Online Forum Members Exploited Weak Credentials To Turn Ring Cameras Against Their Owners
from the i-m-in-ur-house-yelling-at-ur-kids dept
Adding to the run of bad news that has been Ring’s life cycle to this point comes a report that a group of malcontents has been exploiting default/weak credentials to gain access to cameras. Joseph Cox has the this-would-be-funny-if-it-weren’t-so-scary details at Motherboard.
Hackers have created dedicated software for breaking into Ring security cameras, according to posts on hacking forums reviewed by Motherboard. The camera company is owned by Amazon, which has hundreds of partnerships with police departments around the country.
On Wednesday, local Tennessee media reported that a hacker broke into a Ring camera installed in the bedroom of three young girls in DeSoto County, Mississippi, and spoke through the device’s speakers with one of the children.
The family said they had the camera for four days, during which time the hacker could have been watching the kids go about their day.
There’s not much actual hacking going on. What appears to be happening is purchasers aren’t choosing unique passwords when they set up their cameras. They also aren’t using the two-factor authentication Ring recommends.
There are enough cameras out there (and more being installed every day) that there’s an entire forum set up just for the hijacking of Ring cameras/doorbells. Forum members are selling exploit tools to each other which allow these jackasses to brute force Ring devices using credentials (usernames/email addresses and passwords) found elsewhere on the web.
The popular exploitables have even spawned a podcast featuring unsuspecting device owners being trolled by jerks who have gained access to Ring and Nest cameras. This is what’s in store for device owners who haven’t properly secured their new purchases.
A blaring siren suddenly rips through the Ring camera, startling the Florida family inside their own home.
“It’s your boy Chance on Nulled,” a voice says from the Ring camera, which a hacker has taken over. “How you doing? How you doing?”
“Welcome to the NulledCast,” the voice says.
The NulledCast is a podcast livestreamed to Discord. It’s a show in which hackers take over people’s Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners. In the example above, Chance blared noises and shouted racist comments at the Florida family.
Good times. Nulled forum members are starting to scatter, now that Joseph Cox has shined a light on their dirty little games. The Nulled admin has nailed an unbelievable statement to the top of the forum, saying that Nulled does not tolerate the “harassments of individuals over Ring cameras or any similar.” This posting followed some “unscheduled maintenance,” which occurred shortly after Motherboard’s first article on Ring exploitation went live.
Panic has ensued. Cox reports the forum is in disarray, with members quitting or changing their usernames. Some appear to be worried law enforcement is all over this. Others think the only ones going to jail are the members who participated in the podcasted Ring hijacking.
But it’s not over yet. A few members appear to be willing to roll the dice on possible legal charges.
It doesn’t seem the livestreaming of Ring hacking is going to end just yet, however.
“Podcast dead?” one user on the Nulled Discord asked Wednesday night.
Another user replied, “Nope. Tune in Friday. Like and subscribe.”
Perhaps the focus of the podcast will change. Considering the channel’s been dedicated to finding exploitable devices and exploiting them to create content, any pivot will likely be short-lived.
In the meantime, Ring is doing about the only responsible thing it’s ever done.
“As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords,” [Ring] added.
Perhaps more education of consumers is in order. Security recommendations are great, but purchasers appear to feel installing the cameras is the end of the job. It’s one thing to get your sidewalk-facing doorbell camera hacked. It’s quite another to have your interior cameras turned against you. The Internet of Things continues to be awful. Ring’s general awfulness kind of obscures the fact that this particular debacle isn’t really Ring’s fault. But it could be doing more. It could prevent deployment until two-factor authentication is engaged. And it could ease up a bit on its promises of home security when the default setup process allows outsiders to virtually enter the homes of Ring owners.