Safe to say, it has been a bad month for Ring, the smart home and video doorbell company owned by Amazon.
Amid numerous reports of home security cameras being hijacked and viewed by strangers — including one where a stranger spoke to an eight-year-old child — Ring's security practices have also been questioned.
But instead of rolling out extra layers of security for Ring owners to enable, or making heightened security like two-factor authentication a mandatory requirement for all Ring account holders, the company says its customers' poor cybersecurity practices are to blame.
In response to multiple reports of Ring cameras being 'hacked,' the company wrote a blog post explaining that its services had not been compromised. Instead, the company explained: "Unfortunately, when people reuse the same username and password on multiple services, it's possible for bad actors to gain access to many accounts."
Next, a report by Motherboard branded Ring's security as "awful," and pointed out how there are no safeguards in place to raise a red flag when someone is seen logging into a Ring account to view a camera thousands of miles from where the camera's owner says they live.
It is also possible for multiple people in multiple countries to log into one Ring account and view the cameras together, without the app becoming suspicious or asking for everyone to confirm they are the account holder.
Logging into a Ring account and viewing a camera from a foreign country, using a phone or tablet which has never been used by that account before, also fails to raise any alarms. Logging into other web services like this, from the likes of Google and Apple, prompts a security check or contacts the account holder to check it's them.
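The kind of login check the Motherboard report found missing can be sketched in a few lines. This is an added example, not Ring's code and not part of the original article; the event format, the thresholds and the sample logins are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, account, device id, country)
EVENTS = [
    ("2019-12-01T08:00:00", "owner@example.com", "phone-A", "US"),
    ("2019-12-02T08:05:00", "owner@example.com", "phone-A", "US"),
    ("2019-12-03T21:10:00", "owner@example.com", "tablet-X", "RO"),
    ("2019-12-03T21:20:00", "owner@example.com", "phone-A", "US"),
    ("2019-12-03T21:25:00", "owner@example.com", "laptop-Y", "BR"),
]

SESSION_WINDOW = timedelta(minutes=30)  # assumed: logins this close count as concurrent
MAX_COUNTRIES = 2                       # assumed: more than this at once is suspicious


def review_logins(events):
    """Return (timestamp, account, reasons) for each login that needs a challenge."""
    known_devices = defaultdict(set)    # account -> devices already trusted
    known_countries = defaultdict(set)  # account -> countries already trusted
    recent = defaultdict(list)          # account -> [(time, country)] inside the window
    alerts = []
    for ts, account, device, country in sorted(events):
        when = datetime.fromisoformat(ts)
        reasons = []
        if known_devices[account]:      # the very first login sets the baseline
            new_device = device not in known_devices[account]
            new_country = country not in known_countries[account]
            if new_device and new_country:
                reasons.append("new device in new country")
            elif new_device:
                reasons.append("new device")
        # Drop logins that fell out of the concurrency window, then add this one.
        recent[account] = [(t, c) for t, c in recent[account]
                           if when - t <= SESSION_WINDOW] + [(when, country)]
        active = {c for _, c in recent[account]}
        if len(active) > MAX_COUNTRIES:
            reasons.append("concurrent logins from %d countries" % len(active))
        if reasons:
            alerts.append((ts, account, reasons))
        else:  # only unflagged logins extend the trusted baseline
            known_devices[account].add(device)
            known_countries[account].add(country)
    return alerts


if __name__ == "__main__":
    for alert in review_logins(EVENTS):
        print(alert)
```

A flagged login is where a service would ask for a second factor or email the account holder before showing any camera feed.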
On December 19, Buzzfeed News reported that a publicly accessible database was discovered with the login details of over 3,600 Ring users. The data included their email addresses and passwords, as well as the names of their cameras, which are often named after the rooms they appear in, like 'bedroom' or 'kitchen'. The database appeared to have been stolen from Ring.
With access to this database, an attacker could log into the Ring accounts, watch live feeds from the cameras, and speak to their targets. They may also be able to view weeks of saved footage, depending on the payment plan the Ring customer has.
Ahead of the report being published, Ring contacted all users who appeared in the database. An email stated: "During a recent investigation by our security team, we identified that the email address and password of one of your external accounts was exposed in a data breach."
The email then repeated Ring's earlier explanation of how people use the same credentials repeatedly, and when one is compromised other accounts can be accessed too. This is known as a credential stuffing attack, where stolen login credentials are repeatedly and automatically used to try and log into other accounts, like a Ring account.
How to enable two-factor authentication and better secure your Ring account
Two-factor authentication is a system where your email address and password are not enough to log into your account. Instead, when you provide the correct address and password, the Ring app will send a text message to your phone. This contains a unique code, which you then need to enter in the app to log in.
Two-factor is presented as a security option when first setting up your Ring account, but if you skipped that step you can go into the app and activate it — something we strongly suggest everyone does immediately.
To set up two-step authentication with Ring, follow these instructions:
- Open the Ring smartphone app
- Tap the three-lined icon in the top-left corner
- Tap on Account
- Tap on Two-factor Authentication under the enhanced security tab
- Tap where it says 'Turn on Two-factor'
- Enter your password when prompted
- Enter the mobile number you want the aforementioned security code to be sent to
- A six-digit code will be sent to your phone. Enter this in the app when prompted
- Tap Continue
You should probably also consider changing your Ring password at this point, which you can do in the Account Settings page.
As for avoiding a credential stuffing attack, you should always use a different password for every account you create. To help come up with new, secure passwords, and remember every one you have made, you should consider a password manager. You should also consider using a physical security key.