Home security company Ring suffered a data leak. It is the actions the company took after the leak that drew the ire of the EFF.
While the size of the data breach isn't particularly big, the details are rather creepy. A mother installed the Ring security system to give her peace of mind, setting up a camera in her 8-year-old daughter's room for protection. What happened next was anything but reassuring. From The Washington Post:
Then, as the 8-year-old wandered around her room alone, the mysterious song abruptly stopped.
“Hello there,” a man’s voice said.
It wasn’t Alyssa’s father, who was elsewhere inside the family’s Mississippi home. The voice belonged to a stranger. And not only could the faceless man speak to the young girl — he could see her.
In a chilling exchange caught on video last week, the LeMays say the man was able to interact with their daughter after hacking into a Ring security camera that had recently been installed in the bedroom shared by Alyssa and her two younger sisters. Over the course of several minutes, the man repeatedly directed a racial slur at Alyssa and tried to persuade her to misbehave, according to a copy of the video obtained by The Washington Post.
As disturbing as the video and the family's account are, this proved not to be an isolated case. BuzzFeed reported shortly afterward that thousands of login credentials had been leaked online:
The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”
Using the log-in email and password, an intruder could access a Ring customer’s home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.
Ring denied that there was any leak or breach. Unfortunately, what Ring did next is what led the Electronic Frontier Foundation (EFF) to accuse the company of throwing its customers under the bus. Ring says the compromised accounts are the result of credential stuffing. In a credential stuffing attack, attackers take email and password pairs leaked from breaches of other services and replay them against a different service's login page. Wherever a customer reused the same password, the login succeeds and the attacker gains entry. The EFF blasted the company for its response:
Ring is attempting to place the blame squarely at the feet of their customers for reusing passwords, using weak passwords, and not turning on two-factor authentication. The truth is that Ring itself deserves the largest share of blame for every attack that their users have suffered.
We don’t currently know how the Ring account data was acquired but for the moment let’s take Ring at their word that this was a credential stuffing attack. That implies that an attacker tried tens or even hundreds of thousands of username and password combinations on Ring’s website, and Ring didn’t even notice until they were alerted by security researchers.
Best practices in website security provide a few basic guidelines. First, numerous subsequent failed attempts on an account should result in extra scrutiny for logging in to that account. This may include limiting the number of attempts or locking the account until the owner can be contacted. Second, when a password is chosen for an account, this should go through some form of scrutiny: checking whether it is in a list of known compromised passwords and ensuring that it is sufficiently complex. Third, account holders should be able to see (and audit) the list of devices that have logged in to their account. And fourth, companies should encourage users to enable two-factor authentication (2FA) in their account settings.
Ring cameras have extremely sensitive data—live footage adjacent to and often within the home—at their disposal. This means that Ring should be extra careful with account information, not just employing basic account protections. And although Ring has 2FA available for accounts, they rarely encourage its use to protect user accounts, with the exception of the email above. Furthermore, they appear to have not even followed any of the other best practices listed above. And instead of giving users clear channels of remediation, they’re placing the blame for the data breach on their own users.
The EFF goes on to point out other security mistakes made by the company in the past. They also say that the company is simply placing the security burden on their customers instead of doing more.
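To make the mechanics concrete, here is an added example in Python. It is not code from Ring, BuzzFeed, the EFF or the original article. It implements the first three controls the EFF quote lists (per-account lockout after repeated failures, screening new passwords against a breached-password list, and a login audit trail the account holder can review) and adds a detector for the credential stuffing pattern described above. It goes slightly beyond the text in one respect: it shows why per-account lockout alone does not catch stuffing, since the attacker tries one leaked pair per account and no single counter trips, so the detector looks for one source touching many distinct accounts in a short window. The thresholds, minimum password length, IP addresses, email addresses, breached-password list and log format are all assumptions constructed for the demonstration.

```python
"""Added example, not code from Ring, BuzzFeed or the EFF.  A toy account
service implementing the controls the EFF quote lists, plus a detector for the
credential-stuffing pattern the article describes.  Every password, email,
IP address, threshold and log line below is constructed for the demo."""
import hashlib
import hmac
from collections import defaultdict

# Constructed breached-password corpus, stored as SHA-1 digests (the form the
# Have I Been Pwned dataset uses) so the check list never holds plaintext.
# "correcthorsebatterystaple" is included to show that length alone does not
# rescue a password that is already in a breach corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "ring2019", "correcthorsebatterystaple")
}

MAX_FAILURES = 5        # consecutive failures before an account is locked (assumed)
LOCKOUT_SECONDS = 900   # lock length; a real service would also notify the owner


def password_is_acceptable(pw: str) -> bool:
    """Second EFF guideline: reject known-compromised passwords and enforce a
    minimum length (12 here, an assumption)."""
    if len(pw) < 12:
        return False
    return hashlib.sha1(pw.encode()).hexdigest().upper() not in BREACHED_SHA1


class AccountService:
    """First guideline (per-account lockout) and third (device audit trail)."""

    def __init__(self, users, now):
        # users: email -> password.  Plaintext only because this is a toy; a
        # real service stores a salted, slow hash such as argon2id.
        self.users = users
        self.now = now                        # injectable clock, unix seconds
        self.failures = defaultdict(int)      # email -> consecutive failures
        self.locked_until = {}                # email -> unix time lock expires
        self.devices = defaultdict(list)      # email -> successful logins

    def login(self, email, password, device, ip):
        t = self.now()
        if self.locked_until.get(email, 0) > t:
            return "locked"
        stored = self.users.get(email, "")
        # Constant-time compare; an empty stored value fails for unknown users.
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[email] = 0
            self.devices[email].append({"device": device, "ip": ip, "at": t})
            return "ok"
        self.failures[email] += 1
        if self.failures[email] >= MAX_FAILURES:
            self.locked_until[email] = t + LOCKOUT_SECONDS
            return "locked"
        return "bad_credentials"

    def login_history(self, email):
        """What the account holder should be able to see and audit."""
        return list(self.devices[email])


def detect_credential_stuffing(log_lines, window=60, min_accounts=20):
    """Per-account lockout alone misses credential stuffing: the attacker tries
    one leaked pair per account, so no single counter trips.  The tell is one
    source touching many *distinct* accounts in a short window.
    Log format (constructed): '<unix_ts> <ip> <email> <ok|fail>'."""
    by_ip = defaultdict(list)
    for line in log_lines:
        ts, ip, email, result = line.split()
        by_ip[ip].append((int(ts), email, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):          # sliding time window per source
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {e for _, e, _ in span}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > best["accounts"]):
                best = {
                    "accounts": len(accounts),
                    "attempts": len(span),
                    "failures": sum(1 for _, _, r in span if r == "fail"),
                }
        if best:
            flagged[ip] = best
    return flagged


def build_sample_log():
    """Constructed log: one source replays 30 leaked email/password pairs, one
    per account; three succeed because those customers reused passwords.  A
    legitimate user elsewhere mistypes twice and then logs in."""
    lines = [
        f"{1000 + i} 203.0.113.7 user{i}@example.com {'ok' if i in (4, 11, 23) else 'fail'}"
        for i in range(30)
    ]
    lines += [
        "1000 198.51.100.4 alice@example.com fail",
        "1003 198.51.100.4 alice@example.com fail",
        "1007 198.51.100.4 alice@example.com ok",
    ]
    return lines


if __name__ == "__main__":
    print(detect_credential_stuffing(build_sample_log()))
```

Run against the constructed log, the detector flags only the source that touched 30 accounts in 30 seconds with 27 failures; the legitimate user's two typos from a single account are ignored. The point for a service in Ring's position is that this signal exists server-side regardless of what passwords its customers chose, which is why the EFF's quote argues the burden of noticing an attack like this should not fall on the customer.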
For some observers, this is yet another case showing that IoT (Internet of Things) devices are not to be trusted with anything sensitive. We saw it earlier this year when the FDA (Food and Drug Administration) had to issue a recall of insulin pumps because of a security vulnerability. In January, a study was published reporting that 58% of UK businesses could not detect a security breach in their IoT devices.
This latest incident will not help the security image of IoT devices. If anything, it reinforces the impression that these devices are creepy more than anything else. After all, would you trust a cloud-connected home security system after reading the details of this story?
Drew Wilson on Twitter: @icecube85 and Facebook.