Insecuring Your Home And Data: Ring Vendor Apparently Hit With Ransomware Attack
from the better-put-a-camera-on-the-data dept
Ring offers security products. Shame they’re not all that secure. Sure, things have improved in recent years, but there was nowhere to go but up.
In December 2019, multiple reports surfaced of Ring cameras — most of them inside people’s houses — being hijacked by malicious idiots who used the commandeered cameras to yell nasty things at people’s children when not just lurking and watching the inner lives of unsuspecting Ring users. The worst of these people performed livestreams of camera hacking, taunting and frightening their targets for the amusement of truly terrible human beings.
The problem here was the default security options for the cameras. Ring did not require anything more than an email address and password to activate accounts, allowing these miscreants to sift through the massive piles of endlessly reused credentials to hijack the cameras. Shortly thereafter, Ring “encouraged” users to enable two-factor authentication. But it did not make this a requirement.
That same month, login credentials for nearly 4,000 Ring owners were exposed. Ring claimed it had suffered no breach, suggesting (rather unbelievably) that people were pulling credentials from other data breaches and compiling lists of verified Ring owners. Whatever the case, the company still wasn’t forcing customers to use strong passwords or enable 2FA, so credentials continued to be easily obtained and exploited.
The hijacked cameras led to a lawsuit in early 2020. A few days after the lawsuit was filed, Ring finally decided it was time to make some changes. It added a privacy dashboard for users to allow them to manage connected devices, block any they didn’t recognize, and control their interactions with law enforcement. And it finally made 2FA opt-out, rather than opt-in.
None of that’s helping much in the latest bad news for Ring. As Joseph Cox reports for Motherboard, hackers claim to have made off with some Ring data and left behind a ransom note.
A ransomware gang claims to have breached the massively popular security camera company Ring, owned by Amazon. The ransomware gang is threatening to release Ring’s data.
The party behind this appears to be ALPHV, a ransomware gang that — unlike others in this criminal business — created a searchable database of data obtained from these attacks and made it available on the open web.
That’s where this data may soon end up:
“There’s always an option to let us leak your data,” a message posted on the ransomware group’s website reads next to Ring’s logo.
Nice. But what data is it? And where did it come from?
Ring claims this isn’t its data, at least not specifically. In a comment to Motherboard, Ring claimed the breached/ransomed party is one of its third-party vendors and not Ring itself. But ALPHV must have something Ring-related and worth ransoming, otherwise it likely would not have called out Ring by name (and logo) on its website. Ring says this vendor does not have access to customer records, but it could have access to information and records Ring may not want to be made public.
Whatever the case, Ring claims to be on top of it. Not exactly comforting, given its history of taking a rather hands-off approach to user security.
Filed Under: alphv, login credentials, ransomware
Companies: amazon, ring
Comments on “Insecuring Your Home And Data: Ring Vendor Apparently Hit With Ransomware Attack”
The breached party is one of their third-party vendors. Mmhmm… And where do they provide a list of their third-party vendors? Nowhere? I see.
These crimes brought to you by Section 230.
Re:
No. Just no. Section 230 is not magic. Even if, somehow, your mind can get from “website is not liable for what others put on it” to hacking of all things, there’s this little thing called FEDERAL CRIMINAL LAW that criminalizes hacking (see CFAA for example) and is completely unaffected by Section 230.
So, in conclusion, you are wrong, and because your argument is nonexistent I can’t tell whether you are a cretin or just shockingly ignorant.
Re: These crimes brought to you by Section 230.
That comment brought to you by a fucking idiot.
Re:
Jhon.
Section 230 does not immunize anyone from crime.
Amazon is free to toss your scam books out. Hell, didn’t you admit you “wrote” those scam books in order to sell info?
If anything, you should have been the one arrested for that.
Naive or just click-baity?
Are you really so naive that you don’t understand why a thief would target Ring/Amazon over some small obscure third-party vendor, even if there is no actual Ring data involved? Or, it just gets more clicks if you implicate Ring/Amazon?
Hi Tim Cushing,
Thanks for sharing this information
The same people who freak out about their data being “stolen” will EAGERLY hand it all over if you promise them a free order of french fries, and PAY to install all sorts of devices that allow others to monitor them, their families, and even their neighbors in the name of “security”. I suppose this makes perfect sense when you claim to be protected by invisible men in the sky, yet need to hedge that bet by keeping deadly weapons close at hand to “keep yourself safe”. It must be rough, living with all of that FEAR…