By Phoebe Clewley
The past several years have seen a drastic increase in the number of home security devices across the country. These devices, such as Amazon’s Ring camera and Google’s Nest, boast peace of mind and safety for users. However, the security of these devices has recently come into question after several breaches occurred, all involving hackers remotely gaining access to the devices. While the security device companies deny any liability, instead blaming the problem on poor user practices, they remain under fire for blurring ethical lines and approaching security with a relaxed attitude.
The home security devices work by connecting to your home Wi-Fi network and sending alerts to your mobile phone when motion is detected. The most popular location for these devices is above a front door – operating as a monitor for visitors and a barrier between your home and the outside world. However, both Ring and Nest offer devices meant for indoor security as well. Furthermore, the camera devices capture 24/7 live video footage, which is sent directly to your mobile phone. The video footage is also available to Police Departments upon request and in the event of an emergency. The footage is often used for aiding law enforcement in piecing together crimes or tracking down suspects. Furthermore, along with the ability to monitor the cameras on their smartphones, users have the capability to speak to people through the camera’s two-way audio feature. Home security device companies highlight this feature given its utility when homeowners are away from their house and need to give direction to the postman or to a dog walker.
Last month, a Mississippi couple installed a Ring home security device in their daughter’s room, hoping to provide an extra layer of safety to their home. Soon after the device was installed, the device’s speaker began playing music, and when the couple’s eight-year-old daughter checked on the music, a man started speaking to her through the device. The man repeatedly called the girl racial slurs and claimed he was Santa Claus. At least three similar cases of security hacks across the country were reported in the same month, prompting privacy concerns and increased scrutiny of the devices. After the incident was reported to Ring, a spokesperson for the company stated that the recent hacking episodes could be attributed to poor user login practices. However, the families involved criticized the company’s response to deflecting responsibility for the multiple incidents.
In response to multiple breaches, Ring issued statements describing the hacks as a result of external emails or passwords being exposed in a data breach unrelated to any compromise of Ring’s security. Ultimately denying any liability for these hacks, the home security device companies instead encourage customers to use a variation of passwords across all devices and to set up two-factor authentication whenever possible. However, victims of the hacking incidents have questioned the validity of the advice, stating that their security device passwords are over 20 characters long and only used on the home device. Furthermore, users of both Ring and Nest contend that the home security device companies have failed to set up basic cybersecurity protections against hackers, claiming that they were not aware that they could use two-factor authentication for the devices. While several of the home security device companies offer two-factor authentication – a process where users enter their password and then confirm their identity after a code is sent via text message to their smartphone – most don’t require this two-step process. The irony of the situation is that the device, which is designed to provide extra security to families and their homes, is itself less than secure. Users of these home security devices complain that, without explicit instruction to do so, they would have no way of knowing about two-factor authentication. Despite the denial of liability, if these companies wish to avoid lawsuits in the future, they will likely want to implement basic cybersecurity protections such as mandating two-factor authentication.
With the increase in home security device use across the country, the potential for device hacks and breaches is at an all-time high. To avoid further repercussions and backlash from these incidents, home security companies should take precautions to avoid hacks altogether. Beyond mandating two-factor authentication, home security companies could better monitor suspicious user activity such as multiple login attempts, or logins from unknown locations. In conclusion, companies should be aware of the risk with device use and should aim to prevent, instead of remedy, the breaches.
Student Bio: Phoebe Clewley is a current second-year law student at Suffolk University Law School, where she is a staffer on the Journal of High Technology Law. Prior to law school, Phoebe worked as a Legal and Compliance Associate at Foundation Medicine, a biotechnology firm in Cambridge, Massachusetts.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.