
Amazon bought Ring in 2018 that sells a range of home security cameras as well as doorbells.
In December last year, parents of an eight-year-old girl in the US were left stunned when a hacker accessed a Ring video camera installed in their daughter's room and taunted her.
In the video, the hacker can be heard taunting the eight-year-old several times as she is seen clueless as where the voice is coming from.
Follow HT Tech for the latest tech news and reviews , also keep up with us on Twitter, Facebook, Google News, and Instagram. For our latest videos, subscribe to our YouTube channel.