Somebody’s Watching: Hackers Breach Ring Home Security Cameras

1 BUSINESS

Business News - Opportunities - Reviews

 

 

Ashley LeMay and Dylan Blakeley recently installed a Ring security camera in the bedroom of their three daughters, giving the Mississippi parents an extra set of eyes — but not the ones that they had bargained for.

Four days after mounting the camera to the wall, a built-in speaker started piping the song “Tiptoe Through the Tulips” into the empty bedroom, footage from the device showed.

When the couple’s 8-year-old daughter, Alyssa, checked on the music and turned on the lights, a man started speaking to her, repeatedly calling her a racial slur and saying he was Santa Claus. She screamed for her mother.

The family’s Ring security system had been hacked, the family said. The intrusion was part of a recent spate of breaches involving Ring, which is owned by Amazon.

There have been at least three similar cases reported this month — the others were in Connecticut, Florida and Georgia. Other breaches, involving Google’s Nest and Taococo, a baby monitor sold on Amazon, have also drawn scrutiny and prompted concerns about privacy.

Ms. LeMay, 27, said the Dec. 4 episode unnerved her family, particularly her daughter Alyssa.

“She won’t even sleep in her room,” Ms. LeMay said on Saturday. “She actually spent the night with a friend the other night because she didn’t want to be here.”

Ms. LeMay said that she and her husband, who unplugged the camera, had immediately reported the episode to Ring and later to the police in Southaven, Miss. Since the episode, she said her family had been contacted by the F.B.I. and by Ring’s chief operating officer, Jon Irwin.

But she criticized the company’s response, saying it had provided scant information and deflected responsibility for the breaches onto customers.

A Ring spokeswoman said in a statement on Saturday that the company took the security of its devices seriously, and attributed the recent episodes to hackers gaining users’ login credentials.

“Our security team has investigated this incident and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the statement said. “Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials (e.g., user name and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts.”

Ring users can monitor the cameras on the company’s smartphone app and speak to people inside their home and at their front door using a two-way audio feature. But cybersecurity experts say all it takes is a user name and password for hackers to gain access to the devices.

Ring said it began sending emails this weekend to its millions of customers, reminding them to use multifactor authentication, which requires users to verify their identity by entering a code that they receive as a text message or by using an authentication application, in addition to their password.

“Unfortunately, when the same user name and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts,” the statement said.

A spokesman for the Jackson, Miss., field office of the F.B.I. said he could not confirm or deny that the episode was being investigated. The Southaven police chief, Macon Moore, did not immediately respond to a request for comment on Saturday.

Cybersecurity experts said it’s not that difficult for hackers to gain access to “internet of things” devices, which include Ring security cameras and voice assistants, such as Alexa and Google Home.

“Unfortunately, we’re so reliant on passwords at this point, but passwords are absolutely the weakest link,” said Tim Weber, security services director for ADNET Technologies in Farmington, Conn.

Mr. Weber, who is a certified ethical hacker, said he had not seen any evidence that Ring’s operating platform had been breached. He recommended that people avoid reusing old passwords because they could have already been compromised as part of a previous data breach without users even knowing it.

“People are honestly struggling right now because they have so many passwords to maintain,” he said.

“Nothing is 100 percent secure,” she said. “It takes a lot of layers of defense to make things more secure and to lower the risk. I understand the convenience of getting these devices, but I would also hate to see children exploited. We don’t know how long someone may be monitoring those cameras.”

In addition to multifactor authentication, she recommended using pass phrases instead of passwords, because they are harder for hackers and computers to guess.

Ms. LeMay, who works the overnight shift as a laboratory scientist at a hospital, said she thought she had been getting peace of mind with the Ring camera, as one of her daughters suffers from seizures.

Now, she said, the family is on edge.

“I’m definitely very paranoid,” she said. “Yesterday, I told my husband, ‘I really want to get away from here for a bit.’”

1 BUSINESS

Business News - Opportunities - Reviews

 

 

Leave a Reply