Seems unlikely? But you’ll be surprised to know how easy it is to hack into Amazon Ring services.
So, if you are thinking of installing Ring devices or gifting them to someone, maybe you need to read this piece.
Let’s start with a basic example. If you have a Gmail account and log in to it from a different system or a different IP address, you get a text message warning on your mobile device and emails telling you about the new access.
Ring does not do that. If I have your email ID and Ring password, I can get inside your camera system and watch you without you knowing about it. It doesn’t flag unknown IP addresses or unidentified systems, and most importantly, the user does not have any idea that they are being watched.
These devices not only share the live recording but also share the saved video footage, usernames and passwords, location of the system, etc.
If someone changes the password of your account, Ring does not ask whether it’s a legitimate swap or not. Ring never sends you a message to notify you about a login to the system, nor does it ask your permission for it.
So, if you have the Ring home security system, it is possible that somebody is looking at you right now, and you might not even know about it. These are very fundamental yet very important measures that not only Ring, but all security systems need to implement, but they choose not to.
Hackers are posting thousands of these Ring camera credentials on the dark web and forums frequented by cybercriminals.
According to reports, in some cases, hackers hack these internet-connected cameras just for fun. They hope that someone else will hack into the camera feed of that particular house and then prank people, hijack their account, or record users in their homes.
What do hackers do to hack into these accounts?
The criminals take breached access credentials from other, non-Ring platforms and reuse them to log in to Ring accounts. If the data matches, they post these credentials on hackers’ forums or the dark web.
This technique is called credential stuffing. That is, if the data matches a Ring account, it is posted on different networks to exploit the user or just for fun.
Have you ever used the same login credentials for different systems? If yes, then you might be the next victim of this whole scandal. Unfortunately, the majority of people use the same credentials across systems, which helps bad actors gain the credentials of different Ring accounts.
According to one of the lists published on hacker forums, information for around 100,000 Ring users, with all the credentials required to log in to the system, is available.
According to Ring, out of these 100,000 Ring accounts, only 4,000 were valid. But it still confirms that Ring users can be compromised.
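From the service side, both gaps described above can be checked in a login log: a successful login from an address the account has never used, and one source trying many accounts with mostly failed attempts, which is the pattern credential stuffing leaves behind. The sketch below is an added example, not Ring's code; the event format, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events (account, source IP, success); not real data.
EVENTS = [
    ("alice@example.com", "198.51.100.7", True),   # alice's usual address
    ("alice@example.com", "198.51.100.7", True),
    ("bob@example.com",   "192.0.2.44",   True),   # bob's usual address
    ("carol@example.com", "203.0.113.9",  False),  # one source, many accounts
    ("dave@example.com",  "203.0.113.9",  False),
    ("erin@example.com",  "203.0.113.9",  False),
    ("bob@example.com",   "203.0.113.9",  True),   # a reused password matched
]

def analyze(events, min_accounts=3, max_success_ratio=0.5):
    """Scan ordered login events; thresholds are illustrative assumptions."""
    known_ips = defaultdict(set)   # account -> IPs seen on earlier successful logins
    per_ip = defaultdict(lambda: {"accounts": set(), "ok": 0, "total": 0})
    new_ip_alerts = []
    for account, ip, success in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["total"] += 1
        if not success:
            continue
        stats["ok"] += 1
        # The first successful login sets the baseline; later ones from an
        # unseen address should trigger a notification to the account owner.
        if known_ips[account] and ip not in known_ips[account]:
            new_ip_alerts.append((account, ip))
        known_ips[account].add(ip)
    # Credential stuffing signature: one source tries many accounts, mostly failing.
    stuffing_ips = sorted(
        ip for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts
        and s["ok"] / s["total"] <= max_success_ratio
    )
    # Accounts that authenticated from a flagged source need a forced reset.
    at_risk = sorted({a for a, ip, ok in events if ok and ip in stuffing_ips})
    return {"stuffing_ips": stuffing_ips, "new_ip_alerts": new_ip_alerts,
            "at_risk": at_risk}

if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

On the sample data, the single successful login from the flagged source is the one account whose owner should be notified and forced through a password reset.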
The recent Ring data breach
Ashley LeMay and Dylan Blakeley had the Ring system installed in the room of their three daughters to keep an eye on them. Little did they know that it would truly be one extra set of eyes.
Around four days after the installation of the system, the speaker started playing the song “Tiptoe Through the Tulips” in their daughter’s empty bedroom.
When the couple’s 8-year-old daughter checked the system and turned the lights on, a man started speaking to her through the speaker, calling her racial slurs and saying he was Santa Claus.
The 8-year-old screamed for her mother. According to the family, their Ring security camera was hacked. This was one of several incidents that occurred due to a data breach involving the same security system, which is a part of Amazon.
There were around three similar cases reported last month in Connecticut, Georgia, and Florida, respectively.
According to Ms LeMay, this incident has terrified her family, especially her daughter, who refused to sleep in her room after the incident. “She spent the night at her friend’s house because she didn’t want to be here,” she added.
According to Ms LeMay, she and her husband disconnected the camera immediately and reported the incident to Ring as well as the police in Southaven, Mississippi.
She was then contacted by the FBI as well as Ring’s chief operating officer Jon Irwin. But according to her, the company was trying to deflect responsibility for the breach onto the customer.
A Ring spokesperson then confirmed that the company took the security of their devices seriously and gave a statement regarding the hackers gaining access to a user’s credentials.
“Our security team has investigated this incident and we have no evidence of an unauthorized intrusion or compromise of Ring’s system or network,” the statement said. “Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials from a separate, external, non-Ring service and used them to log into some Ring accounts,” the statement further specified.
What can we do to ensure the security of our devices?
Ring users can monitor their houses by using these cameras and can also communicate two ways with the people inside the house. It’s important that the system is secure; otherwise, it can give bad actors complete access to your house.
As a takeaway for both consumer users and enterprises, Sudhakar Ramakrishna, CEO at Pulse Secure, noted that, “IoT devices have improved their built-in security measures, but activating them requires some extra effort on the part of the buyer. A number of reported compromised Ring devices, for example, were still set to the default passwords that come with the device. Other consumers relied on using the same password for their Ring device as their Wifi network – the digital equivalent to leaving your front door unlocked and valuables lying in plain sight.”
These security breaches can be avoided by doing a few simple things. Use a unique username and password for your Ring account. Don’t reuse any password or username you are already using to access any other system. And you may want to enable the two-factor authentication option.
“And just like updating their smartphone, keep IoT devices up-to-date with new firmware and software releases,” adds Ramakrishna.
This issue is even more crucial for enterprises. Ramakrishna recommends that, “Any device that connects to the corporate network should be identified and segregated until verified as sanctioned.”