Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis
2019-12-13 18:27
火星译客

There's been a lot of creepy and concerning news about how Amazon's Ring smart doorbells are bringing surveillance to suburbia and sparking data-sharing relationships between Amazon and law enforcement. News reports this week are raising a different issue: hackers are breaking into users' Ring accounts, which can also be connected to indoor Ring cameras, to take over the devices and get up to all sorts of invasive shenanigans.

There has been a lot of creepy and worrying news about how Amazon's Ring doorbells are bringing surveillance to the suburbs and sparking data-sharing relationships between Amazon and law enforcement. This week's news reports raise a different issue: hackers are breaking into users' Ring accounts, which can also be connected to indoor Ring cameras, taking over the devices to carry out all sorts of privacy-invading pranks.

In Tennessee, a local news channel reported on Tuesday about a case where hackers hijacked an indoor Ring camera one family had placed in a bedroom and used it to talk to three young girls. And as Motherboard first showed, there are tools available online for breaking into Ring accounts by strategically guessing the login credentials. When account thieves record enough juicy audio from people's Ring feeds, there's even a podcast where they can broadcast it.

In Tennessee, a local news channel reported on Tuesday on a case in which hackers hijacked an indoor Ring camera that a family had placed in a bedroom and used it to talk to three young girls. And, as Motherboard first showed, there are tools available that crack Ring accounts by strategically guessing login credentials. When account thieves have recorded enough juicy audio from people's Ring feeds, they can even broadcast it on a podcast.

Though it sounds shocking, the situation with Ring is far from unique. At the beginning of the year, for example, hackers launched similar attacks against Nest cameras, complete with incidents where hackers were creepily talking to children through the devices. The manufacturers behind these devices—Amazon and Google, respectively—are both billion-dollar tech giants with massive development resources. The fact that their cameras regularly feature in these kinds of cases reflects a broader industry failure to produce trustworthy internet-of-things devices that are easy for consumers to set up in a secure and private way.

Although this sounds shocking, Ring's situation is far from an isolated case. At the beginning of this year, for example, hackers launched similar attacks on Nest cameras, including incidents in which hackers held creepy conversations with children through the devices. The manufacturers behind these devices are Amazon and Google respectively, both billion-dollar tech giants with massive development resources. The fact that their cameras regularly appear in cases like these reflects a broader industry failure: the inability to produce trustworthy IoT devices that consumers can easily set up in a secure and private way.

"We have ways of preventing attacks like this," says Ang Cui, founder of the IoT analysis and security firm Red Balloon. "We've been thinking about securely allowing people to access computers remotely for decades. So if we insist on making our doorbells a computer that connects to the internet, then we have to put the same level of care into securing those computers."

"We have ways to stop attacks like this," says Ang Cui, founder of the IoT analysis and security firm Red Balloon. "For decades we have been thinking about how to let people access computers remotely in a secure way. So if we insist on turning our doorbells into computers connected to the internet, then we have to put the same effort into protecting those computers."

Turn It On

Basic security measures like good password hygiene and enabling two-factor authentication are enough to stop most attacks. Right now it's the user who ultimately has to take those steps. But it's also true that the companies making and selling these devices could do much more to educate people about these methods and encourage them to do it.

Basic security measures, such as good password habits and enabling two-factor authentication, are enough to stop most attacks. Right now it is the user who ultimately has to take those steps. But the fact is that the companies making and selling these devices could do much more to tell people about these methods and encourage them to use them.

"IoT vendors emphasize, often rightly, that their products improve quality of life, but they often neglect to disclose the risk of these devices to consumers," says Jake Williams, founder of the security firm Rendition Infosec. "The onus of understanding how an IoT device might impact security should not be purely on the consumer. The vendor shares this responsibility."

Jake Williams, founder of the security firm Rendition Infosec, says: "IoT vendors often emphasize, rightly, that their products improve quality of life, but they often neglect to disclose the risks of these devices to consumers. The responsibility for understanding how an IoT device can affect security should not rest entirely on the consumer; the vendor shares it."

When it comes to something like a Ring doorbell or camera, the devices can be genuinely useful, but they also generate sensitive data that would be valuable to many parties—from law enforcement to criminals or even nation-state hackers. Which makes security that much more important. And while Ring provides instructions for enabling two-factor authentication, Amazon doesn't require it or turn it on by default. If you're a Ring user, you definitely should turn it on.

When it comes to something like a Ring doorbell or camera, the devices can be genuinely useful, but they also generate sensitive data that is valuable to many parties, from law enforcement to criminals and even nation-state hackers. That makes security all the more important. Although Ring provides instructions for enabling two-factor authentication, Amazon does not require it and does not turn it on by default. If you are a Ring user, you should definitely turn it on.

To enable two-factor authentication on your account, open the Ring app, tap the three-lined icon in the upper-left corner of the screen, and go to Account > Enhance Security > Two-factor Authorization > Turn on Two-factor. Then enter your password and the mobile number where you'll receive the SMS messages with one-time login codes. Then enter the first test code and hit Continue. Keep in mind that you need to add two-factor individually to every "Shared" and "Guest User" account that branches off a main account.

To turn on two-factor authentication for your account: open the Ring app, tap the three-line icon in the upper-left corner of the screen, and go to Account > Enhance Security > Two-factor Authorization > Turn on Two-factor. Then enter your password and the mobile number at which you will receive the text messages containing one-time login codes. Then enter the first test code and tap Continue. Remember that you need to add two-factor separately to each "Shared" and "Guest User" account attached to the main account.

Not One IoTa

Amazon did not return a request for comment from WIRED about the rash of recent Ring account compromises. It said in a statement to other outlets that, "While we are still investigating this issue and are taking appropriate steps to protect our devices based on our investigation, we are able to confirm this incident is in no way related to a breach or compromise of Ring's security."

WIRED did not receive a reply from Amazon to its request for comment on the recent spate of Ring account compromises. In a statement to other outlets, the company said: "While we are still investigating this incident and, based on our investigation, are taking appropriate steps to protect our devices, we are able to confirm that this incident is in no way related to a breach or compromise of Ring's security."

Like almost all connected-device manufacturers, Amazon seems to have reservations about adding enhanced account protections like two-factor authentication that might create friction or make devices slightly harder to use in any way. In one informational page about account security, Amazon writes, "Won't two-factor authentication make it inconvenient to access my devices or account? Two-factor authentication will add an extra step to accessing devices. The extra step is worth it, however, for the added security it brings."

Like almost all connected-device manufacturers, Amazon seems to have reservations about adding enhanced account protections such as two-factor authentication, because they may create friction or make the devices slightly harder to use in other ways. On an informational page about account security, Amazon writes: "Won't two-factor authentication make it inconvenient to access my devices or account? Two-factor authentication will add an extra step to accessing devices. The extra step is worth it, however, for the added security it brings."

For years, critics have pointed out lax security and thoughtlessness in how IoT devices are designed, as attackers have ramped up mass-scale exploitation of embedded devices. Developers have begun to take IoT security more seriously in response, but researchers say that it's disheartening to see even the biggest players still making basic mistakes. Ring cameras have had their share of security vulnerabilities, and just this week Amazon issued fixes for a slew of vulnerabilities in its Blink home cameras that could have allowed device hijacks. Combined with an ongoing lack of emphasis at white-label companies and startups, industry progress overall is still slow.

For years, critics have pointed out that IoT device design has been lax and careless about security, as attackers have ramped up mass exploitation of embedded devices. In response, developers have begun to take IoT security more seriously. But researchers say it is disheartening that even the biggest players are still making basic mistakes. Ring cameras have had their own security vulnerabilities, and just this week Amazon released patches for a series of vulnerabilities in its Blink home cameras that could have allowed device hijacking. Combined with the ongoing lack of focus at white-label manufacturers and startups, overall industry progress remains slow.

"We've worked with several vendors that claim they can't both implement security and be profitable at early stages," Williams says. "In many cases the vendors themselves haven't done the threat modeling."

"We have worked with several vendors that claim they cannot achieve both security and profitability in the early stages," Williams says. "In many cases the vendors themselves have not done the threat modeling."

By not thinking through the risks, vendors leave consumers exposed to them. In theory, IoT security could be much more nuanced and robust, but researchers point out that it's hard to go deeper until the most basic IoT security issues are resolved.

By failing to consider these risks, vendors leave consumers exposed to them. In theory, IoT security could be far more nuanced and robust, but researchers point out that until the most basic IoT security problems are solved, it is hard to go deeper.

Amazon has sold more than 100 million Americans on the benefits of paying for Prime accounts. It's time to use that power of persuasion to promote basic security protections.

Amazon has already sold more than 100 million Americans on the benefits of paying for a Prime account. Now it is time to use that power of persuasion to promote basic security protections.
