Current Events > Those Ring video cameras have awful security

Antifar
12/17/19 7:11:13 PM
#1:


https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security
Amazon-owned home security company Ring is not doing enough to stop hackers breaking into customer accounts, and in turn, their cameras, according to multiple cybersecurity experts, people who write tools to break into accounts, and Motherboard's own analysis with a Ring camera it bought to test the company's security protections.

Last week a wave of local media reports found hackers harassed people through Ring devices. In one case a hacker taunted a child in Mississippi, in another someone hurled racist insults at a Florida family. Motherboard found hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring abuse on their own so-called podcast dubbed "NulledCast."

In response to the hacks, Ring put much of the blame for these hacks on its users in a blog post Thursday.

"Customer trust is important to us, and we take the security of our devices and service extremely seriously. As a precaution, we highly encourage all Ring users to follow security best practices to ensure your Ring account stays secure," it said. To be clear, a user who decides to use a unique password on their Ring device and two-factor authentication is going to be safer than one who is reusing previously hacked credentials from another website. But rather than implementing its own safeguards, Ring is putting this onus on users to deploy security best practices; time and time again we've seen that people using mass-market consumer devices aren't going to know or implement robust security measures at all times.

Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in, entirely common security measures across a wealth of online services.

"They are worth billions so where is the investment in security," Daniel Cuthbert, who is on the committee for annual cybersecurity conference Black Hat, and who is also a Ring owner, told Motherboard.

A Ring account is not a normal online account. Rather than a username and password protecting messages or snippets of personal information, such as with, say, a video game account, breaking into a Ring account can grant access to exceptionally intimate and private parts of someone's life and potentially puts their physical security at risk. Some customers install these cameras in their bedrooms or those of their children. Through an issue in the way a Ring-related app functions, Gizmodo found these cameras are installed all across the country. Someone with access can hear conversations and watch people, potentially without alerting the victims that they are being spied on. The app displays a user-selected address for the camera, and the live feed could be used to determine whether the person is home, which could be useful if someone were, for example, planning a robbery. Once a hacker has broken into the account, they can watch not only live streams of the camera, but can also silently watch archived video of people, and families, going about their days.

Or a hacker can digitally reach into those homes, and speak directly to the bewildered, scared, or confused inhabitants. That level of sensitivity should arguably encourage more robust security practices than an ordinary account.

Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password.

Other steps Ring could take to better keep hackers out include checking whether someone is logging in from an IP address Ring has never seen before, and if so, carrying out additional checks, Cuthbert said. Another is checking for concurrent sessions, such as seeing whether the user is simultaneously logged in from, say, both Germany and the U.K., Cuthbert added, in case one of those may be a hacker accessing the account.

One member of a hacking forum who codes cracking tools, and who Motherboard granted anonymity so they could speak more openly about the process, said, "just enabling SMS verification if there is a connection from an unknown IP would instantly kill each checker." A checker is a piece of software that grinds through credentials to see if they work on a particular site or service.

---
kin to all that throbs
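
The login-side checks described in the quoted article (extra verification for a never-before-seen IP, flagging concurrent sessions from different countries, and showing the user who is logged in), sketched as an added example that is not part of the original post and is not Ring's code. The class, function and field names are hypothetical, the IPs are constructed documentation addresses, and the country is assumed to come from a GeoIP lookup done by the caller.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    known_ips: set = field(default_factory=set)   # IPs that already passed verification
    sessions: dict = field(default_factory=dict)  # session_id -> country code

def evaluate_login(account, session_id, ip, country, second_factor_ok=False):
    """Risk-check a login whose password has ALREADY matched.

    Returns (decision, reasons). "step_up" means: do not create the session
    until the user passes a second check (e.g. an SMS code). A reused
    password alone is then not enough from an unfamiliar network.
    """
    reasons = []
    if ip not in account.known_ips:
        reasons.append("unknown_ip")
    other_countries = {c for sid, c in account.sessions.items() if sid != session_id}
    if other_countries and country not in other_countries:
        reasons.append("concurrent_session_other_country")

    if reasons and not second_factor_ok:
        return "step_up", reasons          # nothing is recorded yet

    # Verified (or nothing suspicious): remember the IP and open the session.
    account.known_ips.add(ip)
    account.sessions[session_id] = country
    return "allow", reasons

def session_overview(account):
    """What a 'who is logged in' screen would show the account owner."""
    return {"count": len(account.sessions),
            "countries": sorted(set(account.sessions.values()))}

if __name__ == "__main__":
    # Constructed sample: owner normally logs in from 203.0.113.10 in GB.
    acct = Account(known_ips={"203.0.113.10"}, sessions={"s1": "GB"})
    print(evaluate_login(acct, "s2", "203.0.113.10", "GB"))
    print(evaluate_login(acct, "s3", "198.51.100.7", "DE"))
    print(evaluate_login(acct, "s3", "198.51.100.7", "DE", second_factor_ok=True))
    print(session_overview(acct))
```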
Antifar
12/19/19 11:22:15 AM
#2:


Veggeta_MAX
12/19/19 11:23:02 AM
#3:


Thought you were talking about the Ring girl.

---
I'm Veggeta X's alt
ThunderTrain
12/19/19 11:25:33 AM
#4:


Lol at people who use them in the house. Enjoy looking at my front lawn.

---
Without this nobody reads the last line of a post
Praise Lord Helix
Cornmuffins
12/19/19 11:38:28 AM
#6:


Veggeta_MAX posted...
Thought you were talking about the Ring girl.


Is reading a challenge for you?
---
Getting C's and D's, saying thanks and please.
You broke the golden rule, you're staying after school.
Veggeta_MAX
12/19/19 11:38:54 AM
#7:


yes it is

---
I'm Veggeta X's alt
coh
12/19/19 11:42:48 AM
#8:


Veggeta_MAX posted...
Thought you were talking about the Ring girl.

It's so spooky in those movies when the characters are looking at a screen and see the ghosts in it