Why Ring Security Cameras Are So Easy to Hack

Ring surveillance cameras are intended for security, but a spike in recent hack attacks shows the devices can also be exploited to terrorize users in their homes.

In recent weeks, products sold by the Amazon-owned company have been the focus of several viral stories. In Florida, a system was tampered with to blare an alarm and spew racial slurs to a family in their living room. In Mississippi, a hacker taunted an 8-year-old child.

Now, Ring is urging customers to enable security features and change passwords "out of an abundance of caution."

How these hacks were possible

Last week, as local media reports of a hacking surge started to spread, it emerged that a type of automated password-cracking software that could be used to break into Ring user accounts was being offered on one crime forum for just $6, Motherboard reported.

A source claiming to have knowledge of Ring hacks told Newsweek accounts were accessed by a "very basic attack" known as credential stuffing, a brute force method that tries to access an account using a list of compromised login details.

"The amount of accounts that are exposed [is] insane," the person said via email. "The purpose of Ring is to have security but they leave all their users exposed."

Ring users who reuse credentials across multiple online services, or who don't enable two-step authentication or set a unique password on their account, are at greater risk of being hacked.
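From the defender's side, credential stuffing leaves a recognizable trace in login logs: one source tries many different accounts in a short time, and most attempts fail. The following is an added example, not code from Ring or from the article; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-12-10T03:00:01 203.0.113.7 user1@example.com FAIL
2019-12-10T03:00:02 203.0.113.7 user2@example.com FAIL
2019-12-10T03:00:04 203.0.113.7 user3@example.com OK
2019-12-10T03:00:05 203.0.113.7 user4@example.com FAIL
2019-12-10T03:00:07 203.0.113.7 user5@example.com FAIL
2019-12-10T03:00:09 203.0.113.7 user6@example.com FAIL
2019-12-10T08:15:00 198.51.100.20 bob@example.com FAIL
2019-12-10T08:15:20 198.51.100.20 bob@example.com FAIL
2019-12-10T08:15:45 198.51.100.20 bob@example.com OK
2019-12-10T18:30:00 192.0.2.55 carol@example.com OK
2019-12-10T18:31:00 192.0.2.55 dave@example.com OK
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_DISTINCT_USERS = 5          # assumed: accounts tried from one IP
MAX_SUCCESS_RATIO = 0.3         # assumed: stuffing mostly fails

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(log):
    """Return {ip: accounts it logged into} for IPs matching the pattern."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {e[2] for e in window}
            ok_ratio = sum(e[3] for e in window) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ok_ratio <= MAX_SUCCESS_RATIO:
                # Every account this IP got into needs a forced reset.
                flagged[ip] = sorted({e[2] for e in events if e[3]})
                break
    return flagged
```

A user who mistypes a password several times (one account, one IP) and a household sharing an address (few accounts, all successful) are not flagged; the accounts listed for a flagged IP are the ones whose reused password worked.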

In statements, Ring has indicated that was indeed the cause of recent attacks. The company has been contacted for comment asking if it plans to update its security policies.

A Ring spokesperson said: "Recently, we were made aware of an incident where malicious actors obtained some Ring users' account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts.

"Unfortunately, when people reuse the same username and password on multiple services, it's possible for bad actors to gain access to many accounts. Upon learning of the incident we took appropriate actions to promptly block bad actors from known affected Ring accounts."

A "Ring Stick Up Cam" is pictured at the Amazon Headquarters, following a launch event, on September 20, 2018 in Seattle, Washington. Stephen Brashear/Getty

Multiple hacking incidents

Ring is an increasingly popular product in American households. Its internet-connected devices hook up to a home WiFi connection and can be managed via a mobile application.

If a hacker gains access, they would be able to watch the camera output in real time, while also taking control of other features, such as floodlights, alarms and a two-way voice chat.

The company has an application used by millions of Americans called Neighbors that is used to obtain crime alerts and share camera footage with law enforcement. U.S. senators have raised data privacy and security concerns about the burgeoning surveillance network.

But it is the Ring camera hacks that dominated the headlines in the past week, with outlets detailing the ordeals of families who found themselves being harassed by strangers.

In Desoto County, Mississippi, on December 4, an 8-year-old girl was left terrified after a hacker infiltrated a bedroom device, played music and claimed to be Santa Claus, WMC5 reported. In DeKalb County, Georgia, five days later, a woman who installed a Ring camera heard a voice that said: "I can see you in the bed, come on, wake the f*** up," WSBTV reported.

In Sarpy County, Nebraska, on December 11, a man disabled a Ring device after a hacker broke into a kitchen camera and attempted to strike up a conversation with his child, WOWT reported. In Cape Coral, on December 8, a family suffered racist abuse via their camera, NBC-2 reported.

Ring has stressed that its own internal systems have not been compromised, and there is nothing to suggest a wider breach. "We have investigated this incident and have no evidence of an unauthorized intrusion or compromise of Ring's systems or network," it noted.

Who is behind the hacks?

While the identity of the culprits behind the recent hacking cases was not immediately clear, the Florida incident, in which the hacker claimed to be "Chance on Nulled," exposed one possible link between them: a trolling podcast being live-streamed on voice chat and messaging platform Discord called "NulledCast." The existence of the Discord server, since banned, was first reported by Motherboard.

"We need to calm down on the ring trolling, we have 3 investigations and two of us are already probably f***ed," one of the Nulled members said on a forum as stories of the camera hacks hit the mainstream, Motherboard reported. The section of the server dedicated to hacking Ring devices reportedly had about 200 members. Many posts were later self-purged.

Will security improve?

Last Friday, Ring released methods for its customers to ensure accounts are better protected. It said users should enable two-factor authentication, add shared users, use different passwords for each account, create strong passwords and be sure to regularly update them.

It remains unclear if Ring will ever enforce the use of two-factor authentication, or 2FA, as default. Some experts believe that should be the case.

"While it's technically true that Ring hasn't experienced a 'hack' or a breach, it's also true that Ring's customers expect better protection by default," Elissa Shevinsky, CEO of cybersecurity company Faster Than Light, told Newsweek. "Customers trust that the cameras in their homes are safe for their families. Sensitive systems, like home cameras, should require 2FA."

After two-factor authentication is turned on, users will have to enter an additional code before account access is granted. Even if a hacker was able to get a password, they would be unlikely to also have the randomly generated code that is sent to the user's trusted device.

"We will continue to introduce additional security features to keep your Ring account and devices secure," the firm said, without elaborating on what such features will be.

Joseph Carson, chief security scientist at cybersecurity firm Thycotic, told Newsweek security needs to be a priority when dealing with any internet-of-things (IoT) products.

"There are no surprises here," he said. "When you don't prioritize cybersecurity for your home then you are going to be letting any script kiddie or simply anyone with basic computer skills have the ability to get into your home abusing your internet connected devices.

"Using default passwords with [internet-connected] products is a major issue when purchasing new devices. Many users focus on getting them working versus ensuring they are secure."

The menu to activate two-step authorization is found in the Ring app by tapping the icon in the upper-left corner, tapping account and turning it on via the Enhance Security menu. You will have to enter a phone number where the code can be sent, and enter the 6-digit number.