The mobile app designed to control Ring's smart doorbells has a security flaw that allows homeowners to log in if they ever log in, reports The Information. Miami-based Jesus Echezarreta found out in January that his ex-boyfriend spied on him with his doorbell, bought from the company that bought Amazon for $ 1 billion in the spring. While Mr. Echezarreta changed his ring password, this did not release his former partner from the service, as he was still allowed to access the camera feed of the ring-made doorbell.
The Santa Monica, California-based company was briefed four months ago by Mr. Echezarreta about the incident and adjusted its platform to log out all customers after a password change, but the transition does not take place immediately. Ring Chief Executive Officer Jamie Siminoff said that an instant change would slow the app down, but that the original device maker had already reduced the response time to one hour. A limited investigation conducted by The Information did not confirm these allegations, and at least some users are still unable to launch all connected clients from their Ring Doorbell profile, even several hours after changing their passwords. Echezarreta's case highlights the more general security concerns raised in the "Internet of Things" segment, using his smart doorbell as an espionage tool against him. An internal investigation also revealed that someone rang the doorbell at night in the middle of the night. The company finally gave him a new device and the episode ended without any significant consequences for his well-being. Amazon has recently proposed considering integrating Ring's offerings into its Amazon Key ecosystem to enable in-house delivery even when the owners are away from home. Development is not the first time a significant security flaw has been discovered with respect to any of Ring's products. In 2015, the company had to close a vulnerability that allowed hackers to access their WLAN by compromising their doorbells, while a previous startup's possibly faulty doorbell sent audio data to China last year, despite the company claiming it was a threat practically nonexistent because the packages in question contained only milliseconds of audio and therefore were incomprehensible.