Online Forum Members Exploited Weak Credentials To Turn Ring Cameras Against Their Owners

from the i-m-in-ur-house-yelling-at-ur-kids dept

To add to all the bad news that is Ring camera's life cycle to this point comes the report that a group of malcontents has been exploiting default/weak credentials to gain access to cameras. Joseph Cox has the this-would-be-funny-if-it-weren't-so-scary details at Motherboard.

Hackers have created dedicated software for breaking into Ring security cameras, according to posts on hacking forums reviewed by Motherboard. The camera company is owned by Amazon, which has hundreds of partnerships with police departments around the country.

On Wednesday, local Tennessee media reported that a hacker broke into a Ring camera installed in the bedroom of three young girls in DeSoto County, Mississippi, and spoke through the device's speakers with one of the children.

The family said they had the camera for four days, during which time the hacker could have been watching the kids go about their day.

There's not much actual hacking going on. What appears to be happening is purchasers aren't choosing unique passwords when they set up their cameras. They also aren't using the two-factor authentication Ring recommends.

There are enough cameras out there (and more being installed every day) that there's an entire forum set up just for the hijacking of Ring cameras/doorbells. Forum members are selling exploit tools to each other which allow these jackasses to brute force Ring devices using credentials (usernames/email addresses and passwords) found elsewhere on the web.

The popular exploitables have even spawned a podcast featuring unsuspecting device owners being trolled by jerks who have gained access to Ring and Nest cameras. This is what's in store for device owners who haven't properly secured their new purchases.

A blaring siren suddenly rips through the Ring camera, startling the Florida family inside their own home.

"It's your boy Chance on Nulled," a voice says from the Ring camera, which a hacker has taken over. "How you doing? How you doing?"

"Welcome to the NulledCast," the voice says.

The NulledCast is a podcast livestreamed to Discord. It's a show in which hackers take over people's Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners. In the example above, Chance blared noises and shouted racist comments at the Florida family.

Good times. Nulled forum members are starting to scatter, now that Joseph Cox has shined a light on their dirty little games. The Nulled admin has nailed an unbelievable statement to the top of the forum, saying that Nulled does not tolerate the "harassments of individuals over Ring cameras or any similar." This posting followed some "unscheduled maintenance," which occurred shortly after Motherboard's first article on Ring exploitation went live.

Panic has ensued. Cox reports the forum is in disarray, with members quitting or changing their usernames. Some appeared to be worried law enforcement is all over this. Others think the only ones going to jail are the members who participated in the podcasted Ring hijacking.

But it's not over yet. A few members appear to be willing to roll the dice on possible legal charges.

It doesn't seem the livestreaming of Ring hacking is going to end just yet, however.

"Podcast dead?" one user on the Nulled Discord asked Wednesday night.

Another user replied, "Nope. Tune in Friday. Like and subscribe."

Perhaps the focus of the podcast will change. Considering the channel's been dedicated to finding exploitable devices and exploiting them to create content, any pivot will likely be short lived.

In the meantime, Ring is doing about the only responsible thing it's ever done.

"As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords," [Ring] added.

Perhaps more education of consumers is in order. Security recommendations are great, but purchasers appear to feel installing the cameras is the end of the job. It's one thing to get your sidewalk-facing doorbell camera hacked. It's quite another to have your interior cameras turned against you. The Internet of Things continues to be awful. Ring's general awfulness kind of obscures the fact that this particular debacle isn't really Ring's fault. But it could be doing more. It could prevent deployment until two-factor authentication is engaged. And it could ease up a bit on its promises of home security when the default setup process allows outsiders to virtually enter the homes of Ring owners.
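One way the setup-time enforcement suggested above could look on the vendor side, as an added example that is not Ring's code and not part of the original article. The names `Enrollment`, `set_password` and `activate_device`, the 12-character minimum and the four-entry sample corpus are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a breached-password corpus. A real service would load
# only hashes from such a dataset, never plaintext.
_SAMPLE_BREACHED = ["password1", "qwerty123", "Summer2019!", "letmein"]
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def _sha1_hex(password: str) -> str:
    # SHA-1 is used only as a lookup key into the corpus, not for storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_index(passwords):
    """Index hashes as prefix -> suffixes, the split used by range-style lookups."""
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = _build_index(_SAMPLE_BREACHED)


def is_breached(candidate: str) -> bool:
    digest = _sha1_hex(candidate)
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())


@dataclass
class Enrollment:
    """Hypothetical per-account setup state held by the vendor's backend."""
    email: str
    password_accepted: bool = False
    two_factor_enrolled: bool = False
    device_active: bool = False


def set_password(enrollment: Enrollment, candidate: str) -> list:
    """Screen a password at set time, the only moment the service sees the
    plaintext; afterwards only a salted hash should exist, so reuse cannot be
    checked later. Returns the reasons for rejection (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if is_breached(candidate):
        problems.append("found_in_breach_corpus")
    local_part = enrollment.email.split("@")[0].lower()
    if local_part and local_part in candidate.lower():
        problems.append("contains_account_name")
    enrollment.password_accepted = not problems
    return problems


def activate_device(enrollment: Enrollment) -> list:
    """Refuse to bring the camera online until every control is in place."""
    blockers = []
    if not enrollment.password_accepted:
        blockers.append("password_not_accepted")
    if not enrollment.two_factor_enrolled:
        blockers.append("two_factor_not_enrolled")
    enrollment.device_active = not blockers
    return blockers


if __name__ == "__main__":
    owner = Enrollment(email="owner@example.com")
    print(set_password(owner, "Summer2019!"))
    print(activate_device(owner))
    print(set_password(owner, "correct horse battery staple"))
    owner.two_factor_enrolled = True
    print(activate_device(owner), owner.device_active)
```

The breach check happens inside `set_password` because that is the one point where the service legitimately holds the plaintext; the activation gate then only has to read two flags.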

Filed Under: hackers, harassment, podcast, ring
Companies: amazon, ring


Reader Comments



  • That One Guy (profile), 13 Dec 2019 @ 1:32am

    'Eh, I'll get around to it eventually'

    Buying and installing an internet connected security camera(or security anything really) and keeping the default settings is rather like buying a sturdy steel-reinforced door for your house and not bothering to add a lock to it, instead using a simple no-lock doorknob.

    Yes it's technically more secure than the alternative of nothing, but at that point the only 'security' is security theater, and if anything you've merely added another vulnerability for others to exploit.

  • stine, 13 Dec 2019 @ 4:06am

    it actually is Amazon's fault, not Rings

    Amazon has the technology to make the device require a unique, unexposed password before it can be reached from outside of the local network. That they have simply chosen not to do so makes it entirely their fault.

    • Anonymous Coward, 13 Dec 2019 @ 7:45am

      Re: it actually is Amazon's fault, not Rings

      While Amazon may be at fault for not doing more to ensure their devices were installed securely, the fault in the case described by this article lies entirely at the feet of those who participate in that podcast. They're the ones who actually committed the act, not Amazon or its employees.

      One of the major problems with the world today is failing to assign blame where it is due and instead going after the biggest company in the blame-chain, no matter how tenuous the relationship to responsibility. "You could have done more!" is the warcry of those looking for a payout instead of justice.

      • Cdaragorn (profile), 13 Dec 2019 @ 7:57am

        Re: Re: it actually is Amazon's fault, not Rings

        That's only half true. Yes the podcast is at fault for choosing to break into the devices, but the users that chose not to secure them absolutely bear some responsibility for choosing not to keep a camera they knew they stuck on the internet and pointed at their children locked.

      • Anonymous Coward, 13 Dec 2019 @ 8:03am

        Re: Re: it actually is Amazon's fault, not Rings

        "One of the major problems with the world today is failing to assign blame where it is due and instead going after the biggest company"

        Don't know that I would call it a major problem with the world today. Guess it depends upon what one considers to be major.

        How many people die each year as a result of this blame game?

    • tom (profile), 13 Dec 2019 @ 8:11am

      Re: it actually is Amazon's fault, not Rings

      The truth is probably far worse. Very likely that Amazon is collecting data from these cameras like they do from all their services and devices so they can sell the collated tabulated linked etc. data + results to all buyers willing to pay up.

      Have to wonder how many Amazon employees or contractors are reviewing camera feeds 'For Quality Control Purposes'?

      If your 'security' device requires a cloud connection to operate, then it isn't a security device and is most likely a data collection and monitoring device that isn't working for you.

    • nasch (profile), 16 Dec 2019 @ 7:50am

      Re: it actually is Amazon's fault, not Rings

      Amazon has the technology to make the device require a unique, unexposed password

      Just a minor point, but if they're doing it right they do not know what your password is, and so cannot ensure it is unique.

  • lorgskyegon (profile), 13 Dec 2019 @ 4:10am

    I would say that a better question to ask

    Is why in the hell the parents set up a security camera in a little girl's bedroom.

    • Anonymous Coward, 13 Dec 2019 @ 4:22am

      Re: I would say that a better question to ask

      And why use an Internet connected camera? It's not as though remote monitoring of young children is a desirable form of child care, a parent or child minder should be in the house to look after the children.

      • Anonymous Coward, 13 Dec 2019 @ 5:03am

        Re: Re: I would say that a better question to ask

        Because everyone has unlimited cash and time.

      • Cdaragorn (profile), 13 Dec 2019 @ 8:01am

        Re: Re: I would say that a better question to ask

        Because the world has become so stupidly enamored with the internet that no one has even considered providing one that can connect to your private network but NOT force it to be connected to the internet.
        And making it easier to occasionally check in on your young children is not "remote monitoring" of them. How the camera is being used matters, not just the fact that one was being used at all.

    • Anonymous Coward, 13 Dec 2019 @ 6:24am

      Re: I would say that a better question to ask

      Because .. helicopter parents?

    • Anonymous Coward, 13 Dec 2019 @ 7:04am

      Re: I would say that a better question to ask

      They're cheap, easy to set up, don't need to be connected to other devices to run, and the children can use it to page and talk to their parents or show them something if they need to. All the kid has to be able to do is push the button. And the parents can check on the kids remotely any time they want without needing the kids to answer a call.

      • Anonymous Anonymous Coward (profile), 13 Dec 2019 @ 7:16am

        Re: Re: I would say that a better question to ask

        Right, and you can teach the kids to cover up the camera when they are changing clothes too. Oh...wait...if you do that some smart ass kid will also learn to cover up the camera when they are doing something they don't want their parents to see. How long then till they figure out that loud music will cover up their plotting being captured by the microphone.

        Actions have consequences. Who would have thought. Apparently not these parents.

      • Anonymous Coward, 13 Dec 2019 @ 8:07am

        Re: Re: I would say that a better question to ask

        The modern world ... where parents are too busy to be bothered watching their offspring. What, you may ask, are they doing that is so important?
        What's next? A robot nanny?

        • Uriel-238 (profile), 13 Dec 2019 @ 4:08pm

          What's next...

          Well, the police are at some point going to get a strip show by kids in their bedroom. The footage may end up on the internet accidentally.

          And the footage will probably get distributed quietly through the precinct before the kids or the parents are then SWAT raided for child porn distribution. Meanwhile, the kids undressing will wind up on the internet, maybe even used by the FBI as bait for child-porn purveyors.

          At least that's how it's going to go down in a cyberpunk dystopia novel.

    • Anonymous Coward, 14 Dec 2019 @ 4:34pm

      Re: I would say that a better question to ask

      Because they are legless, lazy?

  • Anonymous Coward, 13 Dec 2019 @ 4:14am

    This ring of surveillance maniacs deserves every bit of shit that comes flying their way.

  • Anonymous Coward, 13 Dec 2019 @ 4:23am

    Maybe it is time to throw a little chlorine into the hacker pool? Livestreaming the hacking of someone's device seems just the other side of posting it on your Facebook account.

    Of course, first you have to get law enforcement's attention. After all, these hackers aren't actually killing anyone, and it is unlikely that they'll have loads of cash (or a fancy car) laying about for civil forfeiture bait.

    • Judge Dredd, 13 Dec 2019 @ 6:26am

      Re:

      "Maybe it is time to throw a little chlorine into the hacker pool?"

      Death for hijacking, meanwhile real killers go loose

  • me, 13 Dec 2019 @ 4:53am

    the test for Law Enforcement will be

    How intent on shutting that down are they when they're benefiting so much from it.

  • Coyne Tibbets (profile), 13 Dec 2019 @ 5:00am

    World in your Living Room

    Gives whole new meaning to the "World in your Living Room" concept. Oh, wait, no it doesn't...that ship sailed with Alexa.

    We're a ways past the day when you could bring the toaster home in a box, open it, toss the directions, plug it in and use it. Successfully. A tissue page of directions in Flyspeck 4pt font was just fine for a toaster, who bothered to read them anyway?

    Where security is necessary, the tissue with the instructions isn't cutting it. Security needs to be inherent, or else the user needs to be hand-held through it.

    But, hey, buyer beware.

  • Anonymous Coward, 13 Dec 2019 @ 5:11am

    There's nothing sweeter than seeing the ignorant forced to confront their ignorance.

  • Anonymous Coward, 13 Dec 2019 @ 5:12am

    "I walked into a burning RING of fire..."

  • Anonymous Coward, 13 Dec 2019 @ 5:35am

    I'm beginning to believe IoT stands for Idiots Owning Technology.

    • Anonymous Coward, 13 Dec 2019 @ 6:25am

      Re:

      Idiots all led to the slaughter by internet disinformation that has them going to hell and looking forward to the trip.

  • Anonymous Coward, 13 Dec 2019 @ 6:27am

    As for why sites should be forced to host speech it disagrees with, eliminating the potential to "moderate" away any warnings about stuff like this is the most compelling agreement. USENET stands alone as the one place that whistleblowing about this could not be silenced.

    • Anonymous Coward, 13 Dec 2019 @ 6:27am

      Re:

      *argument, for the language "enthusiasts"

    • That One Guy (profile), 13 Dec 2019 @ 7:22am

      Re:

      Because of all the sorts of content that a site might not want to host and therefore needs to be forced to, notifications that a camera is about as secure as a screen door would definitely be the sort that needs 'protecting' so it can stay up given how people would just be tripping over themselves to remove that. /s

      Would you perhaps like to try again with an example that isn't absurd?

    • Anonymous Coward, 13 Dec 2019 @ 7:49am

      Re:

      Wrong article, mate.

  • Anonymous Coward, 13 Dec 2019 @ 6:58am

    Education

    Perhaps more education of consumers is in order.

    Am I being overly cynical to think that this form of exploitation is the only "education" likely to work? I mean, we've been telling people for a decade or two to use strong passwords and to physically cover up any cameras they aren't actively using, and here they are putting internet-connected cameras in a bedroom.

    • Anonymous Anonymous Coward (profile), 13 Dec 2019 @ 7:12am

      Re: Education

      It's kind of like that math forced upon you in school where both you and the teacher had a hard time expressing how one might use it later in life. Until it has some personal impact on you, that is voraciously shoved down your throat, it is more like a spring shower. Annoying but un-impactful, unless you're vegetation.

      The question then becomes, how does one make IoT security voracious enough to impact all the Joe and Jane six packs of the world? Knowing about this might be a start, but I doubt it will be sufficient.

      • Anonymous Coward, 13 Dec 2019 @ 10:45am

        Re: Re: Education

        "that math forced upon you in school"

        What they called new math? LOL - it was stupid then and it remains so. General mathematics has not changed, what has changed is the silly ways they try to teach it.

        • Anonymous Anonymous Coward (profile), 13 Dec 2019 @ 11:58am

          Re: Re: Re: Education

          Sorry, I missed the new math by a couple or three decades, but I still value why I might need to know the volume of a cone, even if I have to look up how to calculate it these days.

          (For those not thinking, the value is in determining how much ice cream you can stuff into it) -:)

          • TFG, 13 Dec 2019 @ 1:55pm

            Re: Re: Re: Re: Education

            I can only think of one way to enforce security, and that would be to design the enforcement into the setup process.

            All these devices that connect to the internet would need to be kept from connecting if the owner has not set up the basic security features. Default credentials? No go. Not set up for whatever MFA process is in place? No go. Attempting to connect to an unsecured router? No go.

            All of which would require a sea change in the approach of the manufacturers of these devices - the focus is on convenience of setup, which means plug-and-play and auto-activations, which means security options do not get enforced. I don't see it happening anytime soon, but it's the only thing I can think that might work.

            • Anonymous Coward, 14 Dec 2019 @ 3:16am

              Re: Re: Re: Re: Re: Education

              It's funny that some think iot can be secured

              • Uriel-238 (profile), 15 Dec 2019 @ 8:56pm

                "some think iot can be secured"

                Some think IoT devices can be secured better than they are, by far. Even air-gaps are penetrable with a determined enough hacker. But IoT devices are being shoved onto the market with little to no security and teeming with data leaks.

                I mean the least I need out of my smart refrigerator is for it to not compromise my email accounts, let alone leave the door open to hackers.

          • Anonymous Coward, 14 Dec 2019 @ 4:38pm

            Re: Re: Re: Re: Education

            You put ice cream in a cone, I prefer green buds :)

  • ECA (profile), 13 Dec 2019 @ 11:05am

    Great knock on the door..

    Ring the door bells in people's heads about security and IOT..
    Bring back the Barbie story..
    Bring up how Security cams that Link directly NOT to your own system, but to services outside, and require it. Sounds just like the failings of DRM.

    Give me a Wireless NAS inside a Wall/hidden very well.. and link my Security and IOT to it.. And it won't broadcast its location. Must know its Network and name to get logged into it.
    The Thief can't find it, the cops won't, the kids won't, the Dog won't, the cat won't sleep on it..

  • Uriel-238 (profile), 13 Dec 2019 @ 4:18pm

    Behold the new robot uprising

    Does anyone else remember when thousands of YESCO billboards set up around Atlanta suddenly stopped posting an AT&T advert and rather showed goatse/hello.jpg instead, for hundreds of thousands of citizens to behold?

    We should be grateful that this is what happened first, that it's mischief and not something that resulted in a death.

    Amazon needs to get on this now and update Ring's security so that it's really hard to hack one. Like, right now.

    Otherwise worse things will happen and someone eventually will die.

    • Anonymous Coward, 14 Dec 2019 @ 2:53am

      Re: Behold the new robot uprising

      Amazon needs to get on this now and update Ring's security so that it's really hard to hack one.

      If you think that forcing users to set up security will result in stronger security, you have little experience of what users are capable of.

      • Uriel-238 (profile), 15 Dec 2019 @ 8:51pm

        Forcing users to set up security

        We already have phones that set up a lot of security the first time it's powered on. If Ring units were issued one of 20,000 default randomized passwords (say two common six-letter-plus words in sequence) issued as a default, that would be more secure than every unit dropping off the assembly line with a single shared default password.

        Yes, it's up to users to be vigilant, but this doesn't mean the manufacturer needs to be any less responsible. Especially since, yeah, IoT devices are turning into botnet zombies that already serve organized crime (often while still serving their initial function, more or less).

    • Anonymous Coward, 14 Dec 2019 @ 2:00pm

      Re: Behold the new robot uprising

      I don't remember that, but it sounds hilarious. Good old goat.se.

  • lisa aniston (profile), 14 Dec 2019 @ 1:04am
    This comment has been flagged by the community.

    hacking

    Duplicate software has always been an issue; it is required to completely understand the software, then move further.
    Thanks for this article.

  • Toro (profile), 15 Dec 2019 @ 5:17am

    Just a matter of time

    till ring obsoletes the tech like our much loved DRM and IoT lightbulbs

  • Anonymous Coward, 16 Dec 2019 @ 2:07am

    It could prevent deployment until two-factor authentication is engaged.

    Yep. Irresponsible product.

    IT professionals know that they need to assume that their clients have little understanding of technology and just treat it as magic. Thus, you have to treat them as requiring all the help you can provide.

    This is predictable. Assume 10% of your customer base are lazy/stupid/dont-understand (whatever). You sell 100 000 units.

    Thus there are 10 000 hackable units out there. What is going to happen?

    I blame the manufacturer. This is a preventable, predictable mess.
