How to Protect Home Doorbells and Cameras From Hackers
As science continues to advance, more and more mundane things are becoming sophisticated pieces of technology. These days even doorbells have joined the ever-expanding list of Internet of Things (IoT) devices that have been compromised by malicious third parties. According to reports, credentials to 3000 Ring accounts have been hacked, which has resulted in a large number of attacks. In one disturbing report, a Ring camera in the bedroom of an eight-year-old girl was hacked by an individual, who told the girl to call her mother by racial slurs. And this isn't the only case of a camera being hacked. There have been multiple cases, which have resulted in lawsuits.
Unfortunately, smart home devices such as cameras, doorbells, smart speakers, and even appliances like refrigerators can be compromised by hackers today. Ring issued a statement denying the accusations, saying that its own systems were not compromised and that the account takeovers were the result of other systems being compromised.
This is what the Ring statement said:
"Here's what happened. Malicious actors obtained some Ring users' account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts. When people reuse the same username and password on multiple services, it's possible for malicious actors to gain access to many accounts."
The attacks referred to in the Ring statement are called "credential stuffing" attacks.
What happens is that users' account logins (most often their email addresses) and passwords get stolen by bad actors. These credentials are then sold to the highest bidder on the Dark Web and used to attempt to access other systems. It's unfortunate that so many users reuse the same passwords across various accounts. Once attackers have a victim's password, they can gain access to all of that victim's accounts across multiple systems.
Ring's instructions to change passwords and enable Two-Factor Authentication (2FA), while appropriate, are not enough to deter hackers. Most security experts believe that IoT devices, especially cameras, should have superior security measures.
This isn't the first time Ring has been involved in a data breach either. Previously, there were reports of Ring doorbells leaking WiFi credentials and a security flaw that let users stay logged into a device even after the device's password was updated.
The Ring breach is not the only example of leaked credentials resulting in an IoT hack. The famous Mirai botnet, which used factory default passwords to access multiple types of IoT devices, is the prime example of this practice. Static credentials (usernames and passwords) have proven to be ineffective and, worse, a potential security threat, because many owners do not bother to change them, due to ignorance or other reasons. We have more advanced security technology today, and default user credentials have proven to be a detriment more than anything else.
How to build secure IoT devices
IoT devices aren't a new, emerging technology anymore, and they demand advanced security. We cannot afford to sell internet-connected devices, like cars, cameras, smart doorbells, and appliances, with no or just barebones security measures. The State of California and the European Union have already begun enacting legislation that requires higher levels of security for IoT devices. Many other laws and regulations are being added to ensure the safety of IoT devices. More than that, government regulatory bodies like the FDA have started to add greater cybersecurity requirements for IoT devices in specific markets.
How to implement IoT security
The Ring breach was caused by poor security practices like password reuse, but that doesn't mean there's nothing Ring could have done. If it had required multi-factor authentication or certificate-based authentication for its devices, these leaks might have been prevented. It is imperative that IoT device manufacturers begin taking security more seriously and add more advanced security measures to their products. Technology is advanced enough that it is possible to build a connected home environment that is relatively secure from cyberattacks by using the latest security protocols.
Ideally, devices connected to the internet would have built-in security features that protect the device from attacks, protect the integrity of the device itself, and add device identity – so that the devices can be authenticated and securely communicate with each other via the Internet using sophisticated encryption algorithms. Some of the features that would improve IoT device security are:
- Add Secure Boot. This feature makes sure the software has not been tampered with from the initial "power on" to application execution. Also, it allows devs to securely code sign bootloaders, microkernels, operating systems, application code, and data.
- Enforce Device Identity Certificates. Stamping devices with digital certificates during manufacturing makes sure that the IoT devices are authenticated when added to a network, as well as before interacting with other devices in that network. This will protect them from counterfeit devices.
- Embed Firewalls into IoT devices. Embedded firewalls block communications with unauthorized devices and prevent malicious messages.
- Use Secure Elements. Original equipment manufacturers (OEMs) and medical device manufacturers must use a secure element, like a trusted platform module (TPM) compliant secure element, or an embedded secure element for secure key storage. Secure key storage ensures a secure boot, and PKI enrollment using key pairs created within the secure element adds exceptionally high levels of security and protection from hacks.
- Ensure Secure Remote Updates. It is critical to ensure that the device firmware has not been altered in any way before the installation. Secure remote updates make sure the components are not changed and are authenticated modules from the OEM.
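The Secure Boot item above describes a chain of trust from power-on to application execution. The following added example (not from the original article) models that chain in a simplified form: each stage stores the SHA-256 digest it expects for the next stage, and an immutable root digest anchors the first one. Production secure boot normally verifies code signatures against a hardware-anchored key instead of stored digests; the stage contents here are constructed placeholder bytes.

```python
import hashlib
import hmac

def measure(image):
    """SHA-256 over a stage's code plus the digest it expects for the next stage."""
    return hashlib.sha256(image["code"] + image["next_digest"].encode()).hexdigest()

def build_chain(stages):
    """Link (name, code) stages given in boot order; return (rom_digest, images)."""
    images, next_digest = [], ""
    for name, code in reversed(stages):
        image = {"name": name, "code": code, "next_digest": next_digest}
        next_digest = measure(image)
        images.insert(0, image)
    return next_digest, images  # digest of the first stage lives in immutable ROM

def verified_boot(rom_digest, images):
    """Run stages in order; return (stages_run, rejected_stage_or_None)."""
    expected, ran = rom_digest, []
    for image in images:
        if not hmac.compare_digest(measure(image), expected):
            return ran, image["name"]  # halt: never execute unverified code
        ran.append(image["name"])
        expected = image["next_digest"]
    return ran, None

# Constructed firmware images (placeholder bytes, not real code).
STAGES = [("bootloader", b"bl-v1"),
          ("operating system", b"os-v1"),
          ("application", b"app-v1")]
ROM_DIGEST, IMAGES = build_chain(STAGES)

def tamper_app(images, fix_parent=False):
    """Copy the chain with the application altered; optionally also rewrite
    the digest stored in the operating system stage to match it."""
    copy = [dict(image) for image in images]
    copy[2]["code"] = b"app-modified"
    if fix_parent:
        copy[1]["next_digest"] = measure(copy[2])
    return copy

if __name__ == "__main__":
    print(verified_boot(ROM_DIGEST, IMAGES))
    print(verified_boot(ROM_DIGEST, tamper_app(IMAGES)))
    print(verified_boot(ROM_DIGEST, tamper_app(IMAGES, fix_parent=True)))
```

Rewriting the stored digest to hide a modified application only moves the failure one stage earlier, because the operating system stage itself no longer matches what the bootloader expects.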