Hackers Are Taking Control of Ring Cameras and Using Them to Taunt Both Adults and Children

12.15.19 – inc.com –

Ring blames it all on customers re-using passwords.

It seems ironic that a product purchased to peace of mind could make you vulnerable to malevolent hackers, but apparently that’s exactly what’s been happening to some Ring camera owners. Several have recorded strangers’ voices taunting them inside their homes using Ring devices. There was even a podcast devoted to hacking into both Ring and Nest devices for entertainment value. In one case, a hacker used a Ring device to demand a 50 bitcoin ($400,000) ransom.

In a particularly disturbing event, a family in Mississippi heard a hacker playing Tiny Tim’s “Tiptoe Through the Tulips” in their eight-year-old daughter’s bedroom. When the little girl asked who was there, the hacker replied, “I’m your best friend! I’m Santa Claus. Don’t you want to be my best friend?” The camera had only been in place for four days at the time.

How are hackers doing this? For one thing, Ring offers, but does not require, two-factor authentication, in which users enter a password and then confirm their identity after receiving a message on their smartphones. Two-factor authentication would make executing hacks like these much more difficult, and the family in Mississippi said they had not set it up.

This past week, a couple in Grand Prairie, Texas were awakened late at night when their Ring intruder alarm began going off in their bedroom. This was followed by a hacker’s voice saying, “We would like to notify you that your account has been terminated by a hacker. Pay this 50 bitcoin ransom or you will get terminated yourself.” Accessing the couple’s front door camera, the hacker added, “I’m outside your front door.” The sleepy couple found a simple solution to the problem: They pulled the batteries out of their Ring devices.

Attacks such as these are so popular, there is or was a podcast called NulledCast, in which hackers would take control of both Ring and Nest devices during the podcast for entertainment purposes. Software specifically created to break into Ring cameras is being passed around in these circles. According to a report this week by Vice, the podcast’s creators have recently announced that they need to “calm down” the Ring hacking because of law enforcement investigations. “It will still happen just on a much smaller scale,” they promise.

“In no way related to a breach of Ring’s security.”

As for Ring, it’s blamed the problem on poor security practices by users. In a statement Ring sent to the Mississippi family, the Grand Prairie Couple, other families whose devices were hacked, and an ABC affiliate, the company said: “During an investigation by our security team, we identified that the email address and password of one of your external accounts were exposed in a data breach. The incident we emailed you about is in no way related to a breach or compromise of Ring’s security.”

The company went on to describe a common scenario in which credentials stolen during a data breach are sold on the black market and used for hacking into accounts. Many large companies with millions of user accounts have suffered major data breaches in the past few years, with Marriott and CapitalOne only among the most recent. When large stores of user data get stolen, the data often goes up for sale on the open market. With today’s ultra-fast processors, purchasers of that data can use it for “brute force” attacks, in which malware simply tries millions of username/password combinations in very rapid succession, looking for a match. Customers who use the same combo for more than one account are at risk.

That’s what Ring says happened in all these cases. “Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services,” the company explained. But Tania Amador, whose Ring camera issued the bitcoin ransom demand, questions that assessment. She says that her Ring password is 21 characters long and only used for that account.

Ring also said this: “As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords.”

That’s advice everybody should follow. But as for Amador and the Mississippi family, they say they are getting rid of Ring altogether.