Though it sounds shocking, the situation with Ring is far from unique. At the beginning of the year, for example, hackers launched similar attacks against Nest cams, complete with incidents where hackers were creepily talking to children through the devices. The manufacturers behind these devices—Amazon and Google, respectively—are both billion-dollar tech giants with massive development resources. The fact that their cameras regularly feature in these kinds of cases reflects a broader industry failure to produce trustworthy IoT devices that are easy for consumers to set up in a secure and private way.
"We have ways of preventing attacks like this," says Ang Cui, founder of the IoT analysis and security firm Red Balloon. "We've been thinking about securely allowing people to access computers remotely for decades. So if we insist on making our doorbells a computer that connects to the internet, then we have to put the same level of care into securing those computers."
Turn It On
Basic security measures like good password hygiene and enabling two-factor authentication are enough to stop most attacks. Right now it’s the user who ultimately has to take those steps. But it’s also true that the companies making and selling these devices could do much more to educate people about these methods and encourage them to do it.
"IoT vendors emphasize, often rightly, that their products improve quality of life, but they often neglect to disclose the risk of these devices to consumers," says Jake Williams, founder of the security firm Rendition Infosec. "The onus of understanding how an IoT device might impact security should not be purely on the consumer. The vendor shares this responsibility."
When it comes to something like a Ring doorbell or camera, the devices can be genuinely useful, but they also generate sensitive data that would be valuable to many parties—from law enforcement to criminals or even nation state hackers. Which makes security that much more important. And while Ring does provide instructions for enabling two-factor authentication, Amazon doesn't require it or turn it on by default. If you're a Ring user, you definitely should if you haven't already.
To enable two-factor authentication on your account, open the Ring app, tap the three-lined icon in the upper left corner of the screen and go to Account > Enhance Security > Two-factor Authorization > Turn on Two-factor. Then enter your password and the mobile number where you'll receive the SMS messages with one-time login codes. Then enter the first test code and hit Continue. Keep in mind that you need to add two-factor individually to every "Shared" and "Guest User" account that branches off a main account.
Not One IoTa
Amazon did not return a request for comment from WIRED about the rash of recent Ring account compromises. It said in a statement to other outlets that, "While we are still investigating this issue and are taking appropriate steps to protect our devices based on our investigation, we are able to confirm this incident is in no way related to a breach or compromise of Ring’s security."