Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis
By Lily Hay Newman | Thu, 12 Dec 2019 21:21:40 +0000
A new wave of reports about the home surveillance cameras getting hijacked by creeps is painfully familiar.
There's been a lot of creepy and concerning news about how Amazon's Ring smart doorbells are bringing surveillance to suburbia and sparking data-sharing relationships between Amazon and law enforcement. News reports this week are raising a different issue: hackers are breaking into users' Ring accounts, which can also be connected to indoor Ring cameras, to take over the devices and get up to all sorts of invasive shenanigans.
A Tennessee news channel reported on Tuesday on a case in Mississippi where hackers hijacked an indoor Ring camera one family had placed in a bedroom and used it to talk to three young girls. And as Motherboard first showed, there are tools available online for breaking into Ring accounts by strategically guessing the login credentials. When account thieves record enough juicy audio from people's Ring feeds, there's even a podcast where they can broadcast it.
Though it sounds shocking, the situation with Ring is far from unique. At the beginning of the year, for example, hackers launched similar attacks against Nest cameras, complete with incidents where hackers were creepily talking to children through the devices. The manufacturers behind these devices—Amazon and Google, respectively—are both billion-dollar tech giants with massive development resources. The fact that their cameras regularly feature in these kinds of cases reflects a broader industry failure to produce trustworthy internet-of-things devices that are easy for consumers to set up in a secure and private way.
"We have ways of preventing attacks like this," says Ang Cui, founder of the IoT analysis and security firm Red Balloon. "We've been thinking about securely allowing people to access computers remotely for decades. So if we insist on making our doorbells a computer that connects to the internet, then we have to put the same level of care into securing those computers."
Basic security measures like good password hygiene and enabling two-factor authentication are enough to stop most attacks. Right now it’s the user who ultimately has to take those steps. But it’s also true that the companies making and selling these devices could do much more to educate people about these methods and encourage them to do it.
"IoT vendors emphasize, often rightly, that their products improve quality of life, but they often neglect to disclose the risk of these devices to consumers," says Jake Williams, founder of the security firm Rendition Infosec. "The onus of understanding how an IoT device might impact security should not be purely on the consumer. The vendor shares this responsibility."
When it comes to something like a Ring doorbell or camera, the devices can be genuinely useful, but they also generate sensitive data that would be valuable to many parties, from law enforcement to criminals or even nation-state hackers, which makes security that much more important. And while Ring provides instructions for enabling two-factor authentication, Amazon doesn't require it or turn it on by default. If you're a Ring user, you definitely should turn it on.
To enable two-factor authentication on your account, open the Ring app, tap the three-lined icon in the upper-left corner of the screen, and go to Account > Enhance Security > Two-factor Authorization > Turn on Two-factor. Then enter your password and the mobile number where you'll receive the SMS messages with one-time login codes. Then enter the first test code and hit Continue. Keep in mind that you need to add two-factor individually to every "Shared" and "Guest User" account that branches off a main account.
A Ring Spokesperson told WIRED in a statement that, “Our security team has investigated this incident and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network. … Upon learning of the incident, we took appropriate actions to promptly block bad actors from known affected Ring accounts and affected users have been contacted. Consumers should always practice good password hygiene and we encourage Ring customers to change their passwords and enable two-factor authentication.”
Like almost all connected-device manufacturers, though, Amazon seems to have reservations about heavily promoting enhanced account protections like two-factor authentication that might create friction or make devices slightly harder to use in any way. In one informational page about account security, Amazon writes, "Won't two-factor authentication make it inconvenient to access my devices or account? Two-factor authentication will add an extra step to accessing devices. The extra step is worth it, however, for the added security it brings."
For years, critics have pointed out lax security and thoughtlessness in how IoT devices are designed, as attackers have ramped up mass-scale exploitation of embedded devices. Developers have begun to take IoT security more seriously in response, but researchers say that it's disheartening to see even the biggest players still making basic mistakes. Ring cameras have had their share of security vulnerabilities, and just this week Amazon issued fixes for a slew of vulnerabilities in its Blink home cameras that could have allowed device hijacks. Combined with an ongoing lack of emphasis on security at white-label companies and startups, this means industry progress overall is still slow.
"We've worked with several vendors that claim they can't both implement security and be profitable at early stages," Williams says. "In many cases the vendors themselves haven't done the threat modeling."
By not thinking through the risks, vendors leave consumers exposed to them. In theory, IoT security could be much more nuanced and robust, but researchers point out that it's hard to go deeper until the most basic IoT security issues are resolved.
Amazon has sold more than 100 million Americans on the benefits of paying for Prime accounts. It’s time to use that power of persuasion to promote basic security protections.
Updated December 12, 2019 10:15pm ET with comment from Ring and to clarify that the family whose Ring account was compromised lives in Mississippi.