Parents of three Tennessee children learned today that a hacker had remotely broken into their Ring smart camera. The hacker spoke to the children and monitored them just four days after the device was purchased.
This sets a dangerous precedent now that so many IoT devices have come to market, including Amazon’s Alexa, Google’s Home and the Ring smart cameras.
Was Ring Hacked?
In short, the software itself was not hacked via a security vulnerability in the software or its mechanisms.
The family was hacked because Ring’s authentication model was less than secure. Ring users were allowed to choose their own passwords, and there was no push or requirement to set up two-factor authentication (2FA).
Users of the website nulled.to have been producing and selling software for brute-forcing the passwords of Ring accounts en masse. They even had a podcast where they would hack accounts live for thousands of viewers to troll homeowners across the world.
Password Authentication Model
This exposes the potentially unsafe practice of allowing users to choose their own passwords. Less tech-savvy users often reuse passwords, and when their information is pwned in one of the ongoing breaches, attackers attempt to log in to other accounts that share that user data.
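The login pattern described above, one source trying reused or guessed passwords against many accounts, leaves a recognisable trace in authentication logs. The following Python is an added example, not code from the original article or from Ring; the log format, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Ring logs).
# Assumed format: timestamp, source IP, account, result, second factor used
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice@example.com FAIL -
2024-01-01T10:00:03 203.0.113.7 bob@example.com FAIL -
2024-01-01T10:00:04 198.51.100.20 grace@example.com FAIL -
2024-01-01T10:00:06 203.0.113.7 carol@example.com FAIL -
2024-01-01T10:00:09 203.0.113.7 dave@example.com FAIL -
2024-01-01T10:00:12 203.0.113.7 erin@example.com OK -
2024-01-01T10:00:20 198.51.100.20 grace@example.com FAIL -
2024-01-01T10:00:31 198.51.100.20 grace@example.com OK 2fa
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window
MIN_ACCOUNTS = 4               # assumed threshold: distinct accounts failed per IP


def parse(log):
    """Turn log text into time-ordered (ts, ip, account, result, used_2fa) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, account, result, mfa = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result, mfa == "2fa"))
    return sorted(events)


def detect(log):
    """Return (source IPs failing against many accounts, accounts to lock and reset)."""
    recent = defaultdict(list)  # ip -> [(ts, account)] failures still inside WINDOW
    flagged, at_risk = set(), set()
    for ts, ip, account, result, used_2fa in parse(log):
        recent[ip] = [(t, a) for t, a in recent[ip] if ts - t <= WINDOW]
        if result == "FAIL":
            recent[ip].append((ts, account))
            # One user mistyping hits one account; reuse attacks hit many.
            if len({a for _, a in recent[ip]}) >= MIN_ACCOUNTS:
                flagged.add(ip)
        elif ip in flagged and not used_2fa:
            # Password-only success from a flagged source: treat as compromised.
            at_risk.add(account)
    return flagged, at_risk


if __name__ == "__main__":
    ips, accounts = detect(SAMPLE_LOG)
    print("flagged sources:", sorted(ips))
    print("accounts to lock and reset:", sorted(accounts))
```

The user who mistypes a password twice and then signs in with 2FA is not flagged, while the password-only success from the flagged source is surfaced for a forced reset.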
Many industry professionals believe that the user experience is more important and therefore you should not always require 2FA or unique passwords.
This is a big talking point made by Troy Hunt after a recent Twitter debate:
While requiring things like 2FA and random, non-reused passwords may not be the best user experience, the recent breaches of IoT devices raise massive privacy concerns.
Users would most likely prefer not to have their children spied on, even if that means a few extra steps and minutes to fully secure their accounts.