Amazon-owned Ring Inc., makers of security cameras and other smart home devices, are facing a lawsuit and increasing scrutiny for what is being labeled a lack of cybersecurity in their products. After several reported incidents of Ring cameras being hacked and owners and their families (including multiple incidents involving children) being subjected to harassment, the company finally released a statement on their blog on December 12, 2019.
They assured customers that Ring’s system had not been compromised and encouraged them to change their passwords, as they believed the issue to lie with personal password practices. However, the lawsuit claims that the fault lies with Ring for not enforcing greater cybersecurity standards before the incidents became public, and that they violated the promises of security included in their product marketing. The suit seeks unspecified damages and better network security practices to be implemented for Ring cameras.
Victims Harassed and Solicited Through Hacked Cameras
The lawsuit plaintiff, John Baker Orange of Alabama, was one of many victims of hacking and harassment by what appears to be a semi-coordinated group of casual hackers. One such band even set up a podcast (called “NulledCast”), which was broadcast regularly to an online forum featuring thousands of members.
The podcast hosts and possibly other hackers who broke into the cameras would hurl insults, racial slurs and other remarks meant to “troll” camera owners and their families inside their own homes. The hosts livestreamed the podcast from a Discord server to document the harassment in real-time. In at least one other case in Texas, the hacker also demanded a Bitcoin payment to leave the victims alone.
Ring Hack Highlights Danger of IoT and Basic Security
VICE Media’s Motherboard magazine has devoted extensive coverage to the situation, including a test run of Ring’s camera system to confirm the lack of cybersecurity controls. What they found reinforces the accusations in Orange’s lawsuit. Once a third party obtains access to the Ring owner’s credentials, they gain full control of the device, without facing any additional layers of security.
The Internet of Things (IoT), a name for the network created by connecting smart devices to the Internet, enables technology like the Ring to work through automated WiFi and Bluetooth endpoints. However, the deployment of IoT into personal and commercial spaces has always outpaced the adoption of a cybersecurity culture that reflects the realities of the digital age. This episode with Ring is symptomatic of a greater security dilemma and highlights the danger of sticking to 20th-century safety standards.
There are two dangers that users often ignore with IoT: devices can and will be connected to each other on the same network, and these tools are inherently designed to broadcast data – whether you want them to or not. Studies and the efforts of white hat hackers have revealed how easily and silently these backdoors can be exploited by both third-party vendors and cybercriminals. In Ring’s case, this also includes what is effectively a surveillance grid made available to law enforcement – reporters at Gizmodo were able to map out a fraction (i.e., thousands of homes) of this network using only public data.
Educate Yourself and Your Employees on Password Security
IoT will find its way into your network – everyone in your business can introduce any number of shadow devices that can be exploited by bad actors. Ensuring that your employees know how to secure their machines will help protect your organization from poorly secured smart devices becoming a cyber attack vector.