In late December, an Alabama man filed a class-action lawsuit against Amazon after a hacker harassed his children through the Ring camera installed in their driveway.
This is one of several recent security incidents in the past few weeks involving Ring cameras that have gotten Amazon in hot water. In another case, a family in Desoto, Mississippi reported that a hacker had accessed the home security camera installed in their eight-year-old daughter’s bedroom to watch her and taunt her with racial slurs.
Meanwhile, usernames and passwords for thousands of Ring cameras have cropped up on cybercrime forums, and software for breaking into Ring accounts has been changing hands in dark web markets.
Users are outraged at Amazon for not protecting their data and privacy. But Amazon blames users for not activating the security features on their Ring cameras.
In reality, both are to blame. But Amazon should take the lion’s share of it for having disappointing security measures and not doing enough to prevent hackers from accessing the sensitive data of its customers.
Here’s why so many Ring cameras are getting hacked.
Lax security practices by Ring users
Ring has all the basic security features that can prevent the kind of hacks reported in the past month. The victims who had found hackers accessing their cameras could have prevented the incidents had they enabled Ring’s two-factor authentication (2FA) option.
2FA requires users to go through an extra verification step when they log into their account with their username and password. When you enable 2FA on your Ring camera, you tie a mobile phone number to your account. After that, when logging into your account from a new mobile device or computer, the service will require you to enter a randomly generated SMS code sent to your phone.
If a hacker discovers the password to your Ring account, they won’t be able to access it without having possession of your mobile phone and receiving the verification SMS. Even though SMS 2FA is not very secure, enabling it would have made it considerably harder for hackers to break into the victims’ accounts.
Also concerning were the poor password practices of the hacked users. Most of the hacked accounts were using passwords that had been leaked in data breaches at other sites. There are thousands of online articles that warn against reusing passwords across multiple accounts or using “dumb” passwords such as “passw0rd” and “123456.” They also tell you to enable 2FA wherever possible.
Yet, as the Ring security incidents show, users still choose convenience over security in 2020.
“No one expects their security cameras to get hacked when they install them, but recognizing the fact that anyone can become a target and knowing how to minimize the risks is crucial for anyone considering internet-connected smart home surveillance,” says Attila Tomascheck, digital privacy advocate at ProPrivacy. “It is important to note that internet-of-things (IoT) devices are generally not very secure pieces of equipment, so it is vital that consumers take steps themselves to secure their networks and the devices on them.”
Even worse security practices by Ring
But the bigger disappointment comes from Ring itself, a “security” company that promises to protect every corner of your home.
Knowing that consumers often neglect basic security recommendations, Ring could have taken many measures to protect its customers and prevent the hacking of its security cameras.
First, it could have enabled two-factor authentication by default. Sure, it might have caused complaints by a few users who were irritated by the extra authentication steps. But it would have increased the adoption rate of 2FA.
Second, it could have warned users if their chosen password had turned up in repositories of publicly known data breaches such as Troy Hunt’s Have I Been Pwned. This is a measure that an increasing number of online services are adopting.
But even worse was Ring’s lack of defense against automated attacks. Most online services set limits on the frequency and number of failed login attempts from a single device or IP address. They also use CAPTCHAs and other verification methods to make sure a human is logging into the account. But Ring did not implement such safeguards. This allowed hackers to develop a credential stuffing tool that automatically and rapidly attempts to log into Ring accounts using different username/password combinations obtained from previous data breaches until one of them works.
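As an added illustration (example code written for this article, not Ring’s code), here is a minimal sliding-window failed-login throttle of the kind the paragraph says was missing, counting failures both per source IP and per account. The thresholds, window and IP addresses are constructed assumptions; the simulation shows that a credential-stuffing run cycling through many accounts from one IP, and a password-guessing run against one account, are both cut off after a handful of failures.

```python
# Added example, not from the article or from Ring: a sliding-window
# failed-login throttle keyed on source IP and on account.
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # assumption: failures older than 10 min are forgotten
MAX_FAILS_PER_IP = 20       # assumption: catches one IP hitting many accounts
MAX_FAILS_PER_ACCOUNT = 5   # assumption: catches many guesses at one account


class LoginThrottle:
    """Tracks timestamps of failed logins per IP and per account."""

    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_account = defaultdict(deque)

    @staticmethod
    def _prune(q, now):
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check(self, ip, account, now):
        """True if a login attempt may proceed, False if it is throttled."""
        self._prune(self.by_ip[ip], now)
        self._prune(self.by_account[account], now)
        return (len(self.by_ip[ip]) < MAX_FAILS_PER_IP
                and len(self.by_account[account]) < MAX_FAILS_PER_ACCOUNT)

    def record_failure(self, ip, account, now):
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)


def simulate_failures(throttle, ip, accounts, start=0.0, spacing=0.5):
    """Constructed attack run: one IP tries the given accounts in order,
    every attempt failing (leaked passwords that no longer work).
    Returns how many attempts the throttle let through to the password check."""
    accepted = 0
    for i, account in enumerate(accounts):
        now = start + i * spacing
        if throttle.check(ip, account, now):
            accepted += 1
            throttle.record_failure(ip, account, now)
    return accepted


if __name__ == "__main__":
    # Credential stuffing: 100 distinct accounts from one constructed IP.
    stuffing = [f"user{i}@example.com" for i in range(100)]
    print(simulate_failures(LoginThrottle(), "203.0.113.7", stuffing))
```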
Ring also doesn’t warn users when someone from a new device or IP address logs into their account, a basic security feature present on most online services. There’s also no way for Ring users to see a list of open sessions and activity logs.
Even before the leaked account credentials, Ring was struggling with privacy woes because of its policy of sharing user videos with law enforcement. Its recent security debacle has made things worse for the company, and now privacy experts and digital rights advocates are warning users not to buy Ring cameras if they value their privacy.
“It’s finally time for device manufacturers to do more to ensure the security of the devices they develop. Adopting a secure-by-design approach and building security into the design phase of device manufacturing is becoming increasingly essential not only for protecting user privacy and helping prevent such incidents from occurring in the future, but also for building user trust in the product. Device manufacturers can absolutely do better, and they need to finally start doing so,” ProPrivacy’s Tomascheck says.
Surely, implementing full security features does not come for free, and it’s tempting for companies to cut corners on security to slash costs and beat competitors to market. But perhaps Ring’s episode will serve as a warning and lesson for other companies that think they can overlook their customers’ security and privacy.