The company said hackers were able to break into the camera in part because of weak passwords. It's unclear what Ring's security improvements will be.
- A Tennessee family said that hackers broke into a Ring home-monitoring camera in their 8-year-old daughter's bedroom, and the intruders were able to watch and speak to her.
- After the incident, Ring told Business Insider, "We will continue to introduce additional security features to keep our customer's Ring accounts and devices secure." It's not yet clear what those features are.
- The company suggested that the family's passwords were weak. But weak account credentials are common on the internet. Manufacturers also need to do more to prevent these kinds of hacks from happening.
A Tennessee family said their 8-year-old daughter was being watched after the Ring security camera installed in her bedroom was hacked. The hacker had watched and talked to her over the device, taunting her that he was Santa Claus, they said.
Ring said the hackers obtained the family's Ring account login credentials from "a separate, external, non-Ring service." The credentials could have come from a variety of sources, like the dark web or a hacker forum. Either way, the family's credentials were obtained.
In an official comment, Ring said that the hack was at least partly due to the family's security settings, which it implied were weak. "Unfortunately, when the same username and password is reused on multiple services, it's possible for bad actors to gain access to many accounts," the company said.
That's to say that the family's Ring account password may have been identical to passwords used on other accounts — one of which may have been included in any one of the numerous recent hacks where millions of accounts were compromised.
Still, Ring told Business Insider that the family was sent an email alert notifying them of unusual activity on their account. Unfortunately, it wasn't enough. More active security measures like two-factor authentication are available in Ring's security options, but they're optional.
After the incident, Ring told Business Insider, "We will continue to introduce additional security features to keep our customer's Ring accounts and devices secure."
The company didn't divulge what those additional security features would include, but practices like mandatory two-factor authentication or requiring a password change after a certain period of time are common in the industry.
This hack wasn't the only time Ring users have reported strangers having access to their devices recently. A woman said she was woken up when a man's voice coming from her Ring security camera was telling her dog to "wake the f--- up."
—Jessica Holley (@Jessica_Holley) December 10, 2019
It's hard to find a single source of weakness in these attacks. Insecure internet account credentials are common to connected internet life and hard to change without extended effort. (Here's how you can easily protect your accounts — we recommend using a password manager.) Some people take account security seriously, while others take it less so. And as for Ring, and most other companies, these vulnerabilities are the result of trying to balance security with ease of use.
Etay Maor, a security advisor at IBM Security, told Business Insider during an interview in July that if a company makes it too difficult or time-consuming to enter your account by using too many security steps like two-factor authentication, you'll often go to another company or service. Indeed, if Ring had forced more stringent security measures onto the affected family, or any user, they might have returned the Ring and used a different company's camera that didn't make it as difficult to log into their account.
Unfortunately for everyone, that's what needs to happen. If a company wishes to actively prevent something like the Ring hack from happening, it needs to make it harder for unintended users to log into an account. And that could mean making active security measures like two-factor authentication mandatory, or using another security measure that's equally effective.