26 comments

[ 5.2 ms ] story [ 60.2 ms ] thread
Am I right in assuming that Ring, a company that was later acquired by Amazon, has an entirely different infrastructure than something like Alexa? From what I can tell, Alexa uses the same login system as my Amazon account, and (I assume/hope) is as safe/vulnerable to remote brute forcing as my Amazon account. But this seems not to be the case for Ring?
Sounds like it's not brute forcing simple using the same email/password for some random site that then gets compromised, malicious actors then try those same credentials to log into Ring and they're in first try
My colleagues were only able to access my Ring camera because they had the relevant email address and password

Come on, what lousy click bait. If you give someone your username and password, it isn't evidence of terrible security.

Hijacking a specific, known account is only one attack vector, and it is not the attack vector that has brought Ring's security into the news lately. Modern cloud services provide throttling and other protection from brute force attacks:

> Ring hackers' software works by rapidly checking if an email address and password on the Ring web login portal works; hackers will typically use a list of already compromised combinations from other services. If someone makes too many incorrect requests to login, many online services will stop them temporarily from doing so, mark their IP address as suspicious, or present a captcha to check that the user trying to login is a human rather than an automated program. Ring appears to have minimal protections in place for this though. Motherboard deliberately entered the wrong password to our account on the login portal while connecting from the Tor anonymity network dozens of times in quick succession. At no point did Ring try to limit our login attempts or present a captcha.

Right, that's why the rest of the sentence is "but Amazon-owned home security company Ring is not doing enough to stop hackers breaking into customer accounts"
You've taken that phrase completely out of context.

The author is clarifying that their friends were only able to access it because the author gave them the email/password, because the author wants to illustrate what someone who did have your email/password could see.

What's relevant are the sentences that come immediately after:

>, but Amazon-owned home security company Ring is not doing enough to stop hackers breaking into customer accounts, and in turn, their cameras, according to multiple cybersecurity experts, people who write tools to break into accounts, and Motherboard's own analysis with a Ring camera it bought to test the company's security protections.

Then the author goes through some instances and tools built to hack Ring passwords.

IOW, the author isn't claiming that Ring is insecure because someone who he gave the email/password to is able to login. The author is showing the kind of information a person who has your email/password can access, and then is showing how easily it is for someone nefarious to get that information.

The article is just fear mongering bs, suggesting useless solutions like sms two factor authentication.

The problem is with people using stupid passwords which is a problem on just about any service and has nothing to do with Ring. Yes it could be better but so could a lot of services.

The level of security you provide should be commensurate with the risk. Perhaps you don't need 2FA and IP checking for your smartwatch but you probably need it for your x-ray machine.

This is a device people are encouraged to put into their homes, with access to their most intimate moments. And sold to untrained consumers who probably won't even read any documentation you supply. And, as the article highlights, there are active attacks.

Ring need to up their game.

Yes, this seems like exactly the kind of service that should be checking passwords against known compromised password sets.
SMS 2FA is not useless against credential stuffing which is largely what is going on here.
> The article is just fear mongering bs,

The article cites plenty of cases demonstrating how insecure the devices are. Are those cases BS?

> The problem is with people using stupid passwords

Your comment makes no sense at all. A flimsy lock doesn't become automatically secure if you argue that the lock owners have mishandled the key. The fact is that the system has been demonstrated that the system's security is lacking and at best is very vulnerable. The fact that all you need to penetrate their system is an email address and a password is more than enough to demonstrate the depth of the problem.

> The fact that all you need to penetrate their system is an email address and a password is more than enough to demonstrate the depth of the problem.

You do realize that is true for the default account for 99.9% of all web services? They do support basic 2fa (SMS based), which is not the best (Webauthn would be a lot better), but one of the biggest complaints in the article is easy brute-forcing, and they support fixing that. Some of what they suggest is even downright wrong and bad practice (like blocking certain user-agent headers). The only legitimate feature they suggest that I could see is rate-limiting based on IP, but even that is not always a good idea (since you never know how many legitimate users share an IP).

Perhaps a better title would be "Ring does not do enough to advise their users on how to secure their accounts". The actual content is FUD and I'd bet that basically every VMS with a web API would have the same "vulnerabilities" in a default setup.

Source: Having worked on security for similar systems.

> If you give someone your username and password

Most victims of data breaches are unaware that they're victims.

As usual Vice is late to the party, re-packages a story that has already been circulating, takes all the credit, and does a terrible job presenting it. How is Vice still in business?
The part about the author giving their friend their credentials detracts from the main point of the article, which is:

- Ring doesn’t check if the login comes from a new IP address or location

- the Ring app doesn’t tell users how many others are logged in

- Ring doesn’t check password dumps and alert users of reused credentials

I think we should all demand that major consumer electronic companies include these features.

I personally remember witnessing the exploit of reused credentials as far back as the 80s in the days of modems and personal BBSes. Here we are almost 40 years later and seeing the same problem, except with high speed live video streams from in and around a user's home. WOW!
That's why all my passwords (including my Ring password) look like this:

c3Ve*w^ZHKmq1SQK&gGVQCezROLgZy

Individually generated, unique for every site I log into.

(comment deleted)
This doesn't help if your machine gets infected with malware. They can steal that password and you'd never know - which is the point: unusual account activity should alert the user.
If an attacker compromises your machine and steals your password they can also just route their traffic through it, meaning the IP would match the regular one seen by the Ring servers
Yes they can, but what we often see is accounts sold off to others. They don't give away their infected machine. They just harvest credentials.
I'm shocked SHOCKED that an Internet-of-Shit device has poor security. </sarcasm>

I'm still waiting for an I-o-S device that has good security.