Ring Mandates 2FA After Rash of Hacks


Ring outlined new security and data privacy measures on Tuesday, following backlash against the connected doorbell over the past year.

Connected doorbell-maker Ring is now requiring two-factor authentication (2FA) for all users when they sign into their accounts. The new requirement comes after Ring faced a backlash in December following a rash of disturbing hacks and security issues tied to the smart doorbell.

While Amazon-owned Ring offered 2FA as an option to customers before, the second layer of verification will now be mandatory for all users. That means that when users log into an account, they’ll receive a one-time, six-digit code (via email or phone) to verify the login attempt, which they will need to enter before gaining access to their Ring accounts.

“This added authentication helps prevent unauthorized users from gaining access to your Ring account, even if they have your username and password,” said Leila Rouhi with Ring, in a note to customers posted Tuesday.

The new measures come on the heels of a Motherboard investigation in December that discovered serious security holes in Ring doorbells. As part of the security testing, Motherboard logged into a Ring account (both on the app and the website) with its corresponding email and password from various IP addresses worldwide. While Ring offered 2FA as an option at the time, Motherboard found in multiple tests that people who were already logged into the app didn’t need to log back in after 2FA was already enabled (though Ring did log users out after password changes).

The report also found that no alert was triggered notifying the Ring owner about the suspicious login attempts – even with simultaneous logins occurring. And, Ring did not appear to limit the number of incorrect attempts that a user can make when logging into the app, according to Motherboard.
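The three gaps Motherboard reported (sessions that survive 2FA being enabled, no login alerts, unlimited incorrect attempts) each map to a server-side control. The sketch below is an added example, not Ring's code; the `Account` class, the thresholds and the in-memory storage are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, time

MAX_FAILURES = 5        # assumed threshold, not a value from Ring
WINDOW_SECONDS = 900    # assumed sliding window for counting failures

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.two_factor = False
        self.sessions = {}          # session id -> device id
        self.known_devices = set()
        self.failures = []          # timestamps of recent failed attempts
        self.alerts = []            # messages that would be e-mailed to the owner

    def login(self, password, device_id, code_ok=None, now=None):
        """code_ok: None = no code supplied, True/False = result of checking it."""
        now = time.time() if now is None else now
        # Attempt limiting: refuse while too many recent failures are on record.
        self.failures = [t for t in self.failures if now - t < WINDOW_SECONDS]
        if len(self.failures) >= MAX_FAILURES:
            return "locked"
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failures.append(now)
            return "denied"
        if self.two_factor:
            if code_ok is None:
                return "code_required"
            if not code_ok:
                self.failures.append(now)   # wrong codes are throttled too
                return "denied"
        # Login alert: notify the owner when the device has not been seen before.
        if device_id not in self.known_devices:
            self.known_devices.add(device_id)
            self.alerts.append(f"New login to your account from {device_id}")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = device_id
        return sid

    def enable_two_factor(self, current_sid):
        # Session revocation: every session except the caller's must log in again.
        self.two_factor = True
        self.sessions = {s: d for s, d in self.sessions.items() if s == current_sid}

    def is_active(self, sid):
        return sid in self.sessions
```

A hard per-account lockout like this one lets anyone who knows the username lock the owner out, so production systems usually combine it with per-source throttling or increasing delays.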

The investigation came as Ring devices were hit by a disturbing slew of attacks over the past few months, leading to a cry for increased security measures by the internet of things (IoT) company. Earlier in December, a man hacked into a Mississippi family’s Ring device and talked to an 8-year-old girl. Just days earlier, a man started harassing a Florida family with racial slurs through their Ring devices. Also in December, a Texas woman was awoken by hackers who had hijacked her Ring device and told her to pay them a 50 Bitcoin ransom or she would “get terminated.” Hackers even reportedly created their own podcast, NulledCast, where they take over people’s Ring devices and harass the unsuspecting device users.

On Tuesday, Ring said that in addition to mandatory 2FA, it has also addressed issues pinpointed by Motherboard’s investigation by alerting users when someone logs into their accounts.

“Last December, we launched login notifications for Ring accounts, which alert you by email anytime someone successfully logs into your account from a new device or browser,” said Rouhi. “We will continue to send these login notifications so you can take immediate steps to protect your account if you were not the one who logged in.”

Ring also outlined new tools to prevent data abuse, which come on the heels of a November demand by several U.S. Senators that Amazon disclose how it’s securing Ring home-security device footage – and who is allowed to access that footage. And, in January, Ring was caught by the Electronic Frontier Foundation sharing user data with Facebook and marketers, without notifying users.

Ring said it has now temporarily paused the use of most third-party analytics services in the Ring apps, while working on giving users more ways to opt out of these services in the Control Center. Ring said it will provide users with additional options to limit sharing information with third-party service providers in early spring. And, users can now opt out of having their information shared with third parties for the purpose of personalized ads.

“If you opt out, Ring will not share the information required to serve you personalized ads, though you may still see non-personalized Ring ads from time to time,” said Rouhi. “Although we believe personalized advertising can deliver a better customer experience, beginning this week we will provide you with a choice to opt out in Control Center.”

Other smart home devices are taking similar security measures. Just last week, Google made a similar announcement requiring 2FA for accounts tied to its Nest devices, including smart doorbells, smoke detectors, cameras and more. Like Ring, Google Nest offered 2FA before as an option – but starting in the spring, Google said it will require all Nest users to take the extra security step by verifying their identity via email.
