
Ring Throws Customers Under the Bus After Data Breach - mab879
https://www.eff.org/deeplinks/2019/12/ring-throws-customers-under-bus-after-data-breach
======
rurcliped
EFF is incorrect that there are "basic guidelines" for authentication to
websites that are integrated with physical-security systems, in which "locking
the account until the owner can be contacted" is reasonable. The legitimate
owner of a Ring device may have a specific need to access Live View within
seconds of providing the correct authentication data. (For most other
categories of websites, temporarily disrupting legitimate logons is often
acceptable.) A sample attack scenario is:

1. The threat actor knows the device's physical location, and has software to
perform a brute-force attack on the account of the device owner.

2. The device owner happens to be, for whatever reason, signed out of the
Ring app.

3. A 14-year-old child of the device owner is home alone.

4. The threat actor launches the brute-force attack and then attempts to
visit the home.

5. The child sends a text to ask the parent to immediately interrogate the
visitor over Live View.

6. The parent cannot immediately log on.

7. In most cases, the family is less safe than if "locking the account until
the owner can be contacted" doesn't ever happen.
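The availability problem the comment describes can be shown concretely. The following is an added example, not code from the comment, from EFF, or from Ring: it models a hypothetical account with a whole-account lockout policy and replays the scenario above, where an attacker's failed guesses lock the account before the owner tries to log in. For comparison it also models a per-source throttle (an assumed alternative design, not something the comment proposes), under which the owner's own device is unaffected by a third party's failed attempts. The password, salt, and source labels are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed credential store for one hypothetical account.
SALT = b"constructed-salt-value"
OWNER_PASSWORD = "correct horse battery staple"  # constructed


def _hash(password: str) -> bytes:
    # PBKDF2 with a modest iteration count so the simulation runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


OWNER_HASH = _hash(OWNER_PASSWORD)


def _password_ok(password: str) -> bool:
    # Constant-time comparison of the derived hash.
    return hmac.compare_digest(_hash(password), OWNER_HASH)


@dataclass
class LockoutAuthenticator:
    """Locks the whole account after max_failures, no matter who caused them.

    This is the "lock the account until the owner can be contacted" policy
    the comment objects to for physical-security systems.
    """
    max_failures: int = 5
    failures: int = 0
    locked: bool = False

    def login(self, password: str) -> str:
        if self.locked:
            return "locked"          # even the correct password is refused
        if _password_ok(password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "denied"


@dataclass
class PerSourceThrottle:
    """Counts failures per client source; the account itself never locks.

    Assumed alternative design. Its own caveat: a threat actor who can rotate
    sources is slowed less, so it trades some brute-force resistance for
    owner availability.
    """
    max_failures: int = 5
    failures: dict = field(default_factory=dict)

    def login(self, source: str, password: str) -> str:
        if self.failures.get(source, 0) >= self.max_failures:
            return "throttled"       # only this source is refused
        if _password_ok(password):
            self.failures.pop(source, None)
            return "ok"
        self.failures[source] = self.failures.get(source, 0) + 1
        return "denied"


def simulate(attacker_guesses: int = 20) -> dict:
    """Replay the scenario: attacker guesses first, then the owner logs in."""
    lockout = LockoutAuthenticator()
    throttle = PerSourceThrottle()
    for i in range(attacker_guesses):
        wrong = f"wrong-guess-{i}"   # constructed, never the real password
        lockout.login(wrong)
        throttle.login("attacker-source", wrong)
    return {
        # Step 6 of the scenario: the parent, with the right password, is locked out.
        "lockout_owner": lockout.login(OWNER_PASSWORD),
        # Under per-source throttling the owner's phone is unaffected...
        "throttle_owner": throttle.login("owner-phone", OWNER_PASSWORD),
        # ...while the source that exhausted its budget stays refused.
        "throttle_attacker": throttle.login("attacker-source", OWNER_PASSWORD),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it prints the lockout policy refusing the owner's correct password (`locked`) while the per-source throttle admits the owner (`ok`) and still refuses the exhausted source (`throttled`), which is the trade-off between brute-force resistance and owner availability that the comment is pointing at.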

