Serious security holes in the Ring smart doorbell have been uncovered, according to a new investigation. For instance, Ring owners aren’t notified with suspicious-login alerts when their accounts are accessed from different IP addresses, and there is seemingly no limit on the number of incorrect login attempts.
The new findings, based on Motherboard’s security tests on the Amazon-owned connected doorbell, come on the heels of several privacy and security incidents relating to Ring this past year. That includes several disturbing stories that emerged over the past week of hackers hijacking Ring devices and talking to strangers through them.
In response to the recent hacks and the security tests, Ring said that many customers were reusing credentials for their accounts from other services, allowing bad actors to gain access.
“Customer trust is important to us and we take the security of our devices seriously,” a Ring spokesperson told Threatpost. “Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network. Recently, we were made aware of incidents where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts. Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts.”
Ring Security Holes
As part of their security testing, Motherboard logged into a Ring account (both on the app and the website) with its corresponding email and password from various IP addresses worldwide. No alert was triggered notifying the Ring owner about the suspicious login attempts – even with simultaneous logins occurring.
Motherboard also said that once logged into the test account’s Ring app, testers were able to access an array of information, including camera footage, details of the Wi-Fi network the device is connected to, and the owner’s home address (which Ring requires users to input).
This is troubling because, as the spokesperson pointed out, email addresses and passwords for Ring can be easily obtained by hackers on underground forums, or at least guessed from other credentials used by the Ring user that could be found on the Dark Web.
“It’s a relatively trivial task for hackers to gain large sets of breached usernames and passwords and test them out on a vast number of online services in the hope that people have reused the same password in multiple places,” Matt Walmsley, EMEA director at Vectra, said in an email to Threatpost.
Ring also did not appear to limit the number of incorrect login attempts a user can make on its app, according to Motherboard. While Ring does offer two-factor authentication (2FA), Motherboard found in multiple tests that sessions already logged into the app were not logged out and made to re-authenticate after 2FA was enabled, so an attacker who had already logged in kept their access (though Ring did log users out after password changes).
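The three server-side controls discussed above (an alert when an account is used from an unrecognized IP address, a lockout after repeated failed logins, and revoking existing sessions when 2FA is turned on or the password changes) are easy to model. The following is an added example written for this article; it is not Ring’s code and does not reflect any real Ring API. The account model, the lockout threshold, the sample email addresses and IP addresses are all assumptions for illustration.

```python
"""Toy login service showing the controls the Motherboard tests found missing:
new-IP login alerts, failed-attempt lockout, and session revocation on 2FA
enablement and password change. Added example; not Ring code, no real Ring API.
All names, thresholds and sample events below are constructed for illustration."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold


@dataclass
class Account:
    email: str
    password_hash: bytes
    salt: bytes
    known_ips: set = field(default_factory=set)   # IPs the owner has used before
    failed_attempts: int = 0
    locked: bool = False
    twofa_enabled: bool = False
    sessions: dict = field(default_factory=dict)  # session token -> source IP


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self):
        self.accounts = {}
        self.alerts = []  # (email, message) notifications the owner would receive

    def register(self, email, password, ip):
        salt = secrets.token_bytes(16)
        acct = Account(email, hash_password(password, salt), salt)
        acct.known_ips.add(ip)  # the signup address is trusted by default
        self.accounts[email] = acct
        return acct

    def login(self, email, password, ip):
        """Return a session token on success, None on failure or lockout."""
        acct = self.accounts.get(email)
        if acct is None or acct.locked:
            return None  # same response as a wrong password: no account enumeration
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self.alerts.append((email, f"locked after {MAX_FAILED_ATTEMPTS} failed logins"))
            return None
        acct.failed_attempts = 0
        if ip not in acct.known_ips:
            # the control the article says was absent: tell the owner about a new IP
            self.alerts.append((email, f"new login from unrecognized IP {ip}"))
            acct.known_ips.add(ip)
        token = secrets.token_urlsafe(32)
        acct.sessions[token] = ip
        return token

    def enable_2fa(self, email, current_token):
        acct = self.accounts[email]
        acct.twofa_enabled = True
        # Keep only the session that turned 2FA on; anyone else already logged in
        # (e.g. with reused credentials) must re-authenticate with the second factor.
        acct.sessions = {current_token: acct.sessions[current_token]}

    def change_password(self, email, new_password):
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        acct.sessions.clear()  # every session, attacker's included, is revoked

    def is_session_valid(self, email, token):
        return token in self.accounts[email].sessions


def demo():
    """Replay the article's scenario with constructed sample events."""
    svc = LoginService()
    svc.register("owner@example.com", "correct horse battery staple", "198.51.100.7")
    owner = svc.login("owner@example.com", "correct horse battery staple", "198.51.100.7")
    # Attacker reuses the owner's leaked password from an unfamiliar address.
    attacker = svc.login("owner@example.com", "correct horse battery staple", "203.0.113.9")
    # Attacker brute-forces a second account; the fifth failure locks it.
    svc.register("victim@example.com", "hunter2", "192.0.2.1")
    for guess in ["123456", "password", "qwerty", "letmein", "admin", "welcome"]:
        svc.login("victim@example.com", guess, "203.0.113.9")
    # Owner enables 2FA from their own session; the attacker's session is dropped.
    svc.enable_2fa("owner@example.com", owner)
    return {
        "new_ip_alert": any("203.0.113.9" in msg for _, msg in svc.alerts),
        "victim_locked": svc.accounts["victim@example.com"].locked,
        "attacker_session_valid_after_2fa": svc.is_session_valid("owner@example.com", attacker),
        "owner_session_valid_after_2fa": svc.is_session_valid("owner@example.com", owner),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the 2FA handling is the one the tests exposed: turning on a second factor only helps if sessions established before that moment are forced back through it, otherwise an attacker who logged in with a reused password simply keeps the session they already have.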
Device Hijacks
These security findings are coming to the forefront just as a slew of attacks against Ring devices have been launched, including in just the past week.
Earlier in December, a man hacked into a Mississippi family’s Ring device and talked to an 8-year-old girl. Just days earlier, a man started harassing a Florida family with racial slurs through their Ring devices. And last week, a Texas woman was awoken by hackers who had hijacked her Ring device and told her to pay them a 50 Bitcoin ransom or she would “get terminated.”
Hackers have even created their own podcast, NulledCast, where they take over people’s Ring devices and harass the unsuspecting device users.
The Ring spokesperson told Threatpost that upon learning of these incidents, Ring “took appropriate actions to promptly block bad actors from known affected Ring accounts and affected users have been contacted.”
Ring said that users can protect themselves by enabling 2FA, using strong passwords, updating passwords regularly and not sharing login information with others.
“Consumers should always practice good password hygiene and we encourage Ring customers to change their passwords and enable two-factor authentication,” the spokesperson said.
Joseph Carson, chief security scientist at Thycotic, agreed that these are the best security practices for Ring users, telling Threatpost that users should choose a strong, unique password such as a passphrase and use a password manager to help ensure all accounts have unique passwords.
“There are no surprises here and when you don’t prioritize cybersecurity for your home, then you are going to be letting any script kiddie or simply anyone with basic computer skills have the ability to get into your home abusing your internet-connected devices,” Carson said.
Ring’s Bad Year
2019 saw an explosion of privacy issues and scandals for Ring. Researchers found a slew of vulnerabilities in the IoT device, including one that allowed attackers to spy on families’ video and audio footage and another that left Wi-Fi network passwords exposed.
Ring’s privacy policies also brought the device under fire: Ring has acknowledged that it’s partnering with more than 600 police departments across the country to allow them to request access to camera footage from camera owners, drawing concern from privacy and consumer advocacy groups. In November, several U.S. Senators demanded that Amazon disclose how it’s securing Ring home-security device footage – and who is allowed to access that footage.
“Maintaining password integrity seems to be a significant factor in these disturbing breaches,” said Vectra’s Walmsley. “A compromised Ring account would allow the hacker to remotely use Ring’s built-in two-way chat feature and access all Ring devices associated to that account. We should all be using unique, complex passwords, or ideally passphrases, on our accounts, and where available, multi-factor authentication.”