We Tested Ring’s Security. It’s Awful
Credit to Author: Joseph Cox| Date: Tue, 17 Dec 2019 20:55:20 +0000
It's not so much being watched. It's that I don't really know if I'm being watched or not.
From across the other side of the world, a colleague has just accessed my Ring account, and in turn, a live-feed of a Ring camera in my apartment. He sent a screenshot of me stretching, getting ready for work. Then a second colleague accessed the camera from another country, and started talking to me through the Ring device.
"Joe can you tell I'm watching you type," they added in a Slack message. The blue light which signals someone is watching the camera feed faded away. But I still couldn't shake the feeling of someone may be tuning in. I went into another room.
My colleagues were only able to access my Ring camera because they had the relevant email address and password, but Amazon-owned home security company Ring is not doing enough to stop hackers breaking into customer accounts, and in turn, their cameras, according to multiple cybersecurity experts, people who write tools to break into accounts, and Motherboard's own analysis with a Ring camera it bought to test the company's security protections.
Last week a wave of local media reports found hackers harassed people through Ring devices. In one case a hacker taunted a child in Mississippi, in another someone hurled racist insults at a Florida family. Motherboard found hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring abuse on their own so-called podcast dubbed "NulledCast."
In response to the hacks, Ring put much of the blame for these hacks on its users in a blog post Thursday.
"Customer trust is important to us, and we take the security of our devices and service extremely seriously. As a precaution, we highly encourage all Ring users to follow security best practices to ensure your Ring account stays secure," it said. To be clear, a user who decides to use a unique password on their Ring device and two-factor authentication is going to be safer than one who is reusing previously hacked credentials from another website. But rather than implementing its own safeguards, Ring is putting this onus on users to deploy security best practices; time and time again we've seen that people using mass-market consumer devices aren't going to know or implement robust security measures at all times.
Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in—entirely common security measures across a wealth of online services.
"They are worth billions so where is the investment in security," Daniel Cuthbert, who is on the committee for annual cybersecurity conference Black Hat, and who is also a Ring owner, told Motherboard.
A Ring account is not a normal online account. Rather than a username and password protecting messages or snippets of personal information, such as with, say, a video game account, breaking into a Ring account can grant access to exceptionally intimate and private parts of someone's life and potentially puts their physical security at risk. Some customers install these cameras in their bedrooms or those of their children. Through an issue in the way a Ring-related app functions, Gizmodo found these cameras are installed all across the country. Someone with access can hear conversations and watch people, potentially without alerting the victims that they are being spied on. The app displays a user-selected address for the camera, and the live feed could be used to determine whether the person is home, which could be useful if someone were, for example, planning a robbery. Once a hacker has broken into the account, they can watch not only live streams of the camera, but can also silently watch archived video of people—and families—going about their days.
Or a hacker can digitally reach into those homes, and speak directly to the bewildered, scared, or confused inhabitants. That level of sensitivity should arguably encourage more robust security practices than an ordinary account.
Do you work at Ring? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password.
Other steps Ring could take to better keep hackers out includes checking whether someone is logging in from an IP address Ring has never seen before, and if so, carrying out additional checks, Cuthbert said. Another is checking for concurrent sessions, such as seeing whether the user is simultaneously logged in from, say, both Germany and the U.K., Cuthbert added, in case one of those may be a hacker accessing the account.
One member of a hacking forum who codes cracking tools, and who Motherboard granted anonymity so they could speak more openly about the process, said, "just enabling SMS verification if there is a connection from an unknown IP would instantly kill each checker." A checker is a piece of software that grinds through credentials to see if they work on a particular site or service.
CRACKING RING
Motherboard purchased a Ring camera to test what sort of security protections are in place to stop or slow hackers trying to break into Ring accounts. After setting up an account, the Ring app, and the camera itself, we shared the email address and password to the camera interface with multiple reporters who used both virtual private network software to connect to the camera from IP addresses from all over the world as well as physically being located in other countries.
We logged into the Ring app and website from the U.S., U.K., Spain, and Singapore, in some cases simultaneously and from various devices and browsers that had never been used to log into the platform before. At no point did Ring trigger any sort of alert, such as an email notification, to check that the IP address the system had never seen did indeed belong to the legitimate camera owner. Gmail, for instance, may email you if it detects a suspicious login attempt from a new location, a new device, or a new browser.
On a desktop web browser, someone who is logged in is able to watch historical, archived footage. From a smartphone app, someone who is logged in can watch live and historical footage, listen through the camera's microphone, speak through the camera's speaker, play an alarm, see the name of the specific Wi-Fi network the camera is connected to, see the address the user originally registered the Ring camera with, see the phone number a user has entered into the app, and see nearby crime "incidents." This shows the specific, user-selected home address plotted on a map. Ring requires that a user input a home address to set up the camera.
Multiple Motherboard staffers accessed these services simultaneously. But Ring provides no way to see how many people are logged in at once, meaning if a hacker is logged into the app, a Ring owner has no way to tell. If a user is livestreaming the camera feed, a blue light on the front of the camera turns on; however, many Ring users may not constantly be checking whether this light is on or not. Ring also doesn't appear to provide users a list of previous login attempts, making it harder to see if a hacker had access.
Ring hackers' software works by rapidly checking if an email address and password on the Ring web login portal works; hackers will typically use a list of already compromised combinations from other services. If someone makes too many incorrect requests to login, many online services will stop them temporarily from doing so, mark their IP address as suspicious, or present a captcha to check that the user trying to login is a human rather than an automated program. Ring appears to have minimal protections in place for this though. Motherboard deliberately entered the wrong password to our account on the login portal while connecting from the Tor anonymity network dozens of times in quick succession. At no point did Ring try to limit our login attempts or present a captcha.
One source sent Motherboard a screenshot of a piece of Ring cracking software in action.
"Headers can tell the website how legitimate a request is," they wrote along with the screenshot, headers referring to information a web request can include to give more information about the machine logging in. Headers can include the browser or operating system the request comes from, which could indicate if a login attempt is automated by software. "But Ring's security is such that even with minimal headers, you can get by," they added.
"Ring is a physical thing, they could implement something to securely pair it with an app on your smartphone. Then, mobile app approves web logins from untrusted web browsers," Dino Dai Zovi, mobile security lead at Square, wrote in a tweet on Sunday.
Security is a trade-off with efficiency. Ring may not want to have stricter checks in place so as to not raise barriers for its users. Perhaps a customer is out of the country but still wants to log into their account and check what has happened in view of the camera, meaning they may connect from a new IP address. But even with this trade-off in mind, Ring has made decisions to not provide users alerts with new logins or other protections.
Ring does offer two-factor authentication, where a user is required to enter a second code sent to them as well as their password, but Ring does not force customers to use it. Motherboard verified that Ring's two-factor authentication does work as advertised, but multiple people who were logged into the app didn't have to log back in after it was enabled—Ring didn't eject them nor ask them to enter a two-factor token. Ring did log everyone out after a password change, however.
Motherboard asked Ring a series of specific and detailed questions, such as whether Ring limits the number of login attempts, or blocks an attempt if the connecting IP address is from a country the user is not usually located in. The company responded with a statement nearly identical to its earlier one, saying, "Ring understands what a big decision it is to pick a home security product, and we don’t take that decision lightly. Ring will continue to introduce additional security features to keep Ring accounts and devices secure, and we're working with our customers to ensure they have the knowledge and tools to practice good password habits."
"They are worth billions so where is the investment in security."
The victims of Ring hacks have said themselves that they feel the company is putting too much burden on them to stop hackers. Ashley LeMay, one of the parents in Mississippi whose camera was hijacked to then spy on their children, told the New York Times she thought Ring's response provided scant information and shifted responsibility for the breaches onto customers.
"Auth [authentication] is still stuck in the '90s," Cuthbert said. "Username and password and very little other than that. That was ok back then but today we have a wealth of knowledge and experience to know that we need additional telemetry to make the [authentication] decision," he added.
Ring is advertised as a home security device which is supposed to make its customers safer by monitoring their homes. But its lack of certain security features shows how the device can work against its owners, and open them up to other risks. When I get home tonight, I'll put the Ring camera back into its box, regardless of whether that little blue light is on or not.
Jason Koebler, Emanuel Maiberg, and Lorenzo Franceschi-Bicchierai provided additional reporting for this piece.
Subscribe to our cybersecurity podcast, CYBER.
This article originally appeared on VICE US.