It seems ironic that a product purchased for peace of mind could make you vulnerable to malevolent hackers, but apparently that's exactly what's been happening to some Ring camera owners. Several have recorded strangers' voices taunting them inside their homes using Ring devices. There was even a podcast devoted to hacking into both Ring and Nest devices for entertainment value. In one case, a hacker used a Ring device to demand a 50 bitcoin ($400,000) ransom.
In a particularly disturbing event, a family in Mississippi heard a hacker playing Tiny Tim's "Tiptoe Through the Tulips" in their eight-year-old daughter's bedroom. When the little girl asked who was there, the hacker replied, "I'm your best friend! I'm Santa Claus. Don't you want to be my best friend?" The camera had only been in place for four days at the time.
How are hackers doing this? For one thing, Ring offers, but does not require, two-factor authentication, in which users enter a password and then confirm their identity after receiving a message on their smartphones. Two-factor authentication would make executing hacks like these much more difficult, because a stolen password on its own would no longer be enough to log in, and the family in Mississippi said they had not set it up.
This past week, a couple in Grand Prairie, Texas were awakened late at night when their Ring intruder alarm began going off in their bedroom. This was followed by a hacker's voice saying, "We would like to notify you that your account has been terminated by a hacker. Pay this 50 bitcoin ransom or you will get terminated yourself." Accessing the couple's front door camera, the hacker added, "I'm outside your front door." The sleepy couple found a simple solution to the problem: They pulled the batteries out of their Ring devices.
Attacks such as these are so popular, there is or was a podcast called NulledCast, in which hackers would take control of both Ring and Nest devices during the podcast for entertainment purposes. Software specifically created to break into Ring cameras is being passed around in these circles. According to a report this week by Vice, the podcast's creators have recently announced that they need to "calm down" the Ring hacking because of law enforcement investigations. "It will still happen just on a much smaller scale," they promise.
"In no way related to a breach of Ring's security."
As for Ring, it has blamed the problem on poor security practices by users. In a statement Ring sent to the Mississippi family, the Grand Prairie couple and other families whose devices were hacked, the company said: "During an investigation by our security team, we identified that the email address and password of one of your external accounts were exposed in a data breach. The incident we emailed you about is in no way related to a breach or compromise of Ring's security."
The company went on to describe a common scenario in which credentials stolen during a data breach are sold on the black market and used to break into accounts on other services. Many large companies with millions of user accounts have suffered major data breaches in the past few years, Marriott and Capital One among the most recent. When large stores of user data are stolen, the data often goes up for sale on the open market. Purchasers then run automated "credential stuffing" attacks: software replays the leaked username/password pairs, millions at a time, against the login pages of other services, looking for matches. This is not a brute-force attack in the strict sense, since nothing is guessed or cracked; the passwords are already known, and the attack works because customers who use the same combination for more than one account hand the attacker a working login everywhere they reused it.
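To make the two preceding points concrete, the scenario Ring describes and the protection two-factor authentication adds, here is an added illustration in Python. It is not Ring's code or anything from the article: the breach dump, the accounts, the toy "CameraService" login endpoint and all secrets are constructed. It replays a leaked dump against three accounts: one that reused its leaked password with no second factor (taken over), one that reused it but enabled TOTP (password accepted, login still blocked), and one whose password is unique to this service, which is the situation Amador describes for herself.

```python
"""Credential stuffing against a toy camera-vendor login, and what blocks it.

Added illustration, not Ring's code or code from this article. The breach
dump, accounts, service name and secrets below are all constructed.
"""
import hashlib
import hmac
import os
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed leak from a fictional, unrelated third-party service.
BREACH_DUMP = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct-horse-battery"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2. The attacker never sees these; only the login endpoint."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(timestamp // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None  # set only when the user enables 2FA


@dataclass
class CameraService:
    """Hypothetical vendor login endpoint; it only ever sees email/password(/code)."""
    accounts: Dict[str, Account] = field(default_factory=dict)

    def register(self, email: str, password: str,
                 enable_2fa: bool = False) -> Optional[bytes]:
        salt = os.urandom(16)
        secret = secrets.token_bytes(20) if enable_2fa else None
        self.accounts[email] = Account(salt, hash_password(password, salt), secret)
        return secret  # shown to the user once, e.g. as a QR code

    def login(self, email: str, password: str, code: Optional[str] = None,
              now: Optional[float] = None) -> str:
        """Return 'ok', 'needs_second_factor' or 'denied'."""
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(
                acct.pw_hash, hash_password(password, acct.salt)):
            return "denied"
        if acct.totp_secret is not None:
            # Right password, but a leaked pair carries no second factor.
            if code is None:
                return "needs_second_factor"
            expected = totp(acct.totp_secret, time.time() if now is None else now)
            if not secrets.compare_digest(code, expected):
                return "denied"
        return "ok"


def credential_stuff(service: CameraService, dump) -> Dict[str, str]:
    """Replay each leaked pair unchanged; nothing is guessed or cracked."""
    return {email: service.login(email, password) for email, password in dump}


def run_demo(now: float = 1_700_000_000.0) -> Dict[str, str]:
    svc = CameraService()
    # alice reused her leaked password and has no 2FA: the attack walks in.
    svc.register("alice@example.com", "Summer2019!")
    # bob reused his password but enabled 2FA: the password alone is not enough.
    bob_secret = svc.register("bob@example.com", "hunter2", enable_2fa=True)
    # carol uses a password unique to this service: the leaked one is simply wrong.
    svc.register("carol@example.com", "camera-only-8Kq!pL2v")

    results = credential_stuff(svc, BREACH_DUMP)
    # The legitimate owner, holding the authenticator, still gets in.
    results["bob_with_code"] = svc.login(
        "bob@example.com", "hunter2", totp(bob_secret, now), now=now)
    return results


if __name__ == "__main__":
    for who, outcome in run_demo().items():
        print(f"{who:>22}: {outcome}")
```

The attacker's side is the one-line `credential_stuff` loop: no processing power is needed, only the dump and a login endpoint that accepts unlimited attempts. Note that the service never learns whether a password was reused elsewhere; only the second factor or a password that exists nowhere else stops the replay.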
That's what Ring says happened in all these cases. It sent the following statement to Inc.com:
"Recently, we were made aware of an incident where malicious actors obtained some Ring users' account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts. Unfortunately, when the same username and password is reused on multiple services, it's possible for bad actors to gain access to many accounts.
Upon learning of the incident, we took appropriate actions to promptly block bad actors from known affected Ring accounts and affected users have been contacted."
But Tania Amador, whose Ring camera issued the bitcoin ransom demand, questioned that explanation in her interview with a local news affiliate. She said that her Ring password is 21 characters long and only used for her Ring account.
Ring also offers this advice to its customers: "As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords."
That's advice everybody should follow. But as for Amador and the Mississippi family, they say they are getting rid of Ring altogether.