Hacking Ring Security Cameras: Amazon Makes it Easy

A bunch of childish script kiddies have been making the lives of Ring camera owners miserable. And the nexus seems to be a Discord podcast called NulledCast.

However, it’s sort of the owners’ fault for reusing their passwords. Yes, this is not so much a hack as a credential stuffing attack: the attackers take email/password pairs leaked from other sites’ breaches and replay them against Ring logins, and every account whose owner reused a password simply falls open.
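Credential stuffing has a recognisable shape in authentication logs: one source address spraying many distinct accounts, each tried once, with a high failure rate and the occasional success on an account that reused a leaked password. The detector below, an added example rather than anything Ring or the quoted reporters published, runs over constructed sample log lines (the field layout is an assumption for illustration, not real Ring telemetry) and returns, per flagged source, the accounts that did authenticate successfully, which are the ones that need a forced password reset:

```python
"""Flag credential-stuffing sources in authentication logs.

Credential stuffing replays username/password pairs leaked from other
sites. Because each pair is tried once per account, the tell-tale shape
is one source address spraying MANY DISTINCT accounts with a high
failure ratio, unlike brute force (one account, many attempts) or a
legitimate user (few accounts, mostly successes).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real Ring telemetry); the field layout
# is an assumption for illustration. 203.0.113.7 is the stuffing source,
# 198.51.100.4 is a brute-forcer hammering one account, 192.0.2.9 is a
# legitimate user who mistyped once.
SAMPLE_LOG = """\
2019-12-12T03:14:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2019-12-12T03:14:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2019-12-12T03:14:02Z src=203.0.113.7 user=carol@example.com result=OK
2019-12-12T03:14:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2019-12-12T03:14:03Z src=203.0.113.7 user=erin@example.com result=FAIL
2019-12-12T03:14:04Z src=203.0.113.7 user=frank@example.com result=FAIL
2019-12-12T03:14:05Z src=203.0.113.7 user=grace@example.com result=OK
2019-12-12T03:14:06Z src=203.0.113.7 user=heidi@example.com result=FAIL
2019-12-12T03:20:10Z src=198.51.100.4 user=ivan@example.com result=FAIL
2019-12-12T03:20:12Z src=198.51.100.4 user=ivan@example.com result=FAIL
2019-12-12T03:20:15Z src=198.51.100.4 user=ivan@example.com result=FAIL
2019-12-12T03:20:19Z src=198.51.100.4 user=ivan@example.com result=FAIL
2019-12-12T03:20:22Z src=198.51.100.4 user=ivan@example.com result=FAIL
2019-12-12T03:20:26Z src=198.51.100.4 user=ivan@example.com result=OK
2019-12-12T03:25:00Z src=192.0.2.9 user=judy@example.com result=OK
2019-12-12T03:26:00Z src=192.0.2.9 user=judy@example.com result=FAIL
2019-12-12T03:26:30Z src=192.0.2.9 user=judy@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attempts.append(Attempt(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            src=m["src"], user=m["user"], ok=m["result"] == "OK"))
    return attempts


def detect_stuffing(attempts, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.6):
    """Return {src: sorted accounts that logged in successfully} for every
    source that tried >= min_users distinct accounts inside `window` with a
    failure ratio >= min_fail_ratio. Thresholds are tuning assumptions."""
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda a: a.ts)
        lo = 0
        for hi in range(len(evs)):
            # Slide the window's left edge so evs[lo:hi+1] spans <= window.
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            win = evs[lo:hi + 1]
            users = {a.user for a in win}
            fails = sum(not a.ok for a in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Every success from a stuffing source is a reused password.
                flagged[src] = sorted({a.user for a in evs if a.ok})
                break
    return flagged


def demo():
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, victims in demo().items():
        print(f"{src}: credential stuffing; reset {', '.join(victims)}")
```

The brute-force source is deliberately not flagged here: it hits one account many times, which is a different signature with a different response (lock or rate-limit the account), and conflating the two hides the stuffing victims who need a reset.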

But why doesn’t Amazon do a better job of educating its customers? In today’s SB Blogwatch, we wave the flag for 2FA.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: YAMOTD.

Don’t Put a Ring On It

What’s the craic? Joseph Cox and Jason Koebler report—“the Podcast that Hacks Ring Camera Owners Live”:

 The NulledCast is a podcast livestreamed to Discord. It’s a show in which hackers take over people’s Ring and Nest … cameras and use their speakers to talk to and harass their unsuspecting owners.

A recent spate of hacks … have occurred both during the podcast and at other times, several of which have been covered by local media outlets. … These hacks, and this podcast, have turned devices nominally designed to protect people’s homes into surveillance devices that have been turned back on their owners.

Ring cameras are the wildly popular home surveillance devices owned and heavily marketed by Amazon. … These internet-connected cameras have invaded much of America’s suburbs.

After the recent media attention about Ring hacks, Nulled members are scrambling. … On the Nulled forum, which has thousands of members, administrators tried to delete all evidence of Ring hacking by rolling back the entire forum’s database by four days.

And Lily Hay Newman adds—“Ring Doorbells Perfectly Exemplify the IoT Security Crisis”:

 Though it sounds shocking, the situation with Ring is far from unique. At the beginning of the year, for example, hackers launched similar attacks against Nest cameras, complete with incidents where hackers were creepily talking to children through the devices.

[It] reflects a broader industry failure to produce trustworthy internet-of-things devices that are easy for consumers to set up in a secure and private way. … Basic security measures like good password hygiene and enabling two-factor authentication are enough to stop most attacks.

It’s also true that the companies making and selling these devices could do much more. … While Ring provides instructions for enabling two-factor authentication, Amazon doesn’t require it or turn it on by default.

Amazon seems to have reservations about heavily promoting enhanced account protections like two-factor authentication that might … make devices slightly harder to use. … Amazon has sold more than 100 million Americans on the benefits of paying for Prime accounts. It’s time to use that power of persuasion to promote basic security protections.

For years, critics have pointed out lax security and thoughtlessness in how IoT devices are designed. … Researchers say that it’s disheartening to see even the biggest players still making basic mistakes. … Combined with an ongoing lack of emphasis at white-label companies and startups, industry progress overall is still slow.

What does Ring have to say for itself? This, via Josiah Bates—“Ring Recommends Users Update Their … Passwords”:

 Ring said that they take their devices’ security very seriously, but that the incidents are not related to a breach of security protocols. “We have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network.”

Ring is aware of an incident where “malicious actors” were able to obtain a user’s login credentials from an outside, non-Ring device and use that same information to log into the Ring device. … Ring also recommends customers change their passwords and enable two-factor authentication.

OK, so this is basically a credential reuse problem? 110010001000 bit off more than could be chewed: [You’re fired—Ed.]

 I guess typing in a known password is what qualifies for “hacking” nowadays.

And baroffoos gives up:

 At some point we have to admit that passwords have not worked and the general public does not understand how to use them despite decades of education attempts. This problem would be entirely solved if they enforced the use of 2fa.
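What enforced 2FA actually buys is shown below, as an added example that is not Ring’s code or anyone quoted here: a minimal login check that accepts a password only together with a valid time-based one-time code (RFC 6238 TOTP, HMAC-SHA1, 30-second step, six digits). The user record, password and salt are constructed; the TOTP seed is the RFC 6238 test-vector secret so the codes can be checked against the published table. With a reused password but no code, the stuffed login fails.

```python
"""Why a stuffed password alone should not open the door: a login check
that requires a TOTP second factor (RFC 4226 HOTP / RFC 6238 TOTP)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock drift.
    compare_digest keeps a wrong guess from leaking timing information."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example stdlib-only; argon2/bcrypt would be the usual pick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (assumption for illustration, not Ring's schema).
# "Summer2019!" stands in for a password the user also used on a breached site.
SALT = b"constructed-salt"
USER_DB = {
    "alice@example.com": {
        "pw_hash": hash_password("Summer2019!", SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
        "mfa_enabled": True,
    },
}


def login(user: str, password: str, code, unix_time: int) -> bool:
    """Return True only if the password AND (when enrolled) the TOTP code match."""
    rec = USER_DB.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password, SALT), rec["pw_hash"]):
        return False
    if not rec["mfa_enabled"]:
        return True  # the state most stuffed accounts were in: password is enough
    return code is not None and verify_totp(rec["totp_secret"], code, unix_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: expected 6-digit code is 287082
    print("stuffed password, no code:", login("alice@example.com", "Summer2019!", None, now))
    print("password + valid code:   ", login("alice@example.com", "Summer2019!", "287082", now))
```

The `mfa_enabled` branch is the whole argument in one line: when the flag is off, a leaked password is a complete credential, which is why an opt-in second factor protects only the minority who turn it on.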

But what of the NulledCast denizens? RightSaidFred99 said:

 It’s funny to me that people are stupid enough to literally record and broadcast themselves committing crimes, possibly Federal crimes. Truly our best and brightest here, folks.

Yes, angry-sw-dev sounds slightly angry:

 Having your life compromised is never comfortable, but it’s never less comfortable than when you suddenly realize you’re being watched and having your home “invaded” in a potentially very personal way. … These Discord shock jocks go off and [stuff] these compromised email/password combinations … and then the hapless victim is subjected to the electronic analog of them unlocking the front door of their home and bursting into the living room yelling.

I think it’s just a ****** thing to do, but even more so when it involves children, or people who have no control over the cameras (like animal shelter workers). [They] ought to take a lesson from Jon Stewart: BE A ******* PERSON; think about how ****** what you’re doing is (and no, the fact that these people are saps with insecure logins does not mean they deserve this).

So beep54 is sympathetic. No, wait, not sympathetic—the other thing:

 I have absolutely no sympathy for idiots that install invasive **** like this in their homes. This goes for ‘smart’ speakers too.

Meanwhile, beshrkayali recycles this gag:

 The S in IoT stands for security.

And Finally:

Yet another mashup of the decade


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U.S. Army photo by Brandon O’Connor (public domain)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
