Ring ring: Did I get hacked, or was it my password?

There have been several news articles (and tweets!) recently on the subject of "Ring camera hacks", all of which Google has decided to bring to my attention because I recently did some research (before buying) on the Ring alarm system. This means that Google feels the need to tell me about every random "news" site that copies and pastes an article about Ring!

As the tweet above might tell you, Ring has not been hacked (or at least they have not owned up to a hack). At the start of this article, I put the word news in quotes, and I did that on purpose. Most of the websites which have been posting articles about "the hack" can hardly be described as news outlets; they just use sensationalist headlines as click-bait to drive advertising revenue. Unfortunately, because these websites get a lot of traffic, they also get shared a lot on social media; many of their readers are not experts, so they take the statements as factual. The problem with inaccurate or fake news is well beyond the subject of this blog post, so I shall leave it there; needless to say, it is not always the fault of the reader!

For those who want to read the details, this BBC article is a little nearer to the truth, and is less sensationalist!

What happened in the Ring hacks?

The big-ticket article (and each of its copies) in recent days has been the story of a young girl who was verbally abused via a Ring camera in her bedroom. I won't go into the choice of a parent putting an internet-connected camera into a child's bedroom; that is a parenting decision and I am not a parent.

The so-called "hacker" accessed the Ring camera and used it to talk to the young girl in question; he was rude and offensive and frightened the child. Again, I won't go into the subject of legality or morals; the man in question needs to be arrested, but that is my opinion.

This event caused many to claim that the camera was hacked; it wasn't.

What happened?

Please note I am in no way victim shaming in this article; a nasty thing happened to this family. But others can learn from their mistakes.

As many individuals do, the child's parent uses the same password across multiple services; perhaps for email, social media, forums, shopping, etc. One of the websites/services that the parent uses was breached; it may have been hacked, or it may have exposed a database online. This breach exposed the password the parent uses (including for their Ring account), and an unscrupulous person (I hesitate to use the word hacker here) used it to log into the parent's Ring account.

In reality, the "bad actors" (let us not call them hackers) are not just trying every password from a breach; someone has created a program that can ingest the username-password pairs from many breaches and try them against the Ring login methods. The tool then flags up accounts that use the same password.

How should Ring have reacted?

The parent in my example stated that Ring's response when she called was "you should have enabled 2FA"; they are not wrong, but they could have been better!

Ring is correct in that they have not been hacked in this instance, but they need to realise that most of their users have purchased the system because it is easy to use and requires little in the way of technical knowledge.

A better response would have been:

I am sorry to hear this has happened to you; can I suggest that we first ensure your account is secure with a unique password and multi-factor authentication, to ensure this doesn't happen again.

Ring can then find out where the bad actor was acting from (system logs, etc.) and provide this information to the customer for reporting to their police organisation. Simply telling the customer that it is their fault is not overly helpful, even when it is their fault.
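The replay of breached username-password pairs described earlier (commonly called credential stuffing) leaves a recognisable shape in a service's login logs, which is also where the "where was the bad actor acting from" answer comes from. The following is an added example, not code from Ring or from this post; the log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample login log (assumed format): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-01-01T21:04:11Z 198.51.100.20 dave@example.com FAIL
2020-01-01T21:04:19Z 198.51.100.20 dave@example.com FAIL
2020-01-01T21:04:31Z 198.51.100.20 dave@example.com OK
2020-01-01T21:10:02Z 203.0.113.7 alice@example.com FAIL
2020-01-01T21:10:02Z 203.0.113.7 bob@example.com FAIL
2020-01-01T21:10:03Z 203.0.113.7 carol@example.com OK
2020-01-01T21:10:03Z 203.0.113.7 erin@example.com FAIL
2020-01-01T21:10:04Z 203.0.113.7 frank@example.com FAIL
2020-01-01T21:10:04Z 203.0.113.7 grace@example.com FAIL
2020-01-01T21:15:40Z 192.0.2.50 heidi@example.com OK
2020-01-01T21:16:05Z 192.0.2.50 ivan@example.com OK
"""


def find_stuffing_sources(log_text, min_accounts=5, max_tries_per_account=2):
    """Flag source IPs that try many accounts with only a guess or two each."""
    # A user who forgot a password retries one account; a tool replaying
    # breached pairs touches many accounts once. Thresholds are assumptions.
    tries = defaultdict(lambda: defaultdict(int))  # ip -> username -> attempts
    failures = defaultdict(int)                    # ip -> failed logins
    successes = defaultdict(list)                  # ip -> usernames logged into
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _timestamp, ip, user, result = fields
        tries[ip][user] += 1
        if result == "OK":
            successes[ip].append(user)
        else:
            failures[ip] += 1
    flagged = {}
    for ip, per_user in tries.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_tries_per_account:
            flagged[ip] = {
                "accounts": len(per_user),
                "failures": failures[ip],
                "compromised": sorted(successes[ip]),  # force reset, notify owner
            }
    return flagged


if __name__ == "__main__":
    for ip, report in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, report)
```

The user who mistypes a password three times and the household with two accounts on one address are not flagged; only the source that touches six accounts once each is, along with the one account where the reused password worked.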

How can I protect myself?

When it comes to online security there are some simple rules to follow:

  1. Do not re-use passwords.
  2. Use strong passwords!
  3. Learn about, and enable, MFA/2FA for any service that supports it.
  4. Ideally, to help with point one, use a password manager, such as 1Password.
  5. Sign up to haveibeenpwned.com to make sure you know if your details have been exposed in a breach.

Check out be-a-password.ninja for further guidance!

Thank you to Bernard Hermant for sharing the header photo used for this post on Unsplash.
James Chorlton

About James Chorlton

I am a software developer from the South-West of England; I mostly work in .NET (c#) creating desktop, web, service, and backend software for the Legal and Health markets.