Online Forum Members Exploited Weak Credentials To Turn Ring Cameras Against Their Owners
from the i-m-in-ur-house-yelling-at-ur-kids dept
To add to all the bad news that is Ring camera's life cycle to this point comes the report that a group of malcontents has been exploiting default/weak credentials to gain access to cameras. Joseph Cox has the this-would-be-funny-if-it-weren't-so-scary details at Motherboard.
Hackers have created dedicated software for breaking into Ring security cameras, according to posts on hacking forums reviewed by Motherboard. The camera company is owned by Amazon, which has hundreds of partnerships with police departments around the country.
On Wednesday, local Tennessee media reported that a hacker broke into a Ring camera installed in the bedroom of three young girls in DeSoto County, Mississippi, and spoke through the device's speakers with one of the children.
The family said they had the camera for four days, during which time the hacker could have been watching the kids go about their day.
There's not much actual hacking going on. What appears to be happening is purchasers aren't choosing unique passwords when they set up their cameras. They also aren't using the two-factor authentication Ring recommends.
There are enough cameras out there (and more being installed every day) that there's an entire forum set up just for the hijacking of Ring cameras/doorbells. Forum members are selling exploit tools to each other which allow these jackasses to brute force Ring devices using credentials (usernames/email addresses and passwords) found elsewhere on the web.
The popular exploitables have even spawned a podcast featuring unsuspecting device owners being trolled by jerks who have gained access to Ring and Nest cameras. This is what's in store for device owners who haven't properly secured their new purchases.
A blaring siren suddenly rips through the Ring camera, startling the Florida family inside their own home.
"It's your boy Chance on Nulled," a voice says from the Ring camera, which a hacker has taken over. "How you doing? How you doing?"
"Welcome to the NulledCast," the voice says.
The NulledCast is a podcast livestreamed to Discord. It's a show in which hackers take over people's Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners. In the example above, Chance blared noises and shouted racist comments at the Florida family.
Good times. Nulled forum members are starting to scatter, now that Joseph Cox has shined a light on their dirty little games. The Nulled admin has nailed an unbelievable statement to the top of the forum, saying that Nulled does not tolerate the "harassments of individuals over Ring cameras or any similar." This posting followed some "unscheduled maintenance," which occurred shortly after Motherboard's first article on Ring exploitation went live.
Panic has ensued. Cox reports the forum is in disarray, with members quitting or changing their usernames. Some appeared to be worried law enforcement is all over this. Others think the only ones going to jail are the members who participated in the podcasted Ring hijacking.
But it's not over yet. A few members appear to be willing to roll the dice on possible legal charges.
It doesn't seem the livestreaming of Ring hacking is going to end just yet, however.
"Podcast dead?" one user on the Nulled Discord asked Wednesday night.
Another user replied, "Nope. Tune in Friday. Like and subscribe."
Perhaps the focus of the podcast will change. Considering the channel's been dedicated to finding exploitable devices and exploiting them to create content, any pivot will likely be short lived.
In the meantime, Ring is doing about the only responsible thing it's ever done.
"As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords," [Ring] added.
Perhaps more education of consumers is in order. Security recommendations are great, but purchasers appear to feel installing the cameras is the end of the job. It's one thing to get your sidewalk-facing doorbell camera hacked. It's quite another to have your interior cameras turned against you. The Internet of Things continues to be awful. Ring's general awfulness kind of obscures the fact that this particular debacle isn't really Ring's fault. But it could be doing more. It could prevent deployment until two-factor authentication is engaged. And it could ease up a bit on its promises of home security when the default setup process allows outsiders to virtually enter the homes of Ring owners.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hackers, harassment, podcast, ring
Companies: amazon, ring
Reader Comments
Subscribe: RSS
View by: Time | Thread
'Eh, I'll get around to it eventually'
Buying and installing an internet connected security camera(or security anything really) and keeping the default settings is rather like buying a sturdy steel-reinforced door for your house and not bothering to add a lock to it, instead using a simple no-lock doorknob.
Yes it's technically more secure than the alternative of nothing, but at that point the only 'security' is security theater, and if anything you've merely added another vulnerability for others to exploit.
[ link to this | view in chronology ]
it actually is Amazon's fault, not Rings
Amazon has the technology to make the device require a unique, unexposed password before it can be reached from outside of the local network. That they have simply chosen not to do so makes it entirely their fault.
[ link to this | view in chronology ]
Re: it actually is Amazon's fault, not Rings
While Amazon may be at fault for not doing more to ensure their devices were installed securely, the fault in the case described by this article lies entirely at the feet of those who participate in that podcast. They're the ones who actually committed the act, not Amazon or its employees.
One of the major problems with the world today is failing to assign blame where it is due and instead going after the biggest company in the blame-chain, no matter how tenuous the relationship to responsibility. "You could have done more!" is the warcry of those looking for a payout instead of justice.
[ link to this | view in chronology ]
Re: Re: it actually is Amazon's fault, not Rings
That's only half true. Yes the podcast is at fault for choosing to break into the devices, but the users that chose not to secure them absolutely bear some responsibility for choosing not to keep a camera they knew they stuck on the internet and pointed at their children locked.
[ link to this | view in chronology ]
Re: Re: it actually is Amazon's fault, not Rings
"One of the major problems with the world today is failing to assign blame where it is due and instead going after the biggest company"
Don't know that I would call it a major problem with the world today. Guess it depends upon what one considers to be major.
How many people die each year as a result of this blame game?
[ link to this | view in chronology ]
Re: it actually is Amazon's fault, not Rings
The truth is probably far worse. Very likely that Amazon is collecting data from these cameras like they do from all their services and devices so they can sell the collated tabulated linked etc. data + results to all buyers willing to pay up.
Have to wonder how many Amazon employees or contractors are reviewing camera feeds 'For Quality Control Purposes'?
If your 'security' device requires a cloud connection to operate, then it isn't a security device and is most likely a data collection and monitoring device that isn't working for you.
[ link to this | view in chronology ]
Re: it actually is Amazon's fault, not Rings
Just a minor point, but if they're doing it right they do not know what your password is, and so cannot ensure it is unique.
[ link to this | view in chronology ]
I would say that a better question to ask
Is why in the hell the parents set up a security camera in a little girl's bedroom.
[ link to this | view in chronology ]
Re: I would say that a better question to ask
And why use an Internet connected camera? It's not as though remote monitoring of young children is a desirable form of child care, a parent of child minder should be in the house to look after the children.
[ link to this | view in chronology ]
Re: Re: I would say that a better question to ask
Because everyone has unlimited cash and time.
[ link to this | view in chronology ]
Re: Re: I would say that a better question to ask
Because the world has become so stupidly enamored with the internet that no one has even considered providing one that can connect to your private network but NOT force it to be connected to the internet.
And making it easier to occasionally check in on your young children is not "remote monitoring" of them. How the camera is being used matters, not just the fact that one was being used at all.
[ link to this | view in chronology ]
Re: I would say that a better question to ask
Because .. helicopter parents?
[ link to this | view in chronology ]
Re: I would say that a better question to ask
They're cheap, easy to set up, don't need to be connected to other devices to run, and the children can use it to page and talk to their parents or show them something if they need to. All the kid has to be able to do is push the button. And the parents can check on the kids remotely any time they want without needing the kids to answer a call.
[ link to this | view in chronology ]
Re: Re: I would say that a better question to ask
Right, and you can teach the kids to cover up the camera when they are changing clothes too. Oh...wait...if you do that some smart ass kid will also learn to cover up the camera when they are doing something they don't want their parents to see. How long then till they figure out that loud music will cover up their plotting being captured by the microphone.
Actions have consequences. Who would have thought. Apparently not these parents.
[ link to this | view in chronology ]
Re: Re: I would say that a better question to ask
The modern world ... where parents are too busy to be bothered watching their offspring. What, you may ask, are they doing that is so important?
\What's next? A robot nanny?
[ link to this | view in chronology ]
What's next...
Well, the police are at some point going to get a strip show by kids in their bedroom. The footage may end up on the internet accidentally.
And the footage will probably get distributed quietly through the precinct before the kids or the parents are then SWAT raided for child porn distribution. Meanwhile, the kids undressing will wind up on the internet, maybe even used by the FBI as bait for child-porn purveyors.
At least that's how it's going to go down in a cyberpunk dystopia novel.
[ link to this | view in chronology ]
Re: What's next...
I can see that...
[ link to this | view in chronology ]
Re: I would say that a better question to ask
Because they are legless, lazy?
[ link to this | view in chronology ]
This ring of surveillance maniacs deserves every bit of shit that comes flying their way.
[ link to this | view in chronology ]
Re:
It's not the kids fault
[ link to this | view in chronology ]
Maybe it is time to throw a little chlorine into the hacker pool? Livestreaming the hacking of someone's device seems just the other side of posting it on your Facebook account.
Of course, first you have to get law enforcement's attention. After all, these hackers aren't actually killing anyone, and it is unlikely that they'll have loads of cash (or a fancy car) laying about for civil forfeiture bait.
[ link to this | view in chronology ]
Re:
"Maybe it is time to throw a little chlorine into the hacker pool?"
Death for hijacking, meanwhile real killers go loose
[ link to this | view in chronology ]
the test for Law Enforcement will be
How intent on shutting that down are they when they're benefiting so much from it.
[ link to this | view in chronology ]
Re: the test for Law Enforcement will be
Probably a lot, since trust from the sheep is essential.
[ link to this | view in chronology ]
Re: Re: the test for Law Enforcement will be
Is it though? Somehow, the police in Baltimore still exist.
[ link to this | view in chronology ]
World in your Living Room
Gives whole new meaning to the "World in your Living Room" concept. Oh, wait, no it doesn't...that ship sailed with Alexa.
We're a ways past the day when you could bring the toaster home in a box, open it, toss the directions, plug it in and use it. Successfullly. A tissue page of directions in Flyspeck 4pt font was just fine for a toaster, who bothered to read them anyway?
Where security is necessary, the tissue with the instructions isn't cutting it. Security needs to be inherent, or else the user needs to be hand-held through it.
But, hey, buyer beware.
[ link to this | view in chronology ]
There's nothing sweeter than seeing the ignorant forced to confront their ignorance.
[ link to this | view in chronology ]
Re:
Why?
[ link to this | view in chronology ]
"I walked into a burning RING of fire..."
[ link to this | view in chronology ]
I'm beginning ro believe IoT stands for Idiots Owning Technology.
[ link to this | view in chronology ]
Re:
Idiots all led to the slaughter by internet disinformation that has them going to hell and looking forward to the trip.
[ link to this | view in chronology ]
As for why sites should be forced to host speech it disagrees with, eliminating the potential to "moderate" away any warnings about stuff like this is the most compelling agreement. USENET stands alone as the one place that whistleblowing about this could not be silenced.
[ link to this | view in chronology ]
Re:
*argument, for the language "enthusiasts"
[ link to this | view in chronology ]
Re:
Because of all the sorts of content that a site might not want to host and therefore needs to be forced to, notifications that a camera is about as secure as a screen door would definitely be the sort that needs 'protecting' so it can stay up given how people would just be tripping over themselves to remove that. /s
Would you perhaps like to try again with an example that isn't absurd?
[ link to this | view in chronology ]
Re:
Wrong article, mate.
[ link to this | view in chronology ]
Education
Am I being overly cynical to think that this form of exploitation is the only "education" likely to work? I mean, we've been telling people for a decade or two to use strong passwords and to physically cover up any cameras they aren't actively using, and here they are putting internet-connected cameras in a bedroom.
[ link to this | view in chronology ]
Re: Education
It's kind of like that math forced upon you in school where both you and the teacher had a hard time expressing how one might use it later in life. Until it has some personal impact on you, that is voraciously shoved down your throat, it is more like a spring shower. Annoying but un-impactful, unless your vegetation.
The question then becomes, how does one make IoT security voracious enough to impact all the Joe and Jane six packs of the world? Knowing about this might be a start, but I doubt it will be sufficient.
[ link to this | view in chronology ]
Re: Re: Education
"that math forced upon you in school"
What they called new math? LOL - it was stupid then and it remains so. General mathematics has not changed, what has changed is the silly ways they try to teach it.
[ link to this | view in chronology ]
Re: Re: Re: Education
Sorry, I missed the new math by a couple or three decades, but I still value why I might need to know the volume of a cone, even if I have to look up how to calculate it these days.
(For those not thinking, the value is in determining how much ice cream you can stuff into it) -:)
[ link to this | view in chronology ]
Re: Re: Re: Re: Education
I can only think of one way to enforce security, and that would be to design the enforcement into the setup process.
all these devices that connect to the internet would need to be kept from connecting if the owner has not set up the basic security features. Default credentials? No go. Not set up for whatever MFA process is in place? No go. Attempting to connect to an unsecured router? No go.
All of which would require a sea change in the approach of the manufacturers of these devices - the focus is on convenience of setup, which means plug-and-play and auto-activations, which means security options do not get enforced. I don't see it happening anytime soon, but it's the only thing I can think that might work.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Education
It's funny that some think iot can be secured
[ link to this | view in chronology ]
"some think iot can be secured"
Some think IoT devices can be secured better than they are, by far. Even air-gaps are penetrable with a determined enough hacker. But IoT devices are being shoved onto the market with little to no security and teeming with data leaks.
I mean the least I need out of my smart refrigerator is for it to not compromise my email accounts, let alone leave the door open to hackers.
[ link to this | view in chronology ]
Re: Re: Re: Re: Education
You put icecream in a cone, I prefer green buds :)
[ link to this | view in chronology ]
Greaat knock on the door..
Ring the door bells in peoples heads about security and IOT..
Bring back the Barbie story..
Bring up how Security cams that Link directly NOT' to your own system, but to services outside, and require it. Sounds just like the failings of DRM.
Give me a Wireless NAS inside a Wall/hidden very well.. and link my Security and IOT to it.. And it Wont broadcast its location. Must know its Network and name to get logged into it.
The Thief cant find it, the cops wont, the kids wont, the Dog wont, the cat wont sleep on it..
[ link to this | view in chronology ]
Behold the new robot uprising
Does anyone else remember when thousands of YESCO billboards set up around Atlanta when they suddenly stopped posting an AT&T advert and rather showed goatse/hello.jpg instead, for hundreds of thousands of citizens to behold?
We should be grateful that this is what happened first, that it's mischief and not something that resulted in a death.
Amazon needs to get on this now and update Ring's security so that it's really hard to hack one. Like, right
now.
Otherwise worse things will happen and someone eventually will die.
[ link to this | view in chronology ]
Re: Behold the new robot uprising
If you think that forcing users to set up security will result in stronger security, you have little experience of what users are capable of.
[ link to this | view in chronology ]
Forcing users to set up security
We already have phones that set up a lot of security the first time it's powered on. If Ring units were issued one of 20,000 default randomized passwords (say two common six-letter-plus words in sequence) issued as a default, that would be more secure than every unit dropping off the assembly line with a single shared default password.
Yes, it's up to users to be vigilant, but this doesn't mean the manufacturer needs to be any less responsible. Especially since, yeah, IoT devices are turning into botnet zombies that already serve organized crime (often while still serving their initial function, more or less).
[ link to this | view in chronology ]
Re: Behold the new robot uprising
I don't remember that, but it sounds hilarious. Good old goat.se.
[ link to this | view in chronology ]
hacking
dublicate softwares have always been an issue its is required to completly understand the software then move further.
thanks for this article
<a href="https://linksys-smartwifisetup.net/">Linksys router login</a>
[ link to this | view in chronology ]
Just a matter of time
till ring obsoletes the tech like our much loved DRM and IoT lightbulbs
[ link to this | view in chronology ]
Yep. Irresponsible product.
IT professionals know that they need to assume that their clients have little understanding of technology and just treat it as magic. Thus, you have to treat them as requiring all the help you can provide.
This is predictable. Assume 10% of your customer base are lazy/stupid/dont-understand (whatever). You sell 100 000 units.
Thus there are 10 000 hackable units out there. What is going to happen?
I blame the manufacturer. This is a preventable, predictable mess.
[ link to this | view in chronology ]