Ring camera hacking stories abound — and there’s one billion more cameras to go


Parents in Tennessee say a hacker sang songs to their children in their bedroom through a Ring camera. A Texas Ring user says she was threatened with extortion through her front doorbell camera.  In Florida, another victim told local media that a hacker started screaming racial slurs at a child through a Ring.  The surveillance/home security giant owned by Amazon isn’t commenting on this string of scary incidents yet, but the good journalists at Motherboard have already found criminal chat rooms where hackers are bartering Ring login information — which can be had for under $10.

Let’s get this out of the way, fast: I think bringing a Ring into your house is a terrible idea. If you must have one, make sure it faces out, at your front yard, not in, at your family. Also, make sure the sound is off, so you don’t end up in court over an illegal wiretap; and make sure you aren’t filming beyond your property, lest you run into other potential legal problems. You’d do well to post a sign saying that you are filming visitors.

And finally, enable two-factor authentication on these gadgets RIGHT NOW.  It’s annoying; do it anyway.  Two factor is hardly foolproof, but at least you won’t be the easiest target on the block. With all this recent news around Ring hacking, you should feel confident that we are about to see a wave of these disturbing incidents.  As parents in the above examples say, hearing a phantom voice talk to your children is scary enough — consider what might have happened before the hacker announced himself.


For background on America’s privacy problem, listen to my 6-episode special podcast series, No Place to Hide



America is right now being overwhelmed by cameras and surveillance recording capabilities.  The Wall Street Journal recently reported that there will soon be 1 billion active surveillance cameras online around the world. In a most extreme example, the city of Baltimore is considering a plan to put low-altitude aircraft in the skies above the city, outfitted with dozens of cameras that can keep 24-hour watch over residents there.  We’ve had very little productive discussion about what this means.

In the past, U.S. discussion has focused generally on fears that the government might use cameras to oppress people or violate civil liberties.  There have been robust discussions about use of facial recognition in crowds, and some law enforcement projects have been reversed after objections from the ACLU and other rights groups.

Those efforts seem a bit silly now that we live in the reality of Ring cameras.  Consumers around America are willingly installing surveillance gadgets in their own homes. What’s more, they are essentially volunteering to become part of a massive law enforcement dragnet.  Ring executives now self-identify as crime fighters.

This isn’t all bad.  I’m all for catching package thieves, or keeping an eye on your home during a long vacation.  The problem is we’ve put no guardrails around use of this data.  Generally speaking, law enforcement can do whatever it wants with data that citizens volunteer. There is no due process necessary, as there would be if cops wanted to do the surveillance themselves.  According to Gizmodo, 400 local police departments already have deals in place to access Ring user camera video.

If your neighborhood has a serious crime problem, then I understand the impulse to use technology and trade safety for surveillance.  But has every one of those communities engaged in a robust discussion about the pros and cons? I’d venture that none of them has.

The problem is only going to get worse. A confluence of tech events has led to this moment. The Internet of Things has been knocking at our front door for a few years, promising us George Jetson convenience.  IoT is here now. Connected gadgets are finally easy to use, and with 5G bandwidth coming soon, it will be practical to connect hundreds of them around the home. Already, storage space is cheap enough not just to film us using all these cameras, but to store the video for weeks, months, even years.  We invited George Jetson, but now, we must live with George Orwell.

The creepy Ring hacker problem is predictable collateral damage of this technology mission creep. Every time law enforcement creates a crime-fighting tool, and every time a corporation creates a database, these things become available to criminals.  Sometimes, there’s token reference to security. But we’ve seen this play over and over.  Tech firms always blame human error.  Parents will be told it’s their fault that pedophiles were able to surveil children in their bedrooms. It’s not.  It’s tech’s fault.

Predictably, what comes next is an effort to minimize these hacker incidents. They have hit only a tiny fraction of users, we’ll be told. Baby monitors have also been hacked, so this is nothing new, we’ll be told.  Stop getting in the way of progress!

But this is new. This is different. Thanks to that confluence of improved bandwidth and gadgetry, the capacity of Ring camera networks to be used for criminal activity, to be misused by police, to lull people into a false sense of security — or worse, to make them numb to being watched all the time — is a clear and present danger. The time to talk about this is now.

Meanwhile, the Texas family being extorted through their Ring camera simply took out the batteries, and has left the things disabled. You might consider doing that, too, until meaningful regulations and security protections are put in place to control what these one billion cameras can do to us.

About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck, in 2014. He has won the Society of Professional Journalists’ prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

2 Comments

  1. The last few years have demonstrated that SMS text messages, which is how they are handling 2FA, are often the weakest link in two-step logins. Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe. SMS is just not the best way to do this. Adding a layer of SMS-based verification to your login process is certainly better than relying on a password alone. But I’d argue that two-factor authentication using SMS text messages isn’t technically two-factor at all. Better tools like Google Authenticator or an RSA token prove that possession, by generating a unique code that matches one generated on a web service’s server. That’s far more effective than sending a text message with a one-time code to someone’s phone. It’s less convenient, though, which may be why it’s also less commonplace. SMS has turned that ‘something you have’ into ‘something they sent you.’ These attacks aren’t exactly easy to pull off, and likely require the attacker to figure out the user’s cell phone number in addition to the password that they’ve stolen, guessed, or reused after being compromised in a data breach from another hacked service. But for anyone who might be a target of sophisticated hackers, all of those techniques mean SMS should be avoided when possible for anything login-related. Ring should change their 2FA and do it via their app, like Facebook or Apple do, because of the sensitivity of access to the camera and alarm system.

    • Here’s something else to consider: if these hackers have a list of compromised usernames and passwords from other breaches, I’m making the assumption they did a credential attack via ring.com looking for good and bad results. Is ring.com looking for attacks like these, where a large number of invalid results are coming in, and blocking them? Simple security procedure. Slow them down by blocking those connections or only allowing that particular IP 3 invalid results before killing that connection as an attacker’s vector.
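The per-IP limit proposed in the comment above, as an added example (not part of the original comments and not Ring's code): it replays constructed login events, blocks an address after 3 invalid results, and reports how many distinct usernames each blocked address tried. The 5-minute window, the event format and all names are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3        # the commenter's threshold: 3 invalid results per IP
WINDOW_SECONDS = 300    # assumption: failures are counted over 5 minutes

# Constructed sample events: (unix_time, source_ip, username, login_succeeded)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "alice@example.com", False),
    (1002, "203.0.113.7", "bob@example.com", False),
    (1003, "198.51.100.4", "carol@example.com", False),  # ordinary typo
    (1004, "203.0.113.7", "dave@example.com", False),    # third failure
    (1005, "203.0.113.7", "erin@example.com", True),     # valid pair, too late
    (1010, "198.51.100.4", "carol@example.com", True),
]

class FailedLoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.usernames = defaultdict(set)   # ip -> distinct usernames that failed
        self.blocked = set()

    def observe(self, ts, ip, username, succeeded):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if ip in self.blocked:
            return "blocked"  # rejected before the credentials are even checked
        if succeeded:
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # forget failures that fell out of the window
        self.usernames[ip].add(username)
        if len(recent) >= self.max_failures:
            self.blocked.add(ip)
        return "failed"

def replay(events):
    """Run events through a fresh limiter; return outcomes and a block report."""
    limiter = FailedLoginLimiter()
    outcomes = [limiter.observe(*event) for event in events]
    # Many distinct usernames failing from one address suggests a reused
    # credential list rather than one person mistyping a password.
    report = {ip: len(limiter.usernames[ip]) for ip in sorted(limiter.blocked)}
    return outcomes, report

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

A per-IP counter only slows an attempt that comes from a few addresses; a service would also want a per-account failure count and an alert on the overall failure rate, since a credential list can be tried from many addresses at once.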
