The Amazon-owned smart home product manufacturer Ring recently announced that it’s strengthening the security of its Internet of Things (IoT) motion-detecting doorbell cameras by offering end-to-end encryption (E2EE) for streaming video footage. There’s a catch, though. Users who opt to turn on E2EE will find that they need to make major tradeoffs. Convenience and usefulness drop if they want to enjoy the privacy benefits of E2EE. That highlights one of the problems with IoT security — balancing privacy with the device’s purpose.

That tradeoff is familiar for the people tasked with protecting IoT environments, especially in industrial settings. Today, manufacturers gather new data streams (such as audio and video content) on the factory floor. They can also insert new control tools (such as voice control and wireless headsets) into processes. As they do so, they need to keep this data close at hand for processing. But it must also be kept safe.

Ring Doorbell Highlights IoT Risks

Ring has a long history of IoT security and privacy issues. In some of those incidents, threat actors used the camera’s two-way talk function to harass customers. In the best-known of these incidents, a widely-shared video shows a faceless man taunting an eight-year-old girl from the Ring security camera that her family had installed in her bedroom.

The company insisted that these incidents were the result of customers’ credential re-use. Ring stated that bad actors used username and password pairs from third-party data breaches, not from a breach of Ring’s own network. Nonetheless, the company later added two-factor authentication to its account sign-in procedures after security experts found that it had no way of preventing so-called brute force attacks — in which attackers simply test out large numbers of possible passwords in an attempt to guess correctly. It also rolled out a new Control Center feature that enables users to better manage their privacy and security settings within the Ring app.

Now, Ring is putting E2EE in place for streaming video data.

Why IoT Security Comes at a Cost

According to Ring, the company’s new E2EE option is an “additional security- and privacy-centric feature [designed to provide] users with even more peace of mind”. To protect their customers’ streaming video data, Ring uses a technology called asymmetric key encryption. In this type of cryptography, the streaming data is encrypted when the device creates it. To decrypt it, you need a unique private key, and that key works only on the local mobile device where the customer views their video. In this case, the paired phone app generates the key, a unique 10-word passphrase. The system randomly selects each word of the passphrase from a list of 7,776 words. To further protect the video stream, the phone app doesn’t store the passphrase locally. Instead, the user must enter it each time they want to view their videos.

What does relying on asymmetric key encryption mean for the user? To the surprise of few, the answer is nothing good.

First, customers using E2EE need to retype their 10-word passphrase every time they want to check their video stream. Because the words are chosen at random, the phrase won’t make any sense, which makes it harder to remember. What if a user happens to forget their passphrase? They’ll lose access to their device’s video content — forever. After all, Ring doesn’t retain the decryption key or store it anywhere else.

Balancing Safety and Function

Secondly, because asymmetric key decryption is somewhat computationally intensive, it can’t be performed on every device. Only mobile phones running recent versions of iOS or Android can use Ring’s E2EE feature.

And, crucially, the asymmetric key encryption that Ring relies on is a one-to-one encryption protocol. This is typical of the cryptographic techniques that have been used most often in computing to date. However, it doesn’t work well for securing cyber-physical systems and IoT devices. Smart buildings, smart factories and smart cities rely on geographically distributed sensor networks. Their data flows between systems that interact via multiple intermediaries. This means that IoT streams often have more than one recipient. With one-to-one encryption, the data must therefore be encrypted, decrypted and re-encrypted once per recipient if it is to remain secure along the whole path.

For Ring customers who turn on E2EE, one-to-one encryption means a loss of function. E2EE users can no longer share their videos with other users. Nor can they view them online, or through Ring’s Windows and Mac desktop apps. What’s more, any Ring features that rely on external processing and analysis of video content will no longer work. So E2EE users can no longer access features such as automatic Motion Verification or People-Only mode.
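The two mechanics described above (a passphrase drawn from a 7,776-word list that is the only way to recover the key, and the cost of one-to-one encryption when a stream has several recipients) can be made concrete in a short simulation. The code below is an added example written for this page; it is not Ring’s code and does not describe Ring’s actual protocol. It computes the entropy of a 10-word passphrase, derives a key-encryption key from the passphrase with PBKDF2 (an assumption; the article does not say which KDF Ring uses), and then shows the standard envelope pattern in which the bulk stream is encrypted once under a random content key and only that small key is wrapped once per recipient. The cipher is a stand-in built from HMAC-SHA256 so the example runs with the Python standard library alone; a production system would use AES-GCM or ChaCha20-Poly1305. The sample frame, salt and passphrases are constructed.

```python
"""Added example (not Ring's code): passphrase-protected keys and multi-recipient
envelope encryption for a sensor/video stream. Stand-in AEAD built from HMAC-SHA256;
use AES-GCM or ChaCha20-Poly1305 in real systems."""
import hashlib
import hmac
import math
import secrets

WORDLIST_SIZE = 7776     # size of a standard diceware list (6**5), as cited in the article
PASSPHRASE_WORDS = 10
NONCE_LEN, TAG_LEN = 16, 32


def passphrase_entropy_bits(words=PASSPHRASE_WORDS, list_size=WORDLIST_SIZE):
    """Entropy of a passphrase of `words` words, each drawn uniformly from `list_size`."""
    return words * math.log2(list_size)


def random_passphrase(wordlist, words=PASSPHRASE_WORDS):
    """Pick each word independently with a CSPRNG (entropy depends on len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from the passphrase. Nothing but the passphrase reproduces it,
    which is exactly why a forgotten passphrase means the data is gone."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (e.g. wrong passphrase) fails here."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def encrypt_stream_for_recipients(stream: bytes, recipient_keks: dict) -> dict:
    """Envelope pattern: bulk data encrypted ONCE under a fresh content key; the 32-byte
    content key is wrapped once per recipient. One-to-one encryption would instead
    re-encrypt the whole stream len(recipient_keks) times."""
    content_key = secrets.token_bytes(32)
    return {
        "ciphertext": seal(content_key, stream),
        "wrapped_keys": {name: seal(kek, content_key) for name, kek in recipient_keks.items()},
    }


def decrypt_stream(envelope: dict, name: str, kek: bytes) -> bytes:
    content_key = open_sealed(kek, envelope["wrapped_keys"][name])
    return open_sealed(content_key, envelope["ciphertext"])


if __name__ == "__main__":
    salt = b"constructed-per-device-salt"          # constructed sample value
    owner = derive_kek("constructed ten word passphrase goes here for demo", salt)
    family = derive_kek("another constructed passphrase for a second viewer", salt)
    env = encrypt_stream_for_recipients(b"constructed video frame bytes", {"owner": owner, "family": family})
    print("entropy bits:", round(passphrase_entropy_bits(), 1))
    print(decrypt_stream(env, "owner", owner), decrypt_stream(env, "family", family))
```

Two points are worth noting. The entropy function shows why a 10-word passphrase is a strong key-protection secret (about 129 bits) and also why it is unmemorable, which is the usability cost the article describes. The envelope functions show that adding a second viewer costs one extra wrap of a 32-byte key, not a second encryption of the stream; a device that can only do one-to-one encryption pays the full bulk cost for every recipient, which is the scaling problem the article raises for distributed sensor networks.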

Tomorrow’s IoT Security Solutions Need Many-to-Many Encryption

Ring’s E2EE is an opt-in feature: it ships turned off, and users must choose to enable it. Many users won’t. Large numbers of Ring customers bought their devices because they wanted to be able to view their videos from multiple devices, to share their data with others or to use popular social networking sites like Ring’s own Neighbors forum. For these users, the benefits of the enhanced privacy that E2EE brings aren’t worth the drawbacks.

For IoT security leaders tasked with protecting streaming sensor data in smart factories, the tradeoff is even more challenging. Making IoT data available for analysis both in the cloud and at the edge is the primary purpose of industrial IoT solutions. If the user can’t use streaming sensor data because it can’t be decrypted, the devices involved lose their value.

At the same time, leaving streaming sensor data unencrypted (and thus vulnerable to compromise) isn’t an option, particularly in the face of today’s more prevalent threats against manufacturing and critical infrastructure. Instead, it’s crucial that the industry adopt lightweight many-to-many E2E encryption algorithms as an industry-wide standard. While emerging tech such as attribute-based encryption (ABE) and object security frameworks shows promise, many-to-many encryption must become the norm if IoT security issues are to be resolved in industrial settings.
