Recently, several reports have described disturbing instances of bad actors taking controls of Ring security cameras and harassing the owners. Ring denies any security breach and blames the users for reusing passwords. While that may be true, Ring can and should do more to prevent this from happening.
Scary Reports of Camera Hacking
It’s like something out of a nightmare or horror movie. You decide you want more security for your home, so you install cameras from a well-known, trusted brand. But shortly after, you hear voices you don’t know in your home. They’re coming from the security cameras. And it’s not a nightmare or a horror movie—it’s happening in real life more and more every day.
Reports of an 8-year-old hearing voices in her room, blackmailed families, and more have been trickling out for weeks, and every story has one thing in common: Ring security cameras. Ring, for its part, says the problem isn’t on its end. The company says it has no signs or evidence of a data breach or hack. So what’s going on then?
Reused Password Are a Security Problem
Unfortunately, the age-old practice of reusing passwords is the most likely culprit. If you use the email and password combination to log into several sites, you should stop. Get a password manager and use that to set a long, complicated, unique password for every website.
Hackers don’t need to breach Ring’s servers if they’ve already stolen your usual email and password combo from somewhere else. Once they have that, they can log in to your account from anywhere.
The problem is only growing. In the most recent report, a database of Ring username and passwords made its way to the internet, and it contains a disturbing amount of information, including location and names of the cameras in use by an account. Ring continues to say the problem is password reuse, and that could be true.
If the perpetrator uses a password stolen from another site to log in to your account, they’ll be able to see the kind of information found in the database. They could be manually correlating all the data. But just because people shouldn’t reuse passwords doesn’t mean Ring shouldn’t do more.
After all, the company wants to sell security cameras to everybody, even those who are not tech-savvy and are unaware of the dangers of password reuse and stolen passwords. If any company wants you to trust it with cameras, security, and cloud in the most intimate portions of your homes, it should do everything it can to protect you—even from yourself.
And Ring could quickly solve the problem of password reuse with three changes: enforce two-step authentication, check IP location on login, and compare user and password combinations to known database leaks.
Required Two-Step Authentication is a Must For Security Systems
Any time you want to secure a login system, two-step authentication is the first place you should start. If you’re unfamiliar with two-step authentication, the premise is simple. First, you enter your usual login details such as username and password. Second, you must provide additional proof of identity. That could be a constantly changing code from an authentication app, a confirmation code sent to a cell phone number or a piece of hardware like a security key or key card.
The thought process here is that even if someone finds your login details from another hacked database, they won’t have the secondary proof of identity. Ring does support two-step authentication, and if you have Ring cameras, you should enable it now.
But Ring doesn’t require its users to set up two-step authentication. It could, and it likely should. It is an extra barrier of inconvenience for you, but it’s also a substantial barrier to keep bad actors out of your account. It’s not perfect, though, and it is possible to get around two-factor authentication, so Ring should also check location when anyone attempts to log into an account.
IP Checks On Every Login
When you log into a website or service, your Internet Protocol (IP) address reveals where you are. When you attempt to log in, many sites and services, like Gmail and Outlook.com, check your current location against a known history of your login locations.
If an hour ago, you were in the United States, and suddenly someone attempts to log in to your account from the other side of the world, Google or Microsoft will halt the login process. They’ll then reach out via one of your back up emails and warn you about the login attempt, along with the next steps to take.
Ring currently does not check IP location. Considering the privacy implications of security cameras in your home, it’s astounding that the company doesn’t perform a simple check that even your email handles.
If Ring started checking IP locations today, it wouldn’t necessarily solve the problem on its own: the bad actor may happen to be in your area and would look legitimate. But it certainly would curtail many instances where the hacker is far away from where you live.
To completely solve the problem, Ring should also take steps to prevent stolen credentials from working in the first place.
Ring Should Check Your Passwords—But You Can Do It Yourself Right Now
Are you using a password manager? If not, you should be. The best way to secure your online presence is to give every site you have an account with unique and complicated passwords. Password managers make that easy, but more and more provide an additional benefit. LastPass, Dashlane, 1Password, and others now work with HaveIBeenPwned to detect when you are reusing a known stolen email and password combination.
HaveIBeenPwned collects leaked databases from the breaches we’ve come to accept as an everyday occurrence. You can go to the site now, input an email you’ve used as a username or password, and you’ll see a list of breaches that contain your credentials.
Password managers take things a step further by comparing the username and passwords you are using against those databases then warning you of any matches.
Ring should do the same thing. If it occasionally compared your current details to the leaked databases, the company could warn you immediately if it found a match and make you change your password. That would prevent anyone from using stolen credentials to log in to your account in the first place.
Ring Needs To Be Proactive
Security generally comes in two forms: proactive and reactive. The locks on your door are proactive; they’re meant to keep the bad guys out. The cameras in your home are reactive; they let you know when someone already broke in.
Unfortunately, Ring has approached the problem of reused passwords reactively: by blaming its users for making a bad choice. The company may not be wrong, but that doesn’t make it right either. As a security company that promises to helps its users protect themselves from the bad actors of the world, it needs to become proactive. And sometimes, that means even protecting the users from themselves.
If the company even implemented the latter two suggestions—IP login tracking and password checking—that would go a long way to protecting all Ring customers. This is not just something it can do easily, but something that it should do.
But until that day comes, you have two choices: either avoid Ring products, or make sure you enabled 2FA, don’t re-use passwords, and keep an eye on compromised accounts yourself. The choice is yours.