12.15.19 – inc.com –
Ring blames it all on customers re-using passwords.
It seems ironic that a product purchased for peace of mind could make you vulnerable to malevolent hackers, but apparently that’s exactly what’s been happening to some Ring camera owners. Several have recorded strangers’ voices taunting them inside their homes using Ring devices. There was even a podcast devoted to hacking into both Ring and Nest devices for entertainment value. In one case, a hacker used a Ring device to demand a 50 bitcoin ($400,000) ransom.
In a particularly disturbing event, a family in Mississippi heard a hacker playing Tiny Tim’s “Tiptoe Through the Tulips” in their eight-year-old daughter’s bedroom. When the little girl asked who was there, the hacker replied, “I’m your best friend! I’m Santa Claus. Don’t you want to be my best friend?” The camera had only been in place for four days at the time.
This past week, a couple in Grand Prairie, Texas, were awakened late at night when their Ring intruder alarm began going off in their bedroom. This was followed by a hacker’s voice saying, “We would like to notify you that your account has been terminated by a hacker. Pay this 50 bitcoin ransom or you will get terminated yourself.” Accessing the couple’s front door camera, the hacker added, “I’m outside your front door.” The sleepy couple found a simple solution to the problem: They pulled the batteries out of their Ring devices.
Attacks such as these are so popular that there is, or was, a podcast called NulledCast, in which hackers would take control of both Ring and Nest devices during the podcast for entertainment purposes. Software specifically created to break into Ring cameras is being passed around in these circles. According to a report this week by Vice, the podcast’s creators have recently announced that they need to “calm down” the Ring hacking because of law enforcement investigations. “It will still happen just on a much smaller scale,” they promise.
“In no way related to a breach of Ring’s security.”
The company went on to describe a common scenario in which credentials stolen during a data breach are sold on the black market and used for hacking into accounts. Many large companies with millions of user accounts have suffered major data breaches in the past few years, with Marriott and Capital One only among the most recent. When large stores of user data get stolen, the data often goes up for sale on the open market. With today’s ultra-fast processors, purchasers of that data can use it for “brute force” attacks, in which malware simply tries millions of username/password combinations in very rapid succession, looking for a match. Customers who use the same combo for more than one account are at risk.
Ring also said this: “As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords.”
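The replay of breached username/password pairs described above is usually called credential stuffing, and in login logs it looks different from guessing many passwords against one account. The sketch below is an added example, not code from the article or from Ring; the log format, thresholds and sample events are all assumptions constructed for illustration. It flags both patterns per source address and lists the accounts a flagged source actually got into.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed thresholds; tune per service
MIN_ATTEMPTS = 10
MIN_FAIL_RATIO = 0.8

def classify_sources(lines):
    """Map source IP -> (label, accounts that IP logged in to successfully)."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "OK"))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            fails = sum(1 for _, _, ok in window if not ok)
            if len(window) < MIN_ATTEMPTS or fails / len(window) < MIN_FAIL_RATIO:
                continue
            users = {user for _, user, _ in window}
            if len(users) / len(window) >= 0.8:
                label = "credential_stuffing"   # many accounts, about one guess each
            elif len(users) <= 2:
                label = "brute_force"           # few accounts, many guesses each
            else:
                label = "suspicious"
            # Any success from a flagged source is an account to lock and reset.
            hits = sorted({user for _, user, ok in events if ok})
            verdicts[ip] = (label, hits)
            break
    return verdicts

def sample_events():
    """Constructed log lines (documentation IP ranges, made-up accounts)."""
    t0 = datetime(2019, 12, 10, 3, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(5 * i)} 203.0.113.7 user{i}@example.com {'OK' if i == 13 else 'FAIL'}"
             for i in range(20)]
    lines += [f"{stamp(2 * i)} 198.51.100.9 victim@example.com FAIL" for i in range(15)]
    lines += [f"{stamp(0)} 192.0.2.44 carol@example.com FAIL",
              f"{stamp(30)} 192.0.2.44 carol@example.com OK"]
    return lines

if __name__ == "__main__":
    for ip, (label, hits) in classify_sources(sample_events()).items():
        print(ip, label, "successful logins:", hits)
```

The single successful login from the flagged source is the reused-password case the article warns about; an ordinary user who mistypes once and then logs in is not flagged.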