Ring security cameras, the inexpensive security cameras that people can hook up in their houses or on their doors, were not fully secure for years, according to the Federal Trade Commission.
The video doorbell company allegedly "gave every employee ... full access to every customer video" before 2017 and failed to patch bugs in the system that allowed hackers to access cameras and scare consumers, the FTC's federal complaint says.
"Not only could every Ring employee and Ukraine-based third-party contractor access every customer's videos (all of which were stored unencrypted on Ring's network), but they could also readily download any customer's videos and then view, share, or disclose those videos at will," the civil complaint filed in U.S. District Court for the District of Columbia on Wednesday by the Justice Department on behalf of the FTC says. "Before July 2017, Ring did not impose any technical or procedural restrictions on employees' ability to download, save, or transfer customers' videos."
The FTC says that the "dangerously overbroad access" employees received led to at least one employee viewing "thousands" of video recordings "belonging to at least 81 unique female users (including customers and Ring employees) of Ring Stick Up Cams."
"The employee focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as 'Master Bedroom,' 'Master Bathroom,' or 'Spy Cam.' On hundreds of occasions during this three-month period, the employee perused female customers' and employees' videos, often for an hour or more each day. Undetected by Ring, the employee continued spying for month," the filing adds.
In August of 2017, a supervisor discovered what the employee was doing only "after the supervisor noticed that the male employee was only viewing videos of 'pretty girls,'" the complaint alleges. That employee was terminated, the filing says.
Another incident allegedly occurred in 2018, when a male employee allegedly accessed a fellow female employee's camera "and watched her stored video recordings without her permission," per the filing.
The FTC alleges that Ring didn't notify consumers of the broad access to cameras.
The company also "systematically failed" to control two types of cyber attacks and failed to patch system vulnerabilities" before January 2020, the FTC says. Because Ring allegedly did not take appropriate security measures, despite knowing about the problems, "the attacks continued to succeed," through December of 2019, when media reports were published detailing alarming behavior from attackers, the filing adds.
"During the course of these attacks, approximately 55,000 U.S. customers suffered serious account compromises," the complaint alleges. "For at least 910 U.S. accounts (affecting approximately 1,250 devices), the bad actor not only accessed the accounts, but took additional invasive actions, such as accessing a stored video, accessing a live stream video, or viewing a customer's profile. The bad actors disproportionately targeted indoor cameras. Even though indoor cameras are a relatively small subset of Ring's product offerings, approximately 500 of the 1,250 compromised devices in the U.S. (i.e., approximately 40% of the compromised devices in the U.S.) were Stick Up Cams or Indoor Cams, both of which Defendant markets for indoor use."
In at least 20 instances, bad actors accessed the Ring accounts device for more than one month, per the complaint.
"And, in many instances, the bad actors were not just passively viewing customers' sensitive video data," the complaint says. "Rather, the bad actors took advantage of the camera's two-way communication functionality to harass, threaten, and insult individuals -- including elderly individuals and children -- whose rooms were monitored by Ring cameras, and to set off alarms and change important device settings."
Some of the alleged harassment and slurs included hackers cursing at women in bed, children being the object of hackers' racist slurs and numerous death threats from hackers to Ring consumers, the FTC says.
Amazon, Ring's parent company, said the doorbell company "promptly addressed the issues at hand."
"Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry," an Amazon spokesperson told ABC News. "Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security."
Under the proposed FTC order, Ring will be prohibited from profiting from unlawfully accessing consumers videos and directed to pay $5.8 million in consumer refunds, according to court documents.
Ring, founded in 2013 as Doorbot, was sold to Amazon for $1 billion in 2018.