Ring hacked, not surprising

Chuxing · ‎12-13-2019

Recent Ring hacking incidents, and why am I not surprised?

https://www.techspot.com/news/83172-ring-responds-reports-security-cameras-getting-hacked.html

https://www.vice.com/en_us/article/z3bbq4/podcast-livestreams-hacked-ring-cameras-nulledcast

BTW, here's Ring's response:

" ...Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts. Unfortunately, when people reuse the same username and password on multiple services, it’s possible for bad actors to gain access to many accounts.

Upon learning of the incident, we took appropriate actions to promptly block bad actors from known affected Ring accounts and affected users have been contacted. Out of an abundance of caution, we encourage Ring customers to change their passwords and enable two-factor authentication. ..."

Yep, it's YOUR responsibility !

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP

mgorman · ‎12-17-2019

The most amazing thing to me is that a lot of these people buy Ring cameras to enhance the security of their homes. So they will fork out money for the device, maybe for installation, but not take any time at all to read and practice the fundamental security steps. This is the equivalent to buying a lock for your door, but not actually locking it, in my not at all humble opinion.

Caute_cautim · ‎12-17-2019

@mgorman @Chuxing Yes, it is their responsibility to read the instructions and change their passwords, rather than simply rushing to install the technology. However, under the CCPA SB-327 Connected Devices, more emphasis is put put upon the manufacturer to ensure it is by default secure, and sufficient warnings and awareness is transparent to the customer.

However, rather like the situation on White Island and the Volcano in New Zealand, people regularly sign waivers at their own risk, without looking at the content, and then when something happens, then attempt to sue the Cruise Company for not warning them sufficiently not to go on a trip to an active Volcano!!!

I think the manufacturers in this case, could have done a lot more to emphasis the security controls, and to ensure that they were inherently secure in the first place. My case rests for the moment.

Regards

Caute_cautim

mgorman · ‎12-18-2019

@Caute_cautim I would agree with you, were not the evidence that I have seen indicating that the users reused a password from another source, which was compromised. This means that they changed the password, no defaults here; they didn't activate 2FA, which is an option. They took positive action to reduce their own security posture. CCPA wouldn't have done anything in this case. Whether that is 100% true, or Ring playing CYA, I can't be certain, of course, but that is the evidence currently in the public sphere.

denbesten · ‎12-19-2019

This story continues to evolve.

Security experts told BuzzFeed News that the format of the leaked data — which includes username, password, camera name, and time zone in a standardized format — suggests it was taken from a company database. [cite]

Although Ring has good advise (use MFA) -- it is also insufficient in the face of a data dump. MFA does protects against credential replay and credential reuse (if implemented properly), but it does remain vulnerable to the shared secret appearing in data dumps.

The better choice is keeping the authentication secrets away from the data being protected, by using techniques such as federation, public key encryption, and/or client certificates.