Home » Security School: Latest Home Security Breaches and Responses

Security School: Latest Home Security Breaches and Responses

John Carlsen
By John Carlsen
Staff Writer, Security & Smart Home
Read More
Published on February 23, 2021

Home security breach roundup

man working on laptop in coffee shop

Why track security breaches?

It's only natural to expect security companies to prioritize protecting their customers, but this isn't always the case. Whether you’re holding the magnifying glass up to skipped security measures, sold customer data, or questionable business practices, there's a lot that security companies can improve.

We're not here to accuse companies of misconduct without evidence. We just want to promote awareness so you can make informed decisions and companies can raise their standards.

At SafeWise, we spend most of our time writing reviews and guides, so we can't devote our resources to reporting on current events in the same way as other websites. But, behind the scenes, we’re scouring the news to learn about company reputations as part of our methodology.

Consider this an invite to check out our virtual sticky notes on the latest in home security news.

We understand the effort and skill that goes into this kind of journalism, so we recommend exploring the full articles using the links in each summary.

Check back occasionally, and you might find something new on our list. For tips and advice, check out our guide to preventing smart home hacking.

Recent hacks and breaches

Because the digital world is flooded with talk of hacks and breaches, we decided to break our findings into two categories: breaches and research on preventing them.

Checklist
How to protect yourself from breaches

Here are some tips from our guide to preventing smart home hacking:

  1. Choose devices wisely.
  2. Change your default username.
  3. Use strong passwords.
  4. Use two-factor authentication.
  5. Avoid public Wi-Fi for remote access.
  6. Check app permissions.

Breaches

friends worried looking at laptop

Accidental breaches tend to result from human error, lax policies, or underinvesting in security technologies. You see these breaches when companies skip steps like these:

  • Sensitive data encryption
  • Strong password requirements
  • Enhanced features like two-factor authentication

Deliberate breaches happen when determined hackers bypass customers to attack companies directly. By intentionally exposing sensitive data or degrading services' effectiveness, hackers want a big payout or simply to spread fear.

Merkury Innovations and Geeni

Date
Incident
February 2021 Researchers from the Florida Institute of Technology discovered security flaws in security camera products from Geeni and Merkury Innovations. The company is working on a fix.

Source: Tonya Riley, Aaron Schaffer, Washington Post, "The Cybersecurity 202: Smart Home Devices with Known Security Flaws Are Still on The Market, Researchers Say," February 2021. Accessed February 23, 2021.

Ring (Amazon)

Date
Incident

January 2021

The Ring Neighbors app had a bug that exposed the locations and addresses of users. The company says it has corrected the problem.

Source: Zack Whittaker, TechCrunch, "Amazon’s Ring Neighbors App Exposed Users’ Precise Locations and Home Addresses," January 2021. Accessed February 23, 2021.

Date
Incident

January 2020

Ring announced the termination of four employees for spying on customers' camera feeds. The events spanned the previous four years, but this was the first public acknowledgment.

Source: Dalvin Brown, USA TODAY, "Amazon's Ring Fires Four Employees for Snooping on Customers' Doorbell Camera Video Feeds," January 2020. Accessed July 30, 2020.

Date
Incident

December 2019

Following an incident where someone remotely harassed a Mississippi girl using a Ring security camera, an Alabama man filed a class-action lawsuit against the company for failure to provide sufficient security. Ring suggested the hacks came from weak customer security but didn't encourage users to create strong passwords before the incident.

Source: Jon Fingas, Engadget, "Amazon, Ring Face Lawsuit over Alleged Security Camera Hacks," December 2019. Accessed July 30, 2020.

ADT

Date
Incident

May 2020

ADT terminated an employee after a customer discovered an unauthorized account login. The employee had been illegally watching security camera feeds from hundreds of Texas customers for seven years. ADT is facing class-action lawsuits related to the incidents.

Source: Kaley Johnson, Fort Worth Star-Telegram, "ADT Employee Spied on Hundreds of Dallas-Fort Worth Families for 7 years, Company Says," May 2020. Accessed July 30, 2020.

Various security camera brands including Google Nest

Date
Incident

January 2020

Researchers discovered a sextortion campaign focused on users of security cameras, including some from Google Nest. It likely came from harvested email addresses, but the researchers said there was no evidence that perpetrators possessed real videos.

Source: Alex Scroxton, ComputerWeekly.com, "Sextortion Campaign Hits Nest Home Security Cameras," January 2020. Accessed July 30, 2020.

Notepad
What is sextortion?

Sextortion is when criminals acquire or claim to possess sexual video or photos of an individual. They use this as leverage to coerce payments in exchange for not posting the images online.

Wyze Labs

Date
Incident

December 2019

Public exposure of data from 2.4 million customers, including email addresses and Wi-Fi network information, but no passwords. The breach was an accidental byproduct of an employee conducting internal analytics work.

Source: Nicole Karlis, Salon.com, "A Huge Security Camera Company Just Had a Huge Security Breach," January 2020. Accessed July 30, 2020.

Research to prevent breaches

man talking on phone while researching on laptop computer

Security researchers help companies by discovering possible breach tactics before they occur. The research primarily focuses on the technology behind breaches and often informs the security strategies of businesses.

These finds aren't as practical for everyday consumers, but you can pull them out of your back pocket to sound smart at your next dinner party.

2020 Xfinity Cyber Health Report

Date
Incident

November 2020

Researchers from Comcast said that most customers wouldn't know if non-screen devices had been hacked. The report also indicates that the average household experiences around 104 security threats each month.

Source: Comcast, "2020 Xfinity Cyber Health Report," November 2020. Accessed February 23, 2021.

Various security camera brands including Google Nest and Xiaomi

Date
Incident

July 2020

Researchers revealed how the size of the datastream from a security camera, which is typically unencrypted, could show outside observers whether someone is home or not. This is because security cameras don't use as much data when there's nothing to record.

Source: Jack Guy, CNN, "Security Cameras Can Tell Burglars When You're Not Home, Study Shows," July 2020. Accessed July 30, 2020.

iBaby Labs

Date
Incident

March 2020

Researchers spotted a vulnerability in iBaby baby monitors that could have given access to recordings, personal information, and the popular baby camera's controls. Only after this news became public did the company patch the vulnerability, despite the researchers' efforts to contact the company in the previous 10 months.

Source: Sara Morrison, Vox Media, "The Case against Smart Baby Tech," March 2020. Accessed July 30, 2020.

Philips Hue

Date
Incident

February 2020

Researchers explained a bug that could allow hackers to fake a defective smart light bulb, prompting users to reinstall the bulb. After a reset, hackers could install malware on the Hue hub and home network. Philips Hue fixed the bug between November 2019 and February 2020, when the report went public.

Source: Aaron Mamlit, Digital Trends, "Hackers May Attack Home Networks through Philips Hue Smart Bulbs Vulnerability," February 2020. Accessed July 30, 2020.

Culture and government

Governments carry an absolute responsibility to protect citizens, so it's important to recognize potential security failures when they crop up. Here are some activities, laws, and regulations to think about.

IoT Cybersecurity Improvement Act

Date
Incident
December 2020 The United States passed the IoT Cybersecurity Improvement Act in December 2020 to set standards for addressing vulnerabilities in IoT devices. It's specific to devices used by the government but will likely have an effect on the IoT industry as a whole.

Source: Andrew Silberman, Security Boulevard, "A Step in the Right Direction: The IoT Cybersecurity Improvement Act," February 2021. Accessed February 23, 2021.

Google

Date
Incident

July 2020

During a congressional antitrust hearing, Rep. Kelly Armstrong, from North Dakota, asked about Google's compliance with controversial geofence warrants in the wake of racial equality protests. Geofence warrants allow law enforcement agencies to access data from anyone in a certain place at a specific time.

Source: Alfred Ng, CNET, "Lawmaker Questions Google's CEO about Geofence Warrants," July 2020. Accessed July 30, 2020.

Ring (Amazon)

Date
Incident

June 2020

Ring has partnerships with over 1,300 law enforcement agencies across the US, which present a threat to Americans' privacy and well-being—especially people of color—if abused, according to the Electronic Frontier Foundation (EFF).

Source: Jason Kelley, Matthew Guariglia, Electronic Frontier Foundation, "Amazon Ring Must End Its Dangerous Partnerships with Police," June 2020. Accessed July 30, 2020.

Police-tracking apps

Date
Incident

June 2020

CNET highlights how protesters have used apps like Citizen and Ring Neighbors to track police activity. Conversely, the information shared in these apps is often available to law enforcement.

Source: Laura Hautala, CNET, "Police-tracking Apps Are More Popular than Ever Thanks to the Protests," June 2020. Accessed July 30, 2020.

Questionable business practices

disappointed couple interacting with a business man

While we understand that businesses first and foremost aim to maximize profits, that can create stumbling blocks for customer experience and lead to privacy pitfalls.

Amazon and Google

Date
Incident

March 2020

Both Amazon and Google require third-party partner companies to continually share status updates with them, potentially exposing user data to attacks. Previously, access to this information occurred only upon issuing a command.

Source: David Priest, CNET, "Smart Home Developers Raise Concerns about Alexa and Google Assistant Security," March 2020. Accessed July 30, 2020.

Ring (Amazon)

Date
Incident

January 2020

The Ring app shares varying levels of user data with five companies: Facebook, Branch, AppsFlyer, MixPanel, and Crashalytics (Google). According to the EFF, the data presents a privacy hazard since marketing companies can track users.

Source: BBC, "Ring Doorbell 'Gives Facebook and Google User Data'," January 2020. Accessed July 30, 2020.

Source: Mark Huffman, ConsumerAffairs, "Amazon Engineer Goes Public with Criticism of the Ring Doorbell Security System," January 2020. Accessed July 30, 2020.

Responses and improvements

Breaches usually lead to improvements if companies are willing to learn from their failures. Here are some examples of companies improving things after a breach (it doesn't even have to be their breach).

Ring (Amazon)

Date
Incident

January 2021

Ring added end-to-end encryption to protect video recordings and other data for the entire transit between the cloud and other devices. Ring previously encrypted cloud data, but not transmissions.

Source: Scott Ikeda, CPO Magazine, "Following a Year of Privacy Worries and Security Breaches, Ring Implements End-to-End Encryption," January 2021. Accessed February 23, 2021.

Date
Incident

January 2020

Ring added a Control Center to the Ring app so users can easily manage security settings. Some security features were previously in separate places, while others are new to Ring accounts, like two-factor authentication.

Source: Dan Seifert, The Verge, "Ring Adds Privacy Dashboard to App in Response to Security Concerns," January 2020. Accessed July 30, 2020.

Amazon, IBM, and Microsoft

Date
Incident

June 2020

Amazon started a one-year moratorium of police access to its facial recognition software following concerns that police would try to identify and target protesters. Microsoft and IBM have made similar decisions with IBM stopping facial recognition development entirely.

Source: Rebecca Heilweil, Vox Media, "Big Tech Companies Back Away from Selling Facial Recognition to Police. That’s Progress.," June 2020. Accessed August 12, 2020.

Blink (Amazon) and Arlo

Date
Incident

March 2020

Blink and Arlo now require two-factor authentication to protect user data.

Source: Thomas Ricker, The Verge, "Arlo and Blink Cameras are Boosting Security to Beat Hackers," March 2020. Accessed July 30, 2020.

Google Nest

Date
Incident

February 2020

Google Nest now requires two-factor authentication to protect user data.

Source: Allison Matyus, Digital Trends, "Nest Makes Two-Factor Authentication Mandatory for its Smart Home Devices," February 2020. Accessed July 30, 2020.

Related articles

John Carlsen
Written by
John Carlsen
John is a technology journalist specializing in smart home devices, security cameras, and home security systems. He has over eight years of experience researching, testing, and reviewing the latest tech—he was the Smart Home Editor for Top Ten Reviews and wrote for ASecureLife before joining SafeWise as a Staff Writer in 2020. John holds a Bachelor's degree in Communications, Journalism emphasis from Utah Valley University. In his spare time, he enjoys hiking, photography, cooking, and starting countless DIY projects he has yet to complete.
Read More
No Comments