There's been a lot of creepy and concerning news about how Amazon's Ring smart doorbells are bringing surveillance to suburbia and sparking data-sharing relationships between Amazon and law enforcement. News reports this week are raising a different issue: hackers are breaking into users' Ring accounts, which can also be connected to indoor Ring cameras, to take over the devices and get up to all sorts of invasive shenanigans.
In Tennessee, a local news channel reported on Tuesday about a case where hackers hijacked an indoor Ring camera one family had placed in a bedroom and used it to talk to three young girls. And as Motherboard first showed, there are tools available online for breaking into Ring accounts by strategically guessing the login credentials. When account thieves record enough juicy audio from people's Ring feeds, there's even a podcast where they can broadcast it.
Though it sounds shocking, the situation with Ring is far from unique. At the beginning of the year, for example, hackers launched similar attacks against Nest cameras, complete with incidents where hackers were creepily talking to children through the devices. The manufacturers behind these devices—Amazon and Google, respectively—are both billion-dollar tech giants with massive development resources. The fact that their cameras regularly feature in these kinds of cases reflects a broader industry failure to produce trustworthy internet-of-things devices that are easy for consumers to set up in a secure and private way.
"We have ways of preventing attacks like this," says Ang Cui, founder of the IoT analysis and security firm Red Balloon. "We've been thinking about securely allowing people to access computers remotely for decades. So if we insist on making our doorbells a computer that connects to the internet, then we have to put the same level of care into securing those computers."
Turn It On
Basic security measures like good password hygiene and enabling two-factor authentication are enough to stop most attacks. Right now it's the user who ultimately has to take those steps. But it's also true that the companies making and selling these devices could do much more to educate people about these methods and encourage them to adopt them.
"IoT vendors emphasize, often rightly, that their products improve quality of life, but they often neglect to disclose the risk of these devices to consumers," says Jake Williams, founder of the security firm Rendition Infosec. "The onus of understanding how an IoT device might impact security should not be purely on the consumer. The vendor shares this responsibility."
When it comes to something like a Ring doorbell or camera, the devices can be genuinely useful, but they also generate sensitive data that would be valuable to many parties—from law enforcement to criminals or even nation-state hackers. Which makes security that much more important. And while Ring provides instructions for enabling two-factor authentication, Amazon doesn't require it or turn it on by default. If you're a Ring user, you definitely should turn it on.
To enable two-factor authentication on your account, open the Ring app, tap the three-lined icon in the upper-left corner of the screen, and go to Account > Enhance Security > Two-factor Authorization > Turn on Two-factor. Then enter your password and the mobile number where you'll receive the SMS messages with one-time login codes. Then enter the first test code and hit Continue. Keep in mind that you need to add two-factor individually to every "Shared" and "Guest User" account that branches off a main account.
Not One IoTa
Amazon did not return a request for comment from WIRED about the rash of recent Ring account compromises. It said in a statement to other outlets that, "While we are still investigating this issue and are taking appropriate steps to protect our devices based on our investigation, we are able to confirm this incident is in no way related to a breach or compromise of Ring's security."
Like almost all connected-device manufacturers, Amazon seems to have reservations about adding enhanced account protections like two-factor authentication that might create friction or make devices slightly harder to use in any way. In one informational page about account security, Amazon writes, "Won't two-factor authentication make it inconvenient to access my devices or account? Two-factor authentication will add an extra step to accessing devices. The extra step is worth it, however, for the added security it brings."
For years, critics have pointed out lax security and thoughtlessness in how IoT devices are designed, as attackers have ramped up mass-scale exploitation of embedded devices. Developers have begun to take IoT security more seriously in response, but researchers say that it's disheartening to see even the biggest players still making basic mistakes. Ring cameras have had their share of security vulnerabilities, and just this week Amazon issued fixes for a slew of vulnerabilities in its Blink home cameras that could have allowed device hijacks. Combined with an ongoing lack of emphasis at white-label companies and startups, industry progress overall is still slow.
"We've worked with several vendors that claim they can't both implement security and be profitable at early stages," Williams says. "In many cases the vendors themselves haven't done the threat modeling."
By not thinking through the risks, vendors leave consumers exposed to them. In theory, IoT security could be much more nuanced and robust, but researchers point out that it's hard to go deeper until the most basic IoT security issues are resolved.
Amazon has sold more than 100 million Americans on the benefits of paying for Prime accounts. It's time to use that power of persuasion to promote basic security protections.