Riverbank Ruminations
Observations from the Banks of the Technology River (Tom Evans)
Ding Dong, Guess Who?
Most of us have a doorbell. When we hear a chime, we do one of three things: 1) We go to the door and look out a window or a peephole, or ask “Who is it?” or 2) We press an intercom button and ask “Who is it?” or 3) We pick up our phone, open an app, look at the screen to see who is there and decide whether we want to acknowledge being home. On an absolute scale, #2 is probably the least risky. (Deciding why is left as an exercise for the reader.)
Option 3 is becoming more popular, but with some alarming consequences. This article is one of many about how security cameras are being subverted to evil ends. Ring seems to get the most publicity, but that may be due to greater brand awareness or the marketing muscle of Amazon, which owns Ring. Without going into an analysis of all the products out there, let’s just use Ring as an example. First, the setup:
Trust was a major factor in Ashley LeMay’s decision to buy Ring cameras for her home. For two years, the 27-year-old mother of four said she talked herself out of getting indoor security cameras, citing potential privacy breaches as one of her concerns. That changed when she saw that a majority of people in her neighborhood had outfitted their homes with Ring doorbells. LeMay’s friend, a fellow mother, also recommended the indoor camera to her.
For LeMay, who works overnight at a hospital as a laboratory scientist, the cameras not only gave her “peace of mind” but also helped her children feel safe.
Around 8 PM, music started playing in LeMay’s daughters’ bedroom, and an unknown male started conversing with one daughter. The exchange was recorded by the camera.
“Who is that?” Alyssa can be heard asking.
The voice responds: “I’m your best friend. You can do whatever you want right now. You can mess up your room. You can break your TV.”
This continues, until finally, the daughter gets her father, who unplugs the cameras. When the family contacts Ring support to question how this could happen, they get a very unsatisfying response.
Instead of answering her questions about whether the hack was done locally or by someone far away, LeMay said, a Ring representative repeatedly brought up how she didn’t set up two-factor authentication as an added security measure.
“The fact that they’re just continuing to give customers the same blanket statement, it’s like they don’t seem concerned at all,” she said. “To be honest, it felt like they were trying to place the blame on me. As a mother, I already feel guilty enough that I let this happen to my family. … There’s just no need for that.”
The article goes on to cite several other instances of Ring products being taken over. Are all these instances the fault of the users? Let’s install a doorbell.
To see what a user would see, I went to this site to get a Ring doorbell manual. If you go through the manual, it gives all the needed instructions to make it work. It looks very complete and should result in a successful PHYSICAL installation. Nowhere in the manual does it talk about two-factor authentication (2FA) or any type of additional security. If you happen to look for online instructions, you will find similar information at this site, helpfully titled “Setting Up Your Ring Video Doorbell in the Ring App”. No mention of 2FA here either. So the average user has no clue that this measure is available, or how to implement it. If Ring wants the users to activate it, they need to tell them about it.
If you know enough to know that 2FA is a good thing and want to know if it is available on Ring devices, you might search the support.ring.com website. This will lead you to this site titled “Two-Factor Security Authentication with Ring Products”. Here we, at last, get instructions for 2FA. We can even require 2FA for additional users and guests that we might configure. This is done in the app. Nowhere is this mentioned in the setup instructions. This is the manufacturer’s fault. Ring is not alone in this. Other IoT manufacturers don’t provide adequate security or instructions to implement any existing security measures. CAVEAT EMPTOR. In this case, beware of devices with poor security and of evidence that the company does not make this a priority.
While it is a poor response, this statement from Ring is unfortunately true:
A spokesperson for Ring told The Post in a statement early Thursday that what happened to the LeMays “is in no way related to a breach or compromise of Ring’s security.” The “bad actors” behind the attacks “often re-use credentials stolen or leaked from one service on other services,” the spokesperson said. Ring has addressed the other reports of hacking with similar statements.
Password reuse is one of the main reasons bad guys are so successful. Password databases are breached and shared on the dark web. This data allows them to successfully take over other accounts and wreak havoc.
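To make the reuse risk concrete, here is an added example (not from the original article or from Ring) that audits a personal account inventory and shows which other accounts fall if one service's password leaks. The service names, the record fields and the `reuse_report` function are all hypothetical, and the inventory is constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample inventory (hypothetical services, not real accounts).
ACCOUNTS = [
    {"service": "forum.example", "login": "pat@example.com", "password": "Summer2019!", "twofa": False},
    {"service": "camera.example", "login": "pat@example.com", "password": "Summer2019!", "twofa": False},
    {"service": "bank.example", "login": "pat@example.com", "password": "Summer2019!", "twofa": True},
    {"service": "mail.example", "login": "pat@example.com", "password": "x9#Tq-unique-1", "twofa": True},
    {"service": "shop.example", "login": "pat.shop@example.com", "password": "Summer2019!", "twofa": False},
]


def _fingerprint(key, password):
    """Keyed hash, so the grouping table never stores plaintext passwords."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def reuse_report(accounts, breached_service):
    """Classify accounts that share a password with the one at breached_service."""
    key = secrets.token_bytes(32)  # per-run key; fingerprints are useless afterwards
    by_password = defaultdict(list)
    for acct in accounts:
        by_password[_fingerprint(key, acct["password"])].append(acct)

    report = {"taken_over": [], "blocked_by_2fa": [], "reused_other_login": []}
    for leaked in (a for a in accounts if a["service"] == breached_service):
        for other in by_password[_fingerprint(key, leaked["password"])]:
            if other is leaked:
                continue
            if other["login"].lower() != leaked["login"].lower():
                bucket = "reused_other_login"  # same password, different login
            elif other["twofa"]:
                bucket = "blocked_by_2fa"      # password alone is not enough
            else:
                bucket = "taken_over"          # same login and password, no 2FA
            report[bucket].append(other["service"])
    return {name: sorted(services) for name, services in report.items()}


if __name__ == "__main__":
    print(reuse_report(ACCOUNTS, "forum.example"))
```

Every account listed in any of the three buckets still needs a new, unique password; 2FA only limits the damage until that is done.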
The takeaways here: Use unique passwords for every account you have. Before you buy any ‘security’ product, do research to see if it is securable before you worry about it giving you a sense of security.