Ring Sued in Class Action for Hacking Vulnerability

On December 26, plaintiff John Baker Orange filed a class action complaint against Ring and its parent company Amazon (John Baker Orange v. Ring LLC and Amazon.com, Inc. 2:19-cv-10899). The suit was filed in the California Central District Court. Plaintiff is represented by the Law Office of Francis J. Flynn Jr. and Morgan & Morgan Complex Litigation Group. The complaint is for negligence, invasion of privacy, breach of the implied warranty of merchantability, breach of implied contract, unjust enrichment, and violation of unfair competition law in California.

Ring, a security technology company, allegedly left their products open to hacking. The complaint stated that “Ring promises its customers ‘peace of mind’ with its Wi-Fi enabled smart security systems. Unfortunately, Ring’s cameras fail to deliver on its most basic promise. Lax security standards and protocols render its cameras vulnerable to cyber-attack.” The relaxed security has caused Ring users to have their Ring camera systems “hacked by malicious third parties who gained access to the video and two-way speaker microphone system which they used to invade the privacy of customers’ homes and terrorize unsuspecting occupants, many of whom are children.” Ring stated that the customers who were hacked failed to create strong passwords and use two-factor authentication.

Orange purchased a Ring outdoor camera for his house in July, the camera was installed over his garage with a view of his driveway. His children, aged 7, 9, and 10, were playing basketball on the driveway when an unrecognized voice came through the camera’s two-way speaker. The unknown person engaged with Orange’s children, commenting on their basketball plays and encouraging the children to get closer to the camera. After the incident, he changed the password and enabled two-factor authentication. He previously had a medium strength password. Orange was not aware that two-factor authentication was available and did not think that Ring provided users with sufficient security measures to prevent system hacking. Other hacking incidents across the country have left users terrorized by hackers and their privacy invaded while hindering their sense of safety in their homes. While some hackers have chosen to interact with occupants, many hackers have not, thus leaving them unnoticed by Ring users. The unannounced hackers were free to collect a variety of private information that could be sold and used for criminal purposes. For instance, the complaint uses the example of a pedophile that hacked a camera in an 8-year-old girl’s bedroom and told her that he is Santa Claus. Other examples have involved hackers using racial slurs against occupants.  One hacker even demanded $350,000 in Bitcoin from a couple in Texas.

After these incidents, Ring said it investigated and determined that users’ credentials were used on other separate non-Ring devices and were reused for Ring accounts. Ring suggested that users had weak passwords and did not use two-factor authentication. The complaint stated that Ring did not take any precautions to make its devices not susceptible to hacking.  Ring products must be Wi-Fi connected and are connected to their app. “The Ring system is Wi-Fi enabled, meaning that it will not work without internet connectivity. Once connected, however, any internet device can be seen by the on-line community, making it incumbent upon its manufacturer to design the device such that it can be properly secured for only intended use.” Ring failed to ensure that its cameras were safe from cyber-attack. Ring only required a basic password and did not offer or encourage two-factor authentication. Further, the complaint alleged that “Ring aware that the hacking community developed dedicated software for breaking into Ring security cameras. Indeed, several posts on different crime forums where hackers discuss creating tools for breaking into the Ring accounts which are connected to cameras.” The complaint stated that there is even a podcast that is solely live and recorded hacking incidents for entertainment. Additionally, the complaint stated that due to the nature of Ring as a camera security system, more measures should have been taken by Ring to prevent hacking and encourage users to utilize security features, such as two-factor authentication. “Ring does not alert users of attempted log-in from an unknown IP address or how many others are logged into an account at one time.” This means that someone could be unaware that their system has been hacked.

Some consumer advocacy groups have issued a warning against Ring’s products and services.

Plaintiff has sought an award for damages, as well as equitable, declaratory and injunctive relief.