In the world of IoT home cameras, Ring cameras by Amazon are most popular. There can be many benefits of using the cameras for monitoring or as a security device, but it’s been a bad few weeks for the Ring camera. We now have reports of a hacker taunting a child in Mississippi, in another report someone hurled racist insults at a Florida family. A Tennessee family reported that a man hacked their camera to talk to an 8-year-old girl in her bedroom. Yesterday, a Ring camera was hacked to make inappropriate comments toward a California woman.
Are these really hacks, or simply user errors? Ring seems to have put much of the blame for these hacks on its users. A Ring spokesperson said that the California incident was not a result of Ring’s network or systems being compromised. A Ring spokesperson also said that the incident in Tennessee was isolated and that it wasn’t because of a security breach. But there have been two claims of exposed Ring data. The first, reported by Buzzfeed, claimed 3,672 Amazon Ring cameras were compromised potentially exposing the login credentials of users; security experts noted the data was most likely taken from another company’s database. Tech Crunch reported that about 1,500 Ring customers’ passwords were also compromised in a separate leak and the passwords and email addresses were uploaded to a dark web site DeepPaste.
Motherboard found “hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring
Zerocleare abuse on their own so-called podcast dubbed ‘NulledCast.’ " Users are not without blame here. As motherboard pointed out, reused passwords can lead to compromise and may have been the case in several incidents. Ring however is not without blame either. Last month a flaw was identified in Ring Video Doorbell Pro cameras' software that made it possible for wireless eavesdroppers to grab the WiFi credentials of customers during the device's setup. Ring does not currently offer some basic security precautions, such as double-checking whether someone logging in from an unknown IP address different from the legitimate user, or providing identification of how many users are currently logged in. Ring doesn't appear to check a user's chosen password against known compromised user credentials nor does Ring appear to provide users a list of previous login attempts.
What can one do? Ring does offer twofactor authentication, and although not required, it should be implemented. As always don’t reuse passwords, go change it now if you did reuse one. Even if someone is actively watching though one of your devices, Ring will log everyone out after the password change. Look at the blue light, we know it’s not a guarantee if the camera is on but it’s an indication. And finally, you can always cover or unplug a camera if you want your privacy assured, otherwise smile – you might be on camera.