Hackers took over Ring cameras in households around the country in recent weeks, shouting at residents, blasting music and setting off the system’s alarm. Hackers hadn’t breached Ring’s corporate systems, the company said. Instead, they logged in to individual cameras with passwords that owners had used on other accounts that’d been hacked.
None of that makes the stories even a little less creepy.
In Mississippi, a hacker told an 8-year-old girl that he was Santa Claus and that she should wreck things in her bedroom. In Georgia, hackers yelled at a woman while she was in bed. And in Florida, hackers shouted racist remarks to a couple in their home until they pulled the batteries out of their Ring camera. Similar attacks have , like in January, when hackers told a California family that a North Korean airstrike was imminent.
“Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts,” a Ring spokeswoman said in a statement. “Consumers should always practice good password hygiene and we encourage Ring customers to change their passwords and enable two-factor authentication.”
You don’t need experts to tell you this is good advice. Robust passwords and two-factor authentication are the minimum for decent security these days. But smart home companies can do more to protect users from these types of attacks. One easy fix: Companies could require — rather than simply recommend — that consumers use two-factor authentication when they log in.
Consumers can do better, and so can companies, said Troy Hunt, a cybersecurity expert who runs Have I Been Pwned, a service that tracks hacked login credentials and other data breaches.
“Reusing credentials is certainly a very risky practice,” Hunt said. “Equally, corporate victims of credential stuffing need to be held more accountable for providing insufficient controls against what is a very well known attack these days.”
Passwords aren’t good enough
Telling consumers not to reuse passwords is unrealistic. First of all, many people have dozens or even hundreds of accounts, and only a robot could memorize unique, complex passwords for each of them. There are tools to make this easier, like password managers, but they can be challenging to use. That’s a disincentive for many people to rely on them.
Two-factor authentication is one way companies could securefor their customers even if they use bad passwords. If 2FA were required, consumers would need a second form of identity, often a one-time code sent to a phone after a username and password are entered, or a physical token that’s plugged in.
Watching out for hacked passwords
The technique hackers used to access the Ring cameras is often called credential stuffing. Hackers take lists of stolen usernames and passwords and try them on a variety of different accounts. According to Vice, hackers have recently been creating software tools to automate this process specifically for hacking Ring cameras.
New services are cropping up to warn consumers when they’re using a password that’s been caught up in a data breach, and this could make a big difference in the smart home, too.
For example, log-in management company Okta created abrowser that’ll warn you when you’re using a password that was compromised in a data breach. The company also created a tool that lets websites give users a similar warning when they go to log in.
The services draw from a massive database of stolen credentials created by the service Have I Been Pwned, where you can also check which data breaches you’ve been involved in.
Sharing is OK
Ring and its parent company, Amazon, are ahead of the curve in helping customers safely share access to accounts.
Instead of giving the impractical advice to never share your passwords with anyone, the companies offer features that let multiple people access one account with different passwords. Of course, this also means each user must avoid the temptation to reuse log-in credentials from another account, or even to just use the same password as the other users who access the account.
If you hadn’t already guessed, that’s a bad idea.