Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis

There's been a lot of creepy and concerning news about how Amazon's Ring smart doorbells are bringing surveillance to suburbia and sparking data-sharing relationships between Amazon and law enforcement. News reports this week are raising a different issue: hackers are breaking into users' Ring accounts, which can also be connected to indoor Ring cameras, to take over the devices and get up to all sorts of invasive shenanigans.

In Tennessee, a local news channel reported on Tuesday about a case where hackers hijacked an indoor Ring camera one family had placed in a bedroom and used it to talk to three young girls. And as Motherboard first showed, there are tools available online for breaking into Ring accounts by strategically guessing the login credentials. When account thieves record enough juicy audio from people's Ring feeds, there's even a podcast where they can broadcast it.

Though it sounds shocking, the situation with Ring is far from unique. At the beginning of the year, for example, hackers launched similar attacks against Nest cams, complete with incidents where hackers were creepily talking to children through the devices. The manufacturers behind these devices—Amazon and Google, respectively—are both billion-dollar tech giants with massive development resources. The fact that their cameras regularly feature in these kinds of cases reflect a broader industry failure to produce trustworthy IoT devices that are easy for consumers to set up in a secure and private way.

"We have ways of preventing attacks like this," says Ang Cui, founder of the IoT analysis and security firm Red Balloon. "We've been thinking about securely allowing people to access computers remotely for decades. So if we insist on making our doorbells a computer that connects to the internet, then we have to put the same level of care into securing those computers."

Turn It On

Basic security measures like good password hygiene and enabling two-factor authentication are enough to stop most attacks. Right now it’s the user who ultimately has to take those steps. But it’s also true that the companies making and selling these devices could do much more to educate people about these methods and encourage them to do it.

"IoT vendors emphasize, often rightly, that their products improve quality of life, but they often neglect to disclose the risk of these devices to consumers," says Jake Williams, founder of the security firm Rendition Infosec. "The onus of understanding how an IoT device might impact security should not be purely on the consumer. The vendor shares this responsibility."

When it comes to something like a Ring doorbell or camera, the devices can be genuinely useful, but they also generate sensitive data that would be valuable to many parties—from law enforcement to criminals or even nation state hackers. Which makes security that much more important. And while Ring does provide instructions for enabling two-factor authentication, Amazon doesn't require it or turn it on by default. If you're a Ring user, you definitely should if you haven't already.

To enable two-factor authentication on your account, open the Ring app, tap the three-lined icon in the upper left corner of the screen and go to Account > Enhance Security > Two-factor Authorization > Turn on Two-factor. Then enter your password and the mobile number where you'll receive the SMS messages with one-time login codes. Then enter the first test code and hit Continue. Keep in mind that you need to add two-factor individually to every "Shared" and "Guest User" account that branches off a main account.

Not One IoTa

Amazon did not return a request for comment from WIRED about the rash of recent Ring account comprises. It said in a statement to other outlets that, "While we are still investigating this issue and are taking appropriate steps to protect our devices based on our investigation, we are able to confirm this incident is in no way related to a breach or compromise of Ring’s security."

Comments are closed.