There has been a lot of concerning news about how Amazon’s Ring smart doorbells are bringing surveillance to suburbia and sparking data-sharing relationships between law enforcement and Amazon. News reports this week raise a different issue: hackers are breaking into users’ Ring accounts, which can also be linked to indoor Ring cameras, to take control of the devices and get up to all sorts of invasive mischief.
A Tennessee news channel reported on Tuesday on an incident in Mississippi in which hackers took over an indoor Ring camera one family had placed in a bedroom and used it to chat with three young girls. And as Motherboard first revealed, there are tools available online for breaking into Ring accounts by methodically guessing login credentials. When account hackers record sufficiently juicy audio from people’s Ring feeds, there’s even a podcast where they can air it.
Although it sounds dreadful, the situation with Ring is far from exceptional. At the start of the year, for instance, hackers launched similar attacks against Nest cameras, resulting in incidents where hackers were talking to children via the devices. The makers behind these devices, Google and Amazon respectively, are both billion-dollar tech giants with enormous development resources. The fact that their cameras regularly feature in these types of cases reflects a broader industry failure to make reliable internet-of-things devices that are easy for consumers to set up securely and privately.
“We have techniques of preventing attacks like this,” says Ang Cui, founder of the IoT analysis and security firm Red Balloon. “We’ve been thinking about securely letting people access computers distantly for decades. So if we claim on making our doorbells a computer that connects to the internet, then we have to put the same standard of maintenance into securing those computers.”
Turn It On
Fundamental security measures like good password hygiene and enabling two-factor authentication are sufficient to stop most attacks. For now, it’s the user who ultimately has to take those steps. But it’s also true that the companies creating and selling these devices could do much more to educate people about these measures and help them adopt them.
“IoT vendors highlight, often rightly, that their products advance the quality of life, but they often overlook to reveal the risk of these devices to consumers,” says Jake Williams, founder of the security firm Rendition Infosec. “The responsibility of understanding how an IoT device might influence security should not be entirely on the consumer. The seller shares this duty.”
When it comes to something like a Ring camera or doorbell, the devices can be genuinely useful, but they also produce sensitive data that would be valuable to many parties, from criminals to law enforcement or even nation-state hackers, which makes security that much more significant. And while Ring provides instructions for enabling two-factor authentication, Amazon doesn’t require it or turn it on by default. If you’re a Ring user, you certainly should turn it on.
To enable two-factor authentication on your account:
- Open the Ring app.
- Tap the three-lined icon in the upper-left corner of the screen.
- Open Account > Enhance Security > Two-factor Authorization > Turn on Two-factor.
- Type your password and the mobile number where you’ll receive the SMS messages with one-time login codes.
- Enter the first test code and press Continue.

Keep in mind that you need to add two-factor separately to every “Shared” and “Guest User” account that branches off a main account.
Not One IoTa
A Ring spokesperson said in a statement, “Our security team has inspected this incident and we have no proof of an unauthorized invasion or compromise of Ring’s systems or network. … After learning of the incident, we took suitable actions to quickly block bad actors from known affected Ring accounts and involved users have been contacted. Consumers should always follow good password hygiene and we encourage Ring customers to change their passwords and enable two-factor authentication.”
Like almost all connected-device manufacturers, however, Amazon seems hesitant to heavily promote enhanced account protections like two-factor authentication that might introduce friction or make devices even slightly more difficult to use. On one informational page about account safety, Amazon writes:
“Won’t two-factor authentication make it troublesome to access my devices or account? Two-factor authentication will add a step to gain access to devices. The added step is worth it, however, for the added security it carries.”
For years, critics have pointed to negligent security and a lack of forethought in how IoT devices are designed, as attackers have escalated mass-scale abuse of embedded devices. Developers have started to take IoT security more seriously in response, but researchers say that it’s discouraging to see even the most prominent players still making simple errors. Ring cameras have had their share of security weaknesses, and just this week, Amazon issued fixes for a slew of vulnerabilities in its Blink home cameras that could have allowed device takeovers. Combined with a continuing lack of emphasis at white-label companies and startups, industry progress overall is still slow.
“We’ve worked with several sellers that claim they can’t both apply security and be lucrative at early stages,” Williams says. “In many instances, the vendors themselves haven’t done the risk modeling.”
By not thinking about the risks, vendors leave consumers exposed to them. In theory, IoT security could be much more robust and nuanced, but researchers point out that it’s hard to go deeper until the most basic IoT security issues are resolved.
Amazon has sold more than 100 million Americans on the benefits of paying for Prime accounts. It’s the right time to use that power of persuasion to promote basic security protections.