Amazon Bakes Security And Privacy Into Ring’s Video Doorbell
As tech pervades our homes, Lillian Ablon helps protect us
Melbourne, Australia – Apr. 7, 2021
In the pantheon of Internet of Things (IoT) technologies, there are few more potentially intrusive than the new breed of smart security cameras, video doorbells, and personal assistants whose very utility stems from being brought into our personal spaces.
As the recent hack of security-monitoring giant Verkada and its nearly 150,000 surveillance cameras highlighted, the consequences of a security breach of such devices can be intrusive — and potentially damaging.
Avoiding such a breach has naturally been front-of-mind at Ring, the upstart home-security device maker and ‘Shark Tank’ reject that was acquired by Amazon for more than $1.2 billion three years ago.
That deal may have ensured Ring’s future, but it also put the device-driven company near the center of an evolving ecosystem — driven by Amazon’s Alexa family of home hubs — that intrinsically relies on the security of its devices.
New innovations, such as the introduction of end-to-end data encryption for Ring devices, reflect the company’s ongoing focus on security — and Lillian Ablon built the team that continues to fly the security banner in a company whose fast-moving, innovative culture has become the stuff of legend.
Cybercrime Radio: You Can Ring My Bell
Cybersecurity expert Lillian Ablon on DevSecOps
“Ring really prioritizes security and privacy,” Ablon told Cybercrime Magazine, explaining that — for someone who cut her teeth on advanced mathematics theory and spent nearly seven years as a cryptanalyst and developer with the Department of Defense — the opportunity to apply mathematical security to an everyday consumer device was irresistible.
“Ring is at the center of the emerging technology ecosystem and it’s a really exciting place to be,” she said. “It sounds very feel-good — but Ring is committed to its mission, which is empowering consumers and making communities safer.”
For all its good intentions, however, that’s a tall order for a company whose very viability is based on capturing intimate scenes of people’s homes and audio of their conversations, broadcasting that data to other devices, and linking it with a broad range of other IoT devices that each have their own security strengths and weaknesses.
Maintaining a high degree of security across its devices lies at the core of Ring’s Vulnerability Management Program (VMP), an internal security group that Ablon established over two years ago, shortly after joining Ring.
The construction and execution of that team was heavily influenced by Ablon’s work at the RAND Corporation, a non-profit where she spent eight years working with a team researching areas including national security issues, cyber supply chain risks, cybersecurity skills development, and the data breach ecosystem from what she called “all perspectives — the victim’s, the attacker’s, and the defender’s.”
This included research into the motivations of dark-web cyber threat actors, and how they monetize stolen data and exploit zero-day software vulnerabilities.
“From that,” Ablon explains, “I was able to do a deep dive into that data and create some baseline metrics on the characteristics of zero-day software vulnerabilities, to help inform policy discussions. That was one of the studies that I think I’m most proud of.”
Building security culture — inside Ring and outside of it
As a woman who “just wasn’t around the narrative” that girls aren’t good at mathematics, Ablon recalls an awakening when she left academia — where a Bachelor of Pure Mathematics at the University of California, Berkeley led to a Master of Science in Applied and Computational Mathematics from Johns Hopkins University — and found the old ideas were alive and well.
Years of progress have driven “an increase in parity,” she noted, but “there is still a long way to go” — hinting at her professional interest in exposing more young girls to cybersecurity’s challenges and opportunities.
Involvement in school programs like CyberGirlz and Expanding Your Horizons has helped her give back — and, she hopes, sparked a flame in “some very brilliant, capable, talented young women who I really hope continue with STEM fields…. Sparking that interest early, and then helping carry it forward, is so important.”
Bringing so much background knowledge to the table, Ablon already understands how cybercriminals might go about targeting Ring devices and other elements of Amazon’s expanding, Alexa-driven IoT ecosystem.
That has allowed her team to build rigorous processes for protecting company infrastructure as well as scrutinizing new Amazon products, identifying and remediating potential vulnerabilities before they ship.
The “amazing” team works on everything from “finding vulnerabilities, organizing and being able to view them in a comprehensive format, remediating them and then verifying that fix is done for the entire lifecycle.”
“Trying to bring in the application security, infrastructure security, and all different aspects of security into the VMP,” she says, “has been an effort and continues to be an effort — and it really is rewarding.”
And while “under-resourced” security teams are gaining traction as they work to foster DevSecOps practices across product-development organizations, issues of scale create challenges that are increasingly driving them towards machine-learning technologies that can offload some of the burden.
“The way to win at DevSecOps is to automate and scale,” she explained, “and machine learning is an obvious place to go when we think about automation and scale. We’re going to need more focus there — not only to help build those technologies but also to see what might be security issues in those technologies.”
Her evolving understanding of the dynamics of the IoT ecosystem has given her some clear ideas about how IoT vendors can maximize the security and privacy of their products — but she also has some advice for consumers to make sure they don’t stumble blindly into a dark corner of IoT’s new privacy normal.
“IoT devices should have an easy way for consumers to see how their data is being stored and processed,” she said, “and what they can do to secure it, encrypt it, save it, delete it, and share it.”
“Get to know your device, and get to know the privacy and security settings — and use them.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.