Hand holding Amazon's Ring video doorbell showing ransomware gang data breach

Ransomware Gang Threatens Amazon’s Ring With Data Leak

A ransomware gang is threatening the largest system of doorbell cameras in the US, claiming that it has some amount of stolen data. The group claims to have broken into Amazon’s Ring system, though Amazon has yet to confirm the incident and details are mostly coming from anonymous sources speaking to the media.

This would not be the first time Amazon’s Ring cameras have been breached, though prior incidents focused on systemic weaknesses to compromise cameras at individual residences and businesses rather than the central network. Thus far Amazon will only say that a third party vendor was hit with BlackCat ransomware; there is no indication as to exactly what (if any) data was stolen.

Possible breach of Amazon’s Ring may have stemmed from vendor compromise

The ransomware gang ALPHV has claimed to have breached Amazon’s Ring on the underground site it uses to extort victims, though it has yet to provide any evidence. The group has thus far done nothing more than post a simple message alluding to leaking company data.

Known for using the BlackCat ransomware, ALPHV became prominent in 2021 and is thought to have incorporated former members of REvil after that group scattered under law enforcement pressure. An FBI warning about the group published in April 2022 indicated it had racked up at least 60 victims at that point, and has since added some prominent businesses such as Bandai Namco, NextGen Healthcare and PharmaCare Services. The Russian ransomware gang has also demonstrated that there is apparently no low point it will not sink to, publishing intimate pictures of breast cancer patients as a pressure tactic after breaching the Lehigh Valley Health Network of Pennsylvania.

Amazon would only confirm that an unnamed third party vendor was breached, and said that this vendor does not have access to customer records. Reporters with Vice claim to have seen an internal Slack channel at Amazon’s Ring that indicates the company has issued instructions to not speak to the media about the incident and that security teams are engaged.

Jordan Schroeder, Managing CISO at Barrier Networks, elaborates on the potential risks at this point: “This is a highly worrying incident that puts critical consumer data at risk. It is not yet known what data, or if any data, was obtained by the attackers but given the type of information Ring will have access to, it could range from PII, financial information, to even data relating to the physical locations of people and how they control their home security. Furthermore, with Ring being owned by Amazon, it is unlikely the company will give into payment demands.”

Lior Mazor, Global Head of Information & Security at Perimeter 81, provides some insight into possible breach causes: “Previous reports mentioned there may have been a misconfiguration, which inherently weakens the device’s security. There are a few ways this breach could have been executed. The Ring device is a poorly configured IoT device and it is possible the attackers may have discovered a Back Door or a Zero Day vulnerability in the device itself. It is also possible that the traffic of these device-cloud communications may have been unencrypted or encrypted with a weak key, or that a vulnerability in the cloud itself may have been exploited. To best avoid these situations, all devices should meet the highest security standards, such as Soc2 certification, ISO/IEC 2700, etc. Make sure the security protocol is encrypted and secure by using a strong password and two-step verification. Working with a third-party cloud provider can mean not knowing where their data is stored, but you can still check to see if this cloud meets the highest levels of security regulation.”

Major questions swirl as ransomware gang makes vague claims about breach

With 10 million people in the US alone using Amazon’s Ring doorbells and video cameras in their homes, there is a natural wave of concern about what the ransomware gang might be sitting on. Amazon said that “customer data” was not taken, but if that is the case, what was?

Much could be answered by learning the identity of the vendor that the ransomware gang breached, but there are no clues as of yet. While Amazon may feel it is in their best interests to clam up about the incident, at least until an internal investigation uncovers more solid information, any refusal to communicate immediately calls to mind the recent LastPass situation. Customers of the password sharing service were first told that sensitive data had not been stolen, only to have that revised months later to finding out that their password vaults had indeed been taken and that hackers might have been running brute force attacks against them the entire time they had been in the dark.

If personal data is in fact safe, customers may not have much to worry about from this breach. Amazon’s Ring products offer end-to-end encryption, though it must be enabled as an option. That would at least secure any sensitive video; it might be that the ransomware gang is only sitting on less interesting corporate data, which could explain why it is threatening a leak yet playing extremely coy with what it actually has. The ransomware gang may want to create the public perception that it stole customer video when it actually has none to offer.

There was a major breach of Amazon’s Ring system in the recent past, but it focused on taking over cameras at individual locations instead of attacking the corporate network. In 2019, a number of hackers gathered on a private Discord channel to share credentials that they had found for Ring cameras in homes throughout the country. Most of these credentials appeared to be gathered from prior data breaches at other companies. Before the Ring ring was broken up, the hackers got so bold as to create a regular podcast in which they did live takeovers of cameras located in homes and businesses.

Amazon’s Ring security and privacy issues have thus far been focused more on its relationship with law enforcement departments throughout the country, and the level of access it grants to the footage taken by private citizens on their private property. Much of the controversy has been centered on the Neighbors app, which allows Ring owners to share footage with people who live near them for the purposes of tracking suspicious activity. Police departments have pushed for Neighbors access, and have thus far convinced Amazon to allow them to maintain a presence on these apps and ask users to give them access to private footage.

The #ransomware gang ALPHV has claimed to have breached Amazon's Ring on the underground site it uses to extort victims, though it has yet to provide any evidence. #databreach #cybersecurity #respectdataClick to Tweet

Another controversy of this nature recently erupted when an Ohio man was served a warrant for footage from his home Ring cameras, including one inside his home, as part of an investigation of suspected drug traffic at a neighbor’s house. After the homeowner rejected the request, the police served Amazon directly with a warrant for the footage, which it complied with.