Ring “security” Drone

Discussion in 'Technical Corner' started by denverpilot, Sep 30, 2020.

  1. denverpilot

    denverpilot Tied Down PoA Supporter
    Joined: Nov 8, 2009
    Messages: 54,037
    Location: Denver, CO
    Display name: DenverPilot
    Wyze released facial recognition on their stuff in the last week or two, on a $20 camera. It’s all done on their servers. Not a word from them whether they have any privacy policy at all, or a dead man switch to notify customers if a government entity forces exfiltration of video. (In other words, they’ll probably sell it, like Ring.)

    Way more fun :

    City of San Diego recently learned when the City Council wanted to turn off all the cameras on their fancy integrated GE traffic lights — citizens decided they don’t like them and amazingly the politicians agreed — GE didn’t provide a way to do that. Cameras are always powered and always sending.

    Can turn off the receiving server and/or block them on the network, but turning the cameras all the way off? Not a feature. GE didn’t even provide it.

    GE division that made them essentially went bankrupt (GE selling assets to stave it off anyway...) and sold off to another company.

    New company says they’ll happily write “custom code” to kill the cameras, if San Diego coughs up the right dollar amounts. LOL.
     
  2. Lindberg

    Lindberg En-Route
    Joined: Sep 25, 2013
    Messages: 3,360
    Location: North Texas
    Display name: Lindberg
    :rolleyes::rolleyes::rolleyes:
    Wyze has a privacy policy right here: https://wyze.com/privacy-statement
    And you've still provided no source for your other claims.
     
  3. denverpilot

    Correct. I still don’t do your security homework for you.
     
  4. Lindberg

  5. denverpilot

    Still missing the dead man. All it takes is a subpoena and suppression and that document is worthless.

    By the way... if you want a fun read — go see how the San Diego thing got started.

    Hmm. LE used the cameras intended for traffic control in over 400 court cases before someone said, “Hey SD. Can we have some public information on that system?”

    Then oh look... wasn’t intended or funded as an LE tool.
     
  6. Lindberg

  7. Lindberg

    Yeah, because it's illegal to delete data that's subject to a subpoena. Is your point now solely that cloud providers comply with legitimate law-enforcement requests? Because duh. But that's not what you were previously claiming.
     
  8. denverpilot

    No. The collection server was switched off. The cameras are still quite active. The only way to kill them would require physically cutting their power leads up on the poles.

    Whether that can be exploited by bright minds from the multiple holes in the data network (including RF) remains to be seen. The system doesn’t have a switch for demultiplexing the streams.

    Zero funding to properly decommission. Like I said, could be done at the source instead of the receiver by custom code.

    “Off”, “Not transmitting but on”, and “ignoring what they send” are significantly different things in the security engineering world.

    “Encrypted by the source device with third party audited recipient key access and all key access driven by audited RBAC as well as all access logged and available to the public” Is the only correct security and access control available today for video data.

    Not your data, you don’t have the encryption key. Access to the key and each use of the key is provided by role and logged by someone else uninvolved with the system. Best if it’s stored in servers under physical access controls that are also third-party monitored and audited, also. Collected and disseminated for only written published voted upon purposes with a full source device to viewer audit trail.
     
  9. denverpilot

    They actively pitch access to the data as a revenue stream. The “free storage” business model doesn’t pay for itself.

    Blink recently dropped their free one year storage to 60 days. The bean counters are catching on.

    Same problem even with non-private video that YouTube has always had: they’ve yet to turn a profit. Netflix (besides their content licensing problems) also recently upped their prices. In other words, video storage is expensive. And they don’t need special handling for their stuff or the aforementioned encryption from source camera to owner.

    Handling privately owned video properly is orders of magnitude more expensive. Follow the money as the investor loans dry up. If you own your own camera’s footage, you’d better be the only one with the de-encryption key. Otherwise, you don’t really own it.

    “Oh look. A lawyer promised me they won’t do anything else with it!” LOL. Right. I think I’ll take that key and an audit trail instead, thanks. Can’t provide that? I’ll store it myself. Clearly if it costs me X and you’re offering a price less than a tenth of that, someone’s lying or going out of business eventually anyway.

    “We have a new privacy policy. Click accept to continue to use the service. Our loans got called.” Takes a few years.

    See: GSuite for Business vs Google Workplaces. Mandatory switch coming up, Mar 2021. Or eBay. Or PayPal. The list of bait and switch tech never slows or sleeps. Camera tech is just further left on the timeline right now.

    Ask em. See if they’ll offer that end to end encryption feature. It already got Zoom’s ass in a sling this year when they claimed they did it. And didn’t. Not like it’s a new concept.

    If any camera is attached to any network and it can’t encrypt end to end, you don’t want it, unless you control the network and every device the data lands on. We “learned” this back in the late 90s in videoconferencing. Was even a standard customer request.

    An outdoor camera owned by the citizenry or one sitting inside a home owned privately, is no different. Probably needs it worse, really.

    Old concept, easy to do right. Not free. Definitely not $20 in hardware and free storage. You will absolutely get what you pay for.
     
  10. smv

    smv Pattern Altitude
    Joined: Dec 30, 2019
    Messages: 1,663
    Display name: smv
    Was not that long ago it was pretty easy to find webcams open to the WWW. Last time I checked, everything from office cams to home security systems to private laptops were freely (and unknown to their owners) available for anyone with a reasonable amount of Google-Fu.
     
  11. denverpilot

    Quite a few devices exposed, yeah. Lots still exposed.

    NAT is somewhat saving the world from crap engineering work in the vast majority of “IoT” consumer devices.

    IoT is a total dumpster fire. Most are hacked in minutes. Even the older home routers are all joining the botnets these days. Big names made em too, and abandoned patching their bad code.

    Oh well. Better send all camera footage everywhere to Bezos. That’ll turn out well, I’m sure. LOL. Mildly better than Google? Ha.

    Deciding which cloud vendor to store your camera data in, without end to end encryption, still or video, is like asking if you like your steamy turds they sell plain, or rolled in glitter. :)
     
  12. smv

    I have a cloud-based camera/security system with two interior cameras and 10 exterior cameras. The interior cameras are not even connected to power until we are on our way out the door. Really do not understand folks with indoor security cameras running 24/7. That is just creepy and a bit naive, in my opinion.
     
  13. denverpilot

    Very.

    We have a couple inside cameras for “reasons” (mostly they end up being used to check on pets but that wasn’t the design reason for them).

    Like yours, they aren’t even active except in very specific circumstances and they’re never in private areas inside the house.

    But then again, I’ve never understood, all the way back to the 80s, why folks used unencrypted baby monitors and cordless phones, either. The always-on baby monitor transmitters with ultra-hot mics were just dumb. One could hear everything in the house.

    Technically we were still a number of years away from Phil Zimmerman ****ing off our government though, so true high encryption wasn’t readily available. But there were audio scrambling and frequency hopping schemes that would at least thwart a casual listener with a standard communications receiver.

    Was some interesting listening though. LOL.

    Can easily forgive the old baby monitor folks over the modern fools not using encryption, though. It’s not like encrypting even an “HD quality” stream at the device before shipping it anywhere is a significant cost difference anymore.

    Shouldn’t even be possible to view it at the offsite storage location. They have no business need for that. (And that also means it becomes unreadable anywhere in between without any additional effort.)

    Encrypted stream straight to the remote disk, and only the sender can de-encrypt it if they ask for a copy back. That’s all you really need for a cloud camera storage solution for personal use.

    There’s a reason none of these companies implement it, and it isn’t cost. Costs them the same to store that data, either way.

    Turning on an unencrypted stream, for a third party to view, should be the exception event in the code, authorized by the device owner, not the default.
     
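The storage model denverpilot sketches in posts 8, 9 and 13 (encrypt at the source device, the cloud stores only ciphertext it has no business reading, only the owner holds the key, and a third party gets plaintext solely as an owner-authorized exception), worked through as an added example in Go. This is not code from the thread or from any camera vendor. The device ID, the two text "frames" standing in for video chunks, the fixed owner key and the all-zero key the storage operator guesses are all constructed for the demonstration; the audited RBAC and key-access logging denverpilot also asks for in post 8 is outside this block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Chunk is what leaves the camera: AES-GCM ciphertext plus the public metadata
// the storage service needs to index and bill for it. No key travels with it.
type Chunk struct {
	DeviceID string
	Index    uint64 // stream position, authenticated through the AAD below
	Nonce    []byte
	Body     []byte // ciphertext || 16-byte GCM tag
}

// aad binds a chunk to its device and stream position, so the storage operator
// cannot splice, reorder or relabel chunks without the owner's decrypt failing.
func aad(deviceID string, index uint64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, index)
	return append([]byte(deviceID), buf...)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the camera: encrypt one chunk before it touches the network.
// Random 96-bit nonces are fine per device key; rotate well before 2^32 chunks.
func Seal(key []byte, deviceID string, index uint64, plain []byte) (Chunk, error) {
	a, err := newAEAD(key)
	if err != nil {
		return Chunk{}, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Chunk{}, err
	}
	body := a.Seal(nil, nonce, plain, aad(deviceID, index))
	return Chunk{DeviceID: deviceID, Index: index, Nonce: nonce, Body: body}, nil
}

// Open runs on the owner's side on a chunk fetched back from storage. GCM
// rejects a wrong key, a modified body, or a chunk relabelled to another
// device/index, so only the key holder ever gets plaintext.
func Open(key []byte, ch Chunk) ([]byte, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, ch.Nonce, ch.Body, aad(ch.DeviceID, ch.Index))
}

// Storage models the cloud side: opaque chunks keyed by device. It can run
// retention and billing on Index and len(Body) without reading any content.
type Storage map[string][]Chunk

// ownerKey is a constructed demo key; in practice it is generated in the
// owner's vault at provisioning time and never handed to the service.
var ownerKey = []byte("0123456789abcdef0123456789abcdef")

// Demo uploads two constructed "frames" from one camera, then shows the owner
// reading one, a key-less operator failing, and a relabelled chunk being rejected.
func Demo() (ownerSees string, operatorFails, spliceDetected bool, err error) {
	st := Storage{}
	for i, f := range []string{"frame-0000: porch, nobody", "frame-0001: porch, courier"} {
		ch, err := Seal(ownerKey, "cam-frontdoor", uint64(i), []byte(f))
		if err != nil {
			return "", false, false, err
		}
		st["cam-frontdoor"] = append(st["cam-frontdoor"], ch)
	}
	// Owner: holds the key, reads chunk 1.
	p, err := Open(ownerKey, st["cam-frontdoor"][1])
	if err != nil {
		return "", false, false, err
	}
	// Operator: has every byte but no key; an all-zero guess fails authentication.
	_, opErr := Open(make([]byte, 32), st["cam-frontdoor"][1])
	// Operator relabels chunk 1 as chunk 0 (say, to hide the courier's visit).
	moved := st["cam-frontdoor"][1]
	moved.Index = 0
	_, spliceErr := Open(ownerKey, moved)
	return string(p), opErr != nil, spliceErr != nil, nil
}

func main() {
	s, op, sp, err := Demo()
	fmt.Printf("owner reads: %q, operator fails: %v, splice detected: %v, err: %v\n", s, op, sp, err)
}
```

The point of carrying DeviceID and Index in the authenticated data rather than inside the ciphertext is that the service keeps enough readable metadata to do retention, billing and per-device listing, while any attempt to move a chunk to another position or another device makes the owner's decrypt fail instead of silently returning a doctored recording. A third-party viewing feature would then be an explicit, owner-initiated decrypt-and-reshare step, not a key the service already holds.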
  14. wsuffa

    wsuffa Touchdown! Greaser!
    Joined: Feb 22, 2005
    Messages: 22,948
    Location: DC Suburbs
    Display name: Bill S.
    You forgot AMPS. To this day publicly available communications receivers are supposed to be blocked from receiving certain frequencies. Like that did any good.
     
  15. denverpilot

    My RF Service Monitor didn’t get the memo back then. LOL.
     
  16. flyingcheesehead

    flyingcheesehead Touchdown! Greaser!
    Joined: Feb 23, 2005
    Messages: 23,793
    Location: UQACY, WI
    Display name: iMooniac
    Yeah. I'm pretty fed up with all of my camera devices, especially Ring.

    Yeesh. Yup. It's very high on my list to update my home network and put all the IoT stuff in its own little VLAN sandbox and replace all my cameras with a system with local storage.

    Yeah. Have you heard about Amazon Sidewalk? That is some next-level creepy stuff there... Pretty much creating an Amazon-owned mesh network using Ring and Echo (Alexa) devices.
     
  17. DaleB

    DaleB En-Route
    Joined: Aug 24, 2011
    Messages: 4,564
    Location: Omaha, NE
    Display name: DaleB
    Ha! I remember that far back. My Motorola flip phone had a handy-dandy diagnostic mode, available through the keypad, that would let you select whatever cell channel you wanted to monitor. That was occasionally entertaining, though you'd generally only hear half the conversation.
     
  18. denverpilot

    LOL yeah. If you lose the battery door screw on the Ring doorbell, be careful which one you replace it with...

    https://www.nytimes.com/2020/11/11/business/ring-doorbell-recall.html

    Sidewalk is one of the “data sales” things that a certain user here says doesn’t exist. LOL. It’s been in beta for quite a while and I was aware of it at beta start. :) Been a topic amongst security and privacy pros in the places they hang out in for a while now. But yeah, mildly creepy.

    Technically that one is opt-in, but lots and lots of useful idiots will do that without any conscious thought of why they’d give any permission to their video they own to unknown players.

    Including, whoever hacks them eventually. Because they will either be hacked or they’ll have a leak.

    World’s third largest manufacturer of computers got hit by ransomware this week.

    I see Woot also literally ***just*** started the sell off of the Ring doorbells. Haha. Have to get them out of the warehouses to get the recall done? LOL. $69.

    Wyze has announced a bejillion new cloud toys in the last two weeks. Neat and cheap but no local API... the reason I mention it though is security was nearly non-existent on their early stuff and it led to code that allows some of that stuff to be used in ways Wyze never intended.

    Their 900 MHz receiver is plugged into my home automation system directly for sensor use, instead of the back of their camera where they wanted it. Ha. Motion and open/close sensors work great with a little help from GitHub. :)

    The one plus of bad IoT security. They make the hardware, sell it (probably) below cost, and “we” replace the firmware and the nice hardware never talks to the “cloud” ever again... LOL.
     