Ring Sued Over Hacked Cameras That Exposed Children's Privacy

Ring Cameras Hacked Lawsuit

Unfortunately, we tend not to think about the consequences when we're connecting more and more devices to the internet. Last year, for example, Ashley LeMay and Dylan Blakeley bought a couple of IP cameras manufactured by Ring and installed them in their house with the intention of using them as baby monitors. They liked the idea that in addition to keeping an eye on their kids, they can also use the camera's speaker to talk to their children, and for a while, they were pretty happy with their choice. On December 4, however, an unidentified cybercriminal managed to hack and take control over Blakeley's cameras. First, the hacker played some creepy music, and he later spoke to the children who, the footage shows, were terrified.

A few days later, Todd Craig and Tania Amador, a couple from Texas, found themselves in a similar situation after their surveillance devices got hacked, and there were reports of other Ring camera owners getting hit by the attack. These are among the creepiest cybersecurity incidents we've seen lately, and, not surprisingly, the backlash against Ring has been significant.

It could very well get worse, though, because last week, the two couples, along with other owners of hacked Ring cameras, announced that they will sue the Amazon-owned vendor. But is Ring solely responsible for the attack?

Ring said that its systems were not breached

Not surprisingly, in the wake of the attack, Ring started an investigation, and within about a week, it announced that the creep who spoke to 8-year-olds through another person's security camera never actually managed to break the vendor's security systems. The blog post said that he took control of the camera by taking username and password combinations stolen from another service and trying them out on the victim's Ring accounts. In other words, Ring camera owners were hit by a credential stuffing attack.

This is yet another proof of how negligent we are towards the potential consequences of connecting a large number of gadgets to the internet. By reusing their passwords on more than one online service, the owners of the hacked cameras enabled the credential stuffing attack, and they made the hackers' lives even easier by failing to set up two-factor authentication. A few weeks after the attack, some Ring passwords ended up on a dark web marketplace, and it turned out that many of them were terrifyingly easy to guess, which hammers the point home even further.

In other words, although they are right to feel angry about the gross invasion of privacy they had to deal with, the owners of the hacked cameras must also take their share of the blame.

It's not all down to password reuse

You can see that people's attitude towards their own privacy and security is far from ideal, but this is not really news. The problem has existed for years now, and it looks like people just aren't willing to get their act together. Service providers and hardware vendors do have more than a few methods for nudging people away from making the same old mistakes, though. They can, for example, impose password rules that would stop people from protecting their accounts with something simple and easy to guess like "12345678" and "password." According to TechCrunch, however, you can still use these passwords even now, close to two months after December's hacking incidents. The vendor was also criticized for using SMS messages as a medium for 2FA one-time passwords, which isn't the best option, especially when a compromised account can have such serious privacy implications.

Speaking of which, there are other precautions that could have kept Ring owners a bit more secure. Many online services alert users when their accounts are accessed from an unknown device, for example, and almost all of them impose a limit on the number of failed login attempts from a single IP. According to the lawsuit, however, Ring didn't implement these measures.

If there's anything we can learn from the whole incident, it's that both vendors and users have everything the tools to prevent simple credential stuffing attacks and avoid serious privacy problems. Unfortunately, neither Ring nor its customers used these tools, and the consequences were pretty horrific.

February 4, 2020

Leave a Reply