In the wake of news last week that a hacker was able to watch and communicate with an 8-year-old girl in Mississippi by using an Amazon Ring camera her parents had installed in her bedroom, the smart security device company downplayed the incident and deflected the blame from itself.
“Rest assured, we’ve investigated these incidents and did not find any indication of an unauthorized intrusion or compromise of Ring’s systems or network,” Ring wrote in an email sent to users a few days after the highly publicized incident. Yet some Ring customers across the country have reported similar hacks of their smart cameras and video doorbells.
Ring’s defense misses the point and is a disservice to its customers. Yes, it’s important to know that the hack wasn’t a breach of Ring’s internal systems, but that is unlikely to prevent such hacks from continuing to happen. Rather than dismissing the incident and putting the blame on users, the company could roll out a simple change that privacy experts have long advocated for on just about any service or product that requires a login: mandatory two-factor authentication.
The hacker was able to access the camera with a username and password found in an online database of previously compromised login information (you can check to see if your logins have been compromised by going to haveibeenpwned.com). The ability to connect to a Ring camera from anywhere is a feature the company touts, though it’s supposed to be available only to the device owners and the people they choose.
Ring suggested in its email that consumers practice better password security by not reusing passwords, updating their passwords regularly, and by enabling two-factor authentication, a process that requires users to supplement their username and password with an extra piece of information, usually a personal code generated by their phone, in order to log in.
Ring’s advice is sound. People should absolutely set up two-factor authentication on their devices, and should also check to see whether any of their logins have been compromised by going to haveibeenpwned.com. But expecting consumers to take these precautions on their own rarely works. One study found that less than one-third of Americans use two-factor authentication, and more than half have never even heard of it.
Most people simply go with the easiest thing possible: the username and password they actually remember — the one they’ve used before.
It’s ironic that a product that unrealistically inflates users’ fear of crime is itself less than secure. These issues, of course, are not unique to Ring.
“Ring isn’t a camera; it’s an internet-connected computer that happens to have a camera on it,” Brian Vecci, field CTO at data protection and analytics company Varonis, told Recode. “Any internet-connected computer is vulnerable to attack.”
Ring is a mass-market, highly popular device that’s likely showing up under trees and in shiny gift wrap across the country this holiday season, despite warnings from consumer groups of the product’s various privacy issues, including the inadvertent sharing of the location of Ring devices without permission and police handing over Ring footage to ICE and other law enforcement agencies, as well as the ongoing potential for hacking.
Ring could make consumers do the right thing and mandate two-factor authentication, or perhaps assign its own unique passwords.
It could require confirmation from device owners before allowing new sign-ons. It could also better detect suspicious behavior like multiple login attempts or logins from strange locations.
This is, of course, a trade-off.
“Security is often in contrast to convenience,” Vecci said. “Ring could hypothetically require using a fingerprint reader every time, but no one would use it. They’re trying to balance convenience with security.”
Small inconveniences, however, are preferable to big violations of personal privacy.