Ring Neighbors is a neighborhood watch feature that was introduced in 2018 to go along with the Ring video doorbells and home security devices that Amazon acquired for $1.2 billion in 2018. It’s now possible for people who use the Ring app to post photos and videos that their neighbors, local news outlets, and police can see. It’s a free service that allows users to share crime, safety, and other information within a 5-mile radius of their house.
It’s also a place where you can ask neighborsfor help if you need it. The company says that people who use Neighbors should be careful about what they post. They should only post about crime, safety, and unusual activity. They should also be aware that posts stay anonymous and aren’t shared publicly unless a user chooses to do so.
The company has taken a number of important steps in recent years to improve its security, including requiring two-factor authentication and offering end-to-end video encryption. But it’s still grappling with a class-action lawsuit over security camera hacks and has drawn criticism for its eagerness to share data with law enforcement.
This week, TechCrunch reports that a security flaw in Ring’s Neighbors app exposed precise locations and home addresses of people who posted to the platform. While the problem wasn’t particularly serious, it is a reminder of the vulnerabilities that come with using smart devices like Ring.
According to TechCrunch, the problem affected a small percentage of people who had used the app over the past year. It was a bug that exposed positional information from the servers Ring used to store Neighbors content. It was paired with a unique number that incremented by one each time a user posted to Neighbors, making it possible for someone who knew the app’s backend code to glean precise location data even from users who weren’t nearby.
As TechCrunch notes, it was easy to do this because the Neighbors app was able to enumerate the positions of all the previous posts. It did this by grabbing hidden data from Ring’s servers and then combining that with a post’s unique number, which made it possible to find the location of any user who had posted to Neighbors in the past.
While the issue was fixed, it’s a reminder that security isn’t something that should be taken lightly by a company with Ring’s size and influence. It’s hard to trust Ring or any of its partners with personal and financial information if they can’t protect it.
The issue also comes on the heels of another privacy miscue for Ring, which a couple in Mississippi said was hacked by hackers who posed as Santa Claus. They said that someone accessed their Ring security cameras in November and started playing music and talking to them.
That’s not a good look for Ring, which has close partnerships with 1,800 police departments and uses its network of video doorbells to sell facial recognition tools to those agencies. But these deals aren’t always transparent and often don’t require a legal agreement from police.