Smart home security advice. Ring, SimpliSafe, Swann, and Yale
Introduction
This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you’re looking to monitor your property remotely, enhance your home’s security, or see who’s at the front door, this guide will provide you with valuable insights. We have assessed the security characteristics of each brand and identified potential vulnerabilities and best practices, so you don’t have to.
Manufacturers:
- Ring doorbell security
- SimpliSafe smart home security
- Swann smart home security
- Yale smart home security
Ring doorbell security: What do you need to know?
TL;DR
- Ring Basics: Ring started with video doorbells and now offers various home security products. Amazon bought Ring in 2018.
- Early Issues: Early problems included exposed Wi-Fi keys and database errors, which were quickly fixed.
- Recent Vulnerabilities: Issues like session cookie theft and Wi-Fi key exposure have been resolved.
- Automatic Updates: Ring updates itself automatically, which is good for security.
- Encryption: End-to-end encryption isn’t enabled by default for doorbells but should be activated.
- Privacy and Passwords: Two-step verification is on by default, but multi-factor authentication (MFA) is recommended.
Who is Ring?
Ring started in 2013, offering video doorbells that let you see and talk to visitors from your phone. Over time, they expanded into CCTV cameras and home alarms. Amazon bought Ring in 2018.
Inside the Ring doorbell
Security issues in the early days
In 2016, Ring encountered a significant security flaw with its doorbell devices. If an attacker physically removed the doorbell, they could access a setup mode that exposed the home’s Wi-Fi key. This vulnerability allowed unauthorised individuals to potentially connect to the home network and monitor network traffic, posing a serious security risk. Since then, Ring has made substantial improvements to address this issue. Enhanced encryption protocols now provide better protection against unauthorised access to Wi-Fi credentials.
Ring has not only fixed the Wi-Fi key exposure issue but also proactively addressed other security challenges. For instance, they resolved database errors that previously led to incorrect footage being sent to users. These measures reflect Ring’s proactive commitment to improving the security and reliability of their devices, ensuring a safer experience for their customers.
Security fixes
Since Amazon acquired Ring, a few vulnerabilities have been found and resolved:
- Session Cookie Theft (2019): A flaw in the app's handling of session cookies put some users' camera footage at risk. This was fixed promptly.
- Wi-Fi Key Exposure (2019): An issue similar to the 2016 problem, but one that required the attacker to be physically present during setup. This was also resolved quickly.
Ring’s swift response to security vulnerabilities demonstrates its commitment to maintaining the security of its devices, providing you with peace of mind.
Automatic updates
One of Ring’s strengths is its automatic update system. Unlike many smart devices that require you to check for updates manually, Ring doorbells do this automatically. This helps keep your device secure without needing you to take extra steps.
Encryption: What’s the deal?
To enhance the security of your Ring doorbell, it is important to manually enable end-to-end encryption (E2EE) through the Ring app, as this feature is not turned on by default. E2EE ensures that only you can view your video footage, providing an added layer of protection. Additionally, regularly review your device settings and stay informed about any new security updates from Ring to keep your data secure. If encryption is a top priority and you prefer devices with built-in security features, consider using Ring’s CCTV cameras, which come with encryption enabled by default. Taking these steps will help ensure that your Ring doorbell offers the highest level of security.
Privacy concerns
Ring has faced privacy issues, including:
- Community Alert Program: They used to share video footage with some US police forces, raising privacy concerns.
- Neighbours App: Similar privacy issues were raised due to data-sharing practices.
- FTC Settlement (2023): The FTC addressed problems where Ring staff could access user footage without proper controls.
Ring has since improved privacy controls and resolved issues where users couldn’t remove access for ex-partners.
Password security
Ring requires two-step verification (2SV) by default, which adds an extra layer of security by requiring a second form of identification in addition to your password. While 2SV is a valuable security measure, it is less robust than multi-factor authentication (MFA). MFA involves using multiple different types of authentication factors, such as something you know (a password), something you have (a mobile device), and something you are (biometrics), providing a higher level of security.
Enabling MFA in the Ring app is recommended for enhanced account protection. This additional layer of security significantly increases the difficulty for unauthorised individuals to access your account, even if they manage to obtain your password.
In addition to using MFA, Ring enforces certain password requirements to help ensure that passwords are not easily guessed. However, creating passwords that are complex and unique to your Ring account is still crucial. A strong password—one that combines letters, numbers, and symbols and is not used for other accounts—adds an additional layer of defence against potential security breaches. For better security, use a password manager to generate and store longer, random passwords.
Is Ring secure for UK users?
Ring is now generally considered secure. Their prompt response to security issues and their commitment to privacy and regular updates make it a strong choice for smart home security in the UK. It’s still important to keep software updated and to use strong passwords, though. While no system is completely invulnerable, Ring’s ongoing efforts to enhance security make it a good option for smart home enthusiasts.
SimpliSafe smart home security: What do you need to know?
TL;DR
- Overview: SimpliSafe offers smart home security including cameras, doorbells, and alarms, with 24/7 monitoring.
- Past Issues: Vulnerabilities included the ability to disable alarms, jamming signals, and PIN code manipulation.
- Updates: Devices update automatically, but the base station and keypad require manual approval.
- Encryption: Products are encrypted, but true end-to-end encryption is not provided. SimpliSafe staff can access footage for monitoring.
- Privacy Concerns: Monitoring staff have access to footage, raising privacy concerns. Cameras have a physical shutter for added privacy.
- Password Security: Multi-factor authentication (MFA) is required for new accounts and can be enabled for existing ones. Strong password practices are advised.
What is SimpliSafe?
SimpliSafe is an American company that provides a range of smart home security products. They offer cameras, video doorbells, keyless entry systems, alarms, and environmental sensors. A unique feature of SimpliSafe is their 24/7 monitoring service, which alerts them if an alarm is triggered, so they can respond even if you’re not home.
Early security concerns
SimpliSafe has had several security issues over the years:
2015: Researchers found that the command to disable SimpliSafe’s alarms could be recorded and replayed. This flaw was significant but required a highly skilled attacker. SimpliSafe downplayed the risk and did not address the issue with a simple firmware update, suggesting that a full device replacement might be needed.
2019: The Lock Picking Lawyer discovered that cheap hardware could jam signals sent to the base station, preventing alarms from sounding. SimpliSafe claimed that while jamming was theoretically possible, it would be difficult in real-world conditions. Other companies have addressed this issue by having alarms sound if the base station loses communication.
2020: Tenable found that someone inside a home could add a new PIN to the alarm keypad without knowing the existing one. Both Tenable and SimpliSafe agreed that the attack required more time than allowed by the system before triggering an alarm. SimpliSafe quickly fixed this with a firmware update.
Other security fixes have been made in past firmware updates, though no details have been provided in the changelogs.
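The replay and jamming problems described above have well-understood receiver-side mitigations, shown here as an added Python example (constructed keys and timings; this is not SimpliSafe's, Yale's or any vendor's actual protocol). Each sensor authenticates its frames with a per-device key and a counter that never repeats, so a recorded "disarm" command is rejected when played back, and the base station records when it last heard each sensor so that a jammed or silenced sensor raises an alarm rather than going unnoticed, which is the behaviour the text credits to other vendors.

```python
"""Added example: replay-resistant commands and link supervision for a toy alarm base station.
Constructed keys and timings; not any vendor's real protocol."""
import hashlib
import hmac
from dataclasses import dataclass, field, replace

# Constructed per-device secrets; a real system provisions one key per sensor at pairing time.
SENSOR_KEYS = {
    "keypad-01": b"constructed-demo-key-keypad-01",
    "door-02": b"constructed-demo-key-door-02",
}

# A sensor that stays silent longer than this is treated as jammed or failed.
SUPERVISION_TIMEOUT_S = 60


@dataclass(frozen=True)
class Frame:
    device_id: str
    counter: int   # strictly increasing per device; never reused
    command: str   # "HEARTBEAT", "ARM", "DISARM", ...
    tag: bytes     # HMAC-SHA256 over device_id, counter and command


def _mac(key: bytes, device_id: str, counter: int, command: str) -> bytes:
    msg = f"{device_id}|{counter}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_frame(device_id: str, counter: int, command: str) -> Frame:
    """Sensor side: bind the command to its counter with a MAC."""
    tag = _mac(SENSOR_KEYS[device_id], device_id, counter, command)
    return Frame(device_id, counter, command, tag)


@dataclass
class BaseStation:
    enrolled_at: float = 0.0
    last_counter: dict = field(default_factory=dict)
    last_heard: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def accept(self, frame: Frame, now: float) -> bool:
        """Receiver side: authenticate first, then reject any counter already seen."""
        key = SENSOR_KEYS.get(frame.device_id)
        if key is None:
            self.events.append(("reject-unknown", frame.device_id))
            return False
        expected = _mac(key, frame.device_id, frame.counter, frame.command)
        if not hmac.compare_digest(expected, frame.tag):
            self.events.append(("reject-bad-tag", frame.device_id))
            return False
        if frame.counter <= self.last_counter.get(frame.device_id, -1):
            # Same or older counter: a recorded frame being played back.
            self.events.append(("reject-replay", frame.device_id))
            return False
        self.last_counter[frame.device_id] = frame.counter
        self.last_heard[frame.device_id] = now
        self.events.append((frame.command.lower(), frame.device_id))
        return True

    def supervise(self, now: float) -> list:
        """Sensors not heard from within the timeout; the caller should alarm on these."""
        return sorted(
            dev for dev in SENSOR_KEYS
            if now - self.last_heard.get(dev, self.enrolled_at) > SUPERVISION_TIMEOUT_S
        )


def run_demo() -> dict:
    """Legitimate disarm, a replayed copy, a tampered frame, and a sensor that falls silent."""
    base = BaseStation()
    disarm = make_frame("keypad-01", 1, "DISARM")
    results = {"disarm_accepted": base.accept(disarm, now=0)}
    # The same frame, recorded and played back a few seconds later, is refused.
    results["replay_accepted"] = base.accept(disarm, now=5)
    # Heartbeats from both sensors; door-02 sends nothing after t=40.
    beat = make_frame("door-02", 1, "HEARTBEAT")
    base.accept(beat, now=10)
    base.accept(make_frame("door-02", 2, "HEARTBEAT"), now=40)
    for i, t in enumerate((30, 60, 90, 120), start=2):
        base.accept(make_frame("keypad-01", i, "HEARTBEAT"), now=t)
    # A heartbeat rewritten into a disarm command no longer matches its MAC.
    tampered = replace(beat, counter=3, command="DISARM")
    results["tampered_accepted"] = base.accept(tampered, now=125)
    # Supervision at t=130: door-02 was last heard 90 s ago, keypad-01 10 s ago.
    results["offline"] = base.supervise(now=130)
    results["events"] = base.events
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The counter check is what defeats replay: the attacker can record a valid frame but cannot produce a fresh one without the device key, and the recorded one is refused because its counter has already been consumed. Supervision covers the jamming case, where no frame arrives at all; the base station does not need to detect the jammer itself, only notice that a sensor it expects to hear from has gone quiet.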
Like Yale, SimpliSafe has a well-defined disclosure policy and encourages collaboration with security researchers.
Update process
SimpliSafe’s cameras and video doorbells update automatically. For base stations and keypads, updates require user approval through the companion app. While not perfect, this process is largely automated and reduces the need for users to manually check for updates.
Encryption
SimpliSafe advertises its products as having “end-to-end encoding,” but this term is not entirely accurate. Although all communications are encrypted, SimpliSafe staff can decrypt footage if necessary for their 24/7 monitoring service. This means that while data is secure in transit and at rest, it is not true end-to-end encryption, and insider threats or leaked encryption keys could compromise footage.
Privacy concerns
The ability of SimpliSafe staff to access stored video footage for monitoring purposes raises privacy concerns. SimpliSafe guarantees that monitoring agents can only view footage related to specific alarms and that their access is temporary. However, there is no absolute assurance that insiders cannot bypass these controls.
To mitigate privacy concerns, SimpliSafe cameras include a physical shutter. This feature should be used to block the camera when not in use, such as when you leave the house or when privacy is needed during sensitive activities.
Password security
SimpliSafe requires multi-factor authentication (MFA) for new accounts, which enhances security. Existing accounts with only two-step verification can also enable MFA, though ideally, this should be mandatory for all users. Password requirements include a minimum of eight characters with a mix of lowercase, uppercase, numbers, and special characters. For better security, use a password manager to generate and store longer, random passwords.
Conclusions
SimpliSafe’s 24/7 monitoring service, while helpful, raises significant privacy concerns due to the ability of staff to access footage. Despite having policies to limit access to incident-related footage, the potential for insider threats cannot be entirely ruled out. Additionally, SimpliSafe’s response to past vulnerabilities has sometimes been slow, which could indicate room for improvement in their security practices.
Overall, while SimpliSafe offers strong security features and automation, the privacy concerns associated with their monitoring service and the handling of past vulnerabilities suggest a need for caution. Users should weigh these factors carefully and consider using additional privacy measures to protect their home security system.
Swann smart home security: What do you need to know?
TL;DR
- Overview: Swann specialises in CCTV, video doorbells, and alarms, with local storage as the default option.
- Early Security Issues: In 2018, vulnerabilities led to unintended access to others’ footage due to issues with their cloud provider, OzVision. Swann has since moved to AWS and addressed these issues.
- Update Process: DVR/NVR boxes update automatically, but cameras require manual updates via USB.
- Encryption: Swann claims AES-128 encryption for data, but there’s no assurance against decryption by employees or law enforcement.
- Privacy: Local-only storage is available, offering better privacy but fewer remote features. Cloud backup options are available but may raise privacy concerns.
- Password Security: Two-factor authentication is supported; passwords should be complex and at least ten characters long.
What is Swann?
Swann is a home security company that provides a range of products including CCTV cameras, video doorbells, and alarms. A notable feature of Swann’s system is its local storage option for video footage, meaning users can choose to keep their data on-site rather than in the cloud.
Swann camera
Early security issues
In 2018, a significant vulnerability was discovered that allowed users to access others’ video footage accidentally. This issue was linked to Swann’s then-cloud provider, OzVision, which has since gone out of business. Following this, we identified another vulnerability in the same cloud service. Swann took swift action, collaborating with us to implement effective fixes and has since transitioned to using Amazon Web Services (AWS) for cloud storage. No further vulnerabilities have been publicly disclosed.
Update process
Swann’s Digital and Network Video Recorders (DVR/NVR) support automatic over-the-air updates, which is excellent for ensuring that security patches are applied quickly. However, updating individual cameras requires users to install firmware updates via a USB flash drive manually. This can be inconvenient and may lead to outdated firmware if users neglect to perform updates. Since the cameras lack direct internet access, they are less exposed to online threats, but users should still check Swann’s support site regularly for new firmware.
Encryption
Swann advertises that all data transmitted between their devices, cloud services, and apps is encrypted using 128-bit AES encryption, which is considered bank-grade. However, they do not explicitly state that footage cannot be decrypted by Swann employees or law enforcement. Therefore, while the encryption itself is robust, there’s no guarantee against potential access by these parties.
Privacy concerns
Swann offers the option to operate entirely locally, meaning all video footage is stored on-site rather than in the cloud. This setup enhances privacy by preventing Swann, law enforcement, and other third parties from accessing your video feeds. However, local-only systems lack remote access features and automatic updates, and users need to manage security updates manually.
For those who prefer cloud storage, Swann offers the ability to back up footage to a user’s own Dropbox account, which is a good option for privacy-conscious users who still want automated backups. Swann’s premium plan includes cloud storage on their AWS platform, which is secure but may not offer the same level of privacy as local storage.
Password security
Swann supports two-factor authentication (2FA), which adds an extra layer of security to prevent unauthorised access if your password is compromised. Their DVRs require a minimum password length of six characters, which is insufficient by modern standards. Users should set passwords that are at least ten characters long and ideally use a passphrase of three random words, following the National Cyber Security Centre’s guidelines.
Conclusions
Swann may be a smaller player in the home security market, but they have shown a strong commitment to addressing security vulnerabilities effectively. Their local storage option provides significant privacy benefits, and the ability to back up footage to a personal Dropbox account further enhances privacy.
However, the need for manual updates on cameras is a notable drawback, and users should make an effort to regularly check for firmware updates. Overall, Swann’s approach to security and privacy is commendable, making them a solid choice for those who value local data storage and proactive security measures.
Yale smart home security: What do you need to know?
TL;DR
- Overview: Yale, known for mechanical locks, expanded into smart home security in 2011 and acquired August Home in 2017.
- Early Security Issues: Early contactless locks were vulnerable to keycard cloning. Smart burglar alarms had issues with encryption and hardcoded passwords, but Yale responded with updates.
- Update Process: Firmware updates are applied automatically via the companion app, which is more streamlined than some competitors.
- Encryption: End-to-end encryption is available but not enabled by default.
- Privacy: No major privacy concerns have been identified.
- Password Security: Supports 2-step verification but lacks multi-factor authentication. Passwords should be long and complex.
What is Yale?
Yale, traditionally known for its mechanical locks, ventured into smart home security with a smart lock introduced in 2011. By 2016, Yale expanded its smart home lineup, and in 2017, it acquired August Home, a leading smart lock manufacturer. This move broadened Yale’s portfolio and expertise in smart home security.
Yale smart lock hack 2018
Early security concerns
Keycard cloning
Early versions of Yale’s contactless smart locks were vulnerable to keycard cloning. While Yale downplayed the risk, claiming that successful attacks would be highly targeted and require close proximity, the issue was significant. Yale has since addressed this in newer models, but some vulnerable devices might still be in circulation.
Smart burglar alarms
In 2015, Context IS (now part of Accenture) identified vulnerabilities in Yale’s smart burglar alarms, including a lack of network traffic encryption and hardcoded admin passwords. Yale responded promptly with a firmware update but stated that they would not disclose specific vulnerabilities publicly to avoid aiding potential criminals. This cautious approach was also applied when vulnerabilities were found in their companion app.
“Our policy is neither to confirm nor deny any reports about the security of Yale products, as any comment could inadvertently disclose information which might aid criminal activity.”
This response was also used when MWR InfoSecurity (now WithSecure) found that the companion app was vulnerable to man-in-the-middle attacks.
Signal jamming and replay attacks
In 2016, we highlighted issues similar to those found in SimpliSafe’s systems, such as the potential for signals to be jammed or replayed. Yale has since developed a well-defined responsible disclosure policy and encourages collaboration with security researchers.
Update process
Yale’s update process for firmware is relatively user-friendly. Updates are applied automatically when the companion app is open and connected to the device. If the user walks out of range, the update may be paused but not cancelled, which ensures that most security patches are applied without requiring manual intervention. This approach is more convenient than some competitors but not as seamless as Ring’s system.
Encryption
Yale supports end-to-end encryption for video and audio streams through a “customised encryption” option in their companion app. However, this encryption is not enabled by default. Users need to manually select this option to ensure their data is fully encrypted.
Privacy concerns
No significant privacy issues have been identified with Yale’s smart home products. The option to use end-to-end encryption, while not default, provides an additional layer of security for video footage. Yale’s systems are designed to ensure that user data remains secure and private.
Password security
Yale’s Home app supports 2-step verification, which enhances security by sending a code to the user’s phone or email upon login. While 2-step verification is better than nothing, multi-factor authentication (MFA) would offer stronger protection by requiring an additional authentication factor. Users should ensure their passwords are long, complex, and unique. The recommended minimum is ten characters, with a preference for using a password manager to generate and store longer, random passwords.
Conclusions and opinion
Yale has demonstrated a strong commitment to addressing security issues and maintaining a reputable brand. While there are no current critical security or privacy concerns with Yale’s smart home products, the lack of default multi-factor authentication is a drawback. Users should employ long, complex passwords for both their Yale accounts and associated email addresses to enhance security.
Yale’s offering of end-to-end encryption for video footage is a notable feature, though it requires manual activation. Overall, Yale’s smart home security products are robust and offer good privacy protection, making them a reliable choice for many consumers.
Smart home security summary and advice
The security characteristics of the following smart home CCTV and doorbell suppliers have been compared:
- Ring
- Yale
- Swann
- SimpliSafe
No critical concerns were raised. A summary is provided below.
Ring
Ring has faced lots of privacy and security issues in the past, largely due to its popularity. Those issues have been fixed, and consumers now benefit from their mature and well-funded security programme.
Ring devices support end-to-end encryption, automatic updates, and multi-factor authentication.
SimpliSafe
SimpliSafe did not support end-to-end encryption, and suspicion was raised regarding their 24/7 remote monitoring solution, which we recommend remains disabled. New accounts have multi-factor authentication enabled by default, which is recommended.
Swann
Swann was the only vendor without automatic firmware updates. They have also handled few security disclosures, though their authorisation issues in 2015 were responded to quickly and effectively.
Swann’s most significant benefit is the ability to store all footage locally or back it up to the user’s own cloud provider.
Yale
Yale did not offer multi-factor authentication, only 2FA. This makes using a strong, unique, and complex password hugely important.
No public privacy concerns surrounding Yale were documented. Additionally, Yale and Ring were the only providers to offer end-to-end encryption.
Final thoughts and advice
Many suppliers will be sent vulnerability disclosures, and it’s important that they deal with them proactively and with transparency.
Ring has shown the most consistent and effective attitude to security. Their products support end-to-end encryption, automatic updates, and multi-factor authentication.
Regardless of the product or manufacturer we recommend that all users enable end-to-end encryption. If the product has a service that allows remote agents to review live or recorded video footage (as offered by SimpliSafe) you should opt out ASAP.
Indoor-facing cameras should be avoided. If you feel they are absolutely necessary, never point them where personal or work device screens can be seen. This is to avoid the risk of confidential information being leaked.
Passwords for user accounts, Wi-Fi routers, smart home base stations, and individual devices should be unique, random, and suitably complex. We recommend using a password manager to create and store them.
Multi-factor authentication must be used when it’s available. It offers greater protection against account compromise than a strong password alone.