This Smart Doorbell Was Accidentally Sending Data To China, Until People Started Freaking Out

This article is more than 7 years old.

Ring

Earlier this month, some owners of a smart doorbell -- a security camera and intercom device for the front door -- found out that their gadget was sending tiny packets of data to somewhere it shouldn't: China.

The doorbell, made by Los Angeles-based startup Ring, is supposed to send user video and audio data to Amazon Web Services servers. But, unknown to even the company, tiny packets of audio data were also being routed to a server in China run by Chinese internet giant Baidu at seemingly random intervals.

A Reddit user discovered the strange traffic coming off their device and put up a post about it. Users were concerned. A week later, a post on the website IoT For All stoked the flame with a piece called "Huge Vulnerability Discovered in the Ring Doorbell."

Ring tried to move fast. Within five days of the Reddit post, the company's chief technology officer, Joshua Roth, responded to the original thread, explaining that the data being sent to China is only 20 milliseconds of audio data and that it doesn't represent any security vulnerability. It promised a firmware update to all Ring Video Doorbell Pro devices -- the only Ring device affected by the bug -- to stop the connection to the Chinese server.

Last week, Ring hired consulting firm Tevora to audit the device and make sure nothing was wrong. In the report seen by Forbes, the consultancy confirmed that the device was secure and now no longer communicating with Chinese servers. The flaw existed in firmware version 1.4.26, but was no longer present in updated version 1.4.29. Tevora said it classified the issue not as a vulnerability but as simply a harmless bug.

"There is no evidence to suggest there is any risk to the consumer," the report concluded.

Security researchers agree that the bug posed no significant risk to Ring users. The device was sending data over an internet protocol that threw data one way; there was no way for some hidden agent to sneak into the device from the other end and load malicious code onto it, despite what concerned users suspected.

Nevertheless, the episode highlights a heightened sense of paranoia around these devices. The emerging world of the Internet of Things — where everything from household appliances to streetlights to cars will be networked and computing — has brought with it worries that they're all secretly spying on us. And there are real reasons to be worried about these devices. Security is often lax or nonexistent. In October, the so-called Mirai botnet caused a massive internet outage through hacked internet-connected cameras and DVRs.

U.S. companies like Ring may find consumers wary of any hint of malicious outsiders getting in. There is a stigma associated with sending any data outside the country to places like China, despite it likely representing no real threat, security researchers said.

"The problem is defined by what the consumer likes," said Zach Wikholm, a research developer at security intelligence firm Flashpoint. "In this case, consumers didn't feel safe and Ring patched it."

It now seems like it's no longer enough to make sure the gadget is secure. Device makers need to do a better job making sure their devices are locked down.

Founded in 2012, Ring is the biggest player in the smart doorbell business. It's raised a total of $209 million in venture funding, with the most recent $109 million Series D round bringing its valuation to $445 million, according to PitchBook. The company's annual sales have more than doubled in 2016 over the previous year.

What Ring is guilty of is not locking down the device and not knowing what was going on with it -- a problem all too common with these sorts of new Internet of Things devices. Startups are often rushing through product development and may not take the time to figure out the inner workings of every component they're putting into these devices. (Last year, it was also discovered that Ring doorbells stored WiFi passwords in plain text on the device, allowing hackers to potentially gain access to a Ring user's WiFi network. Ring has since patched that vulnerability.)

Wikholm estimated that this kind of unintended communication, like with Chinese servers, occurs in about one in every ten smart devices. It shows a certain degree of sloppiness. Off-the-shelf components and firmware purchased from Chinese companies are the cause, more often than not.

"It's quite typical for off-the-shelf IoT components to 'phone home' to the upstream manufacturer periodically to check for connectivity and updates," Tod Beardsley, research director at Rapid7, said in an email. "I expect that's what's happening with the Ring device. So, while it's basically harmless traffic, it does indicate that the firmware on the Ring products is being shipped largely as-is, without a thorough security review by the downstream vendor."

Ring denies the charge that it uses any off-the-shelf systems from China, which usually indicates a lower-quality device. "We take extensive measures to build quality products that are secure," Ring CTO Roth said in his statement first posted on Reddit. Ring didn't respond to further questions about why the traffic to China was happening in the first place beyond that it was only a bug. Wikholm suspects it might have been some leftover test code from a Chinese chip vendor.

“There’s a stigma of anything going to China is bad,” Wikholm said. “But a lot of this stuff is made and maintained in China.”
