'We Tested Ring's Security. It's Awful' (vice.com)
"Ring lacks basic security features, making it easy for hackers to turn the company's cameras against its customers," reports Motherboard:
Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in -- entirely common security measures across a wealth of online services... Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password....
Motherboard deliberately entered the wrong password to our account on the login portal while connecting from the Tor anonymity network dozens of times in quick succession. At no point did Ring try to limit our login attempts or present a captcha....
Ring does offer two-factor authentication, where a user is required to enter a second code sent to them as well as their password, but Ring does not force customers to use it. Motherboard verified that Ring's two-factor authentication does work as advertised, but multiple people who were logged into the app didn't have to log back in after it was enabled -- Ring didn't eject them nor ask them to enter a two-factor token...
From a smartphone app, someone who is logged in can watch live and historical footage, listen through the camera's microphone, speak through the camera's speaker, play an alarm, see the name of the specific Wi-Fi network the camera is connected to, see the address the user originally registered the Ring camera with, see the phone number a user has entered into the app, and see nearby crime "incidents." This shows the specific, user-selected home address plotted on a map. Ring requires that a user input a home address to set up the camera.
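As an added illustration (not code from the Motherboard article or from Ring), here are the three controls the summary says are missing, in the form a defender would implement them: throttling failed logins per source IP and per account, revoking every other session when 2FA is turned on, and a breached-password check in the k-anonymity style (look up by SHA-1 prefix so the full hash never leaves the server). The breached-hash table, the thresholds and the sample IPs are constructed for this example.

```python
import hashlib
import time
from collections import defaultdict

# Constructed stand-in for a breached-password corpus, keyed by the first
# 5 hex chars of the SHA-1 (the "range" lookup pattern used by Have I Been
# Pwned's Pwned Passwords API). Only one made-up entry: sha1("password").
BREACHED_SHA1_BY_PREFIX = {
    "5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8"},
}

MAX_FAILURES = 5        # failed attempts tolerated per key per window (assumed)
WINDOW_SECONDS = 600    # sliding window for counting failures (assumed)


def is_breached(password: str) -> bool:
    """Check a candidate password against the breached corpus by hash prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in BREACHED_SHA1_BY_PREFIX.get(prefix, set())


class LoginGuard:
    """Tracks failed logins per IP and per account, plus each account's sessions."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # ("ip"|"acct", value) -> [timestamps]
        self.sessions = defaultdict(set)    # account -> {session ids}

    def _recent(self, key):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def record_failure(self, ip: str, account: str) -> None:
        for key in (("ip", ip), ("acct", account)):
            self._recent(key).append(self.now())

    def is_blocked(self, ip: str, account: str) -> bool:
        """True once either the IP or the account has used up its failure budget."""
        return any(len(self._recent(k)) >= MAX_FAILURES
                   for k in (("ip", ip), ("acct", account)))

    def login(self, account: str, session_id: str) -> None:
        self.sessions[account].add(session_id)

    def enable_2fa(self, account: str, current_session: str) -> set:
        """Drop every other session so it must re-authenticate with the new factor."""
        revoked = self.sessions[account] - {current_session}
        self.sessions[account] = {current_session}
        return revoked
```

The per-IP counter alone is weak against a distributed source such as Tor exits, which is why the per-account counter is kept alongside it.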
It's a shocking surprise! (Score:3)
Said no one, ever.
I'm surprised their security doesn't suck (Score:5, Insightful)
I expected to read that they came with default passwords, they don't support 2FA, etc - real problems. That's not the case.
The author of the article found that Ring doesn't add more security protections that nobody else does either, such as "Ring doesn't appear to check a user's chosen password against known compromised user credentials". Approximately no products do that. Turning off 2FA and turning it on again doesn't log out other family members. Okay maybe logging everybody off when you do that would be a good idea, but it seems like rather a minor quibble.
If what they reported are actually the worst things about Ring security, apparently Ring did a decent job (though not Fort Knox level security).
Re:I'm surprised their security doesn't suck (Score:5, Insightful)
I expected to read that they came with default passwords, they don't support 2FA, etc - real problems. That's not the case.
The author of the article found that Ring doesn't add more security protections that nobody else does either, such as "Ring doesn't appear to check a user's chosen password against known compromised user credentials". Approximately no products do that. Turning off 2FA and turning it on again doesn't log out other family members. Okay maybe logging everybody off when you do that would be a good idea, but it seems like rather a minor quibble.
If what they reported are actually the worst things about Ring security, apparently Ring did a decent job (though not Fort Knox level security).
The part about not checking if you are a bot and also not limiting the number of failed password attempts is curiously absent in your list of "worst offenses"
Those items made me $2 million, so I like them (Score:3)
Those are good things to check. Actually the first real money I made in security was selling login software I made which basically counted failed logins from IPs and had a captcha. It was a cool captcha I invented, way better than the distorted text ones. The captcha was a bit of a red herring but that's a different story.
I sold about $2 million of that software, so I'm really kinda fond of those checks. Still, many, probably most, logins don't have a captcha.
Every month I gather with some friends in the s
the article is cocksuck (Score:2)
Yes, exactly. They do support 2FA and whatever else you want.
Did they test a real password after testing 10 false ones from the Tor network? If you're logging in from the Tor network, how are they supposed to block the exit points?
It might not be perfect, but at least they make optional things that should be optional. It's not as awful as Google's multi-factor authentication, which ACTUALLY just turns into multi-route password reset. That's the kind of stuff I'd have liked to have known, not some shoddy two bit pen tes
Re: I'm surprised their security doesn't suck (Score:2)
I lived at Fort Knox once during my term of service, believe me it's not very secure. A public highway runs right through the middle of it.
But yeah, I really hate it when some services implement the security measures that motherboard is asking for. Captchas are either totally useless or totally annoying. Recaptcha in particular tends to be hard to solve as it is very nitpicky. Some of the measures motherboard is asking for would pretty well piss me off as these are things that Amazon already does, and it su
gaslight much? (Score:2)
That's not basic. That's pretty uncommon.
That's not basic either. That's pretty uncommon too. a "wealth of online services"? Can I postulate a guess at 1%?
Re: (Score:2)
[It's a shocking surprise!] Said no one, ever.
There was a /. piece a couple weeks ago about the Ring system where I said basically the same thing as TFS and got modded down for it. Many Slashdotters are schizo as hell, apparently. Hilarious! :D
Allow me to borrow a phrase from "Raz0rfist" the Rageaholic from YT fame:
[spins in computer chair]
"Fuck you, I was right!
Fuck you, I was right!
Fuck you, I was right!"
Strat :D
Matches my expectations (Score:2)
I mean, they do absolutely nothing to protect customers that are not security-savvy. No mandatory 2FA, login from everywhere, no checks against leaked passwords, no nothing. For a company selling to the general public, that is not acceptable.
Re:Matches my expectations (Score:5, Insightful)
Even if they had 5FA, they'd still be a shit company ... the data generated by their cameras is stored on Someone Else's (Amazon's) computer without encryption at rest. The average Joe doesn't realize how bad of an idea this is.
And that is just it. They shamelessly do it on-the-cheap, relying on ordinary people not knowing what a bad idea that is.
Re: (Score:2)
That too, agreed.
Re:Matches my expectations (Score:5, Interesting)
If you live in Europe and your neighbor gets a Ring camera be sure to hit them with some GDPR data subject access requests and some data removal requests. Remind them to put up CCTV warning signs too.
If you live elsewhere then you better start lobbying for privacy laws.
Re: (Score:2)
Definitely different in Europe. If you record it in any way (your mind does not count as "recording"), the GDPR and other laws apply. CCTV _without_ recording is different.
Re: Matches my expectations (Score:1)
Or you could try not committing crimes in your neighborhood.
Re: (Score:2)
May also be that you need written consent from your neighbor and any of their visitors. CCTV in public places is done with some kind of security exception, private citizens will not get that. Worst case, you even need written consent from the snail-mail-person and anybody else doing deliveries to you. You will definitely be prohibited from having the camera see any public space.
In fact, nobody really knows what the full implications from the GDPR are, as it was (as usual) written by lawyers, not by people w
Consider the Source... (Score:2)
Vice is really rocking it these days, they've got a 24 hour cable channel on my system, and a website they cite here daily, and a good report of record on HBO.
Thing is, they don't report all the news, they just report the "vices" as they call it. The fact they're on this story indicates there's some evil use of Ring cameras, and they're basically reporting that to the good people so they think of the problem.
Seems like this is a little functionality to you, big gift to the local government in the form of do
What is the product? (Score:5, Insightful)
I guess people thought the product was a standalone security system. Turns out that was just the loss leader and they were the product [1]. Who would have expected that from a company that Google found a good acquisition target?
[1] also turns out their neighbors, who had no part and no say in the transaction, were the product too
Re: (Score:2)
Good correction - thanks.
Re: (Score:2)
Ring is owned by Amazon. If it was Google they would be using Google accounts which are decently secure.
People thought they were buying a cloud security system. That's the main selling point. You can watch it from anywhere, and you can join a social surveillance network of curtain twitchers in your local neighborhood. They knew exactly what they were getting.
Their only mistake was to think that Amazon has competent security.
Re: (Score:3)
social surveillance network of curtain twitchers
"Curtain twitchers". Perfect!
You made me smile. Well done!
Sad state of the internet when. (Score:2)
check a user's chosen password against known compromised user credentials
This is a thing. Actually if there is a match, the user should be denied an account and asked to return the device.
Re: (Score:2)
check a user's chosen password against known compromised user credentials
This is a thing. Actually if there is a match, the user should be denied an account and asked to return the device.
Well, not really. Nobody selling to the general public would make much business with this. But forcing a password change would be the thing to do and checking the new password against the whole set of leaked passwords before accepting it would also be a good idea.
this is entirely to be expected (Score:4, Insightful)
Re: (Score:1)
The criminal AC then takes the package.
AC "every working class individual" should be able to enjoy online shopping without a criminal stealing from them.
"Basic" redefined (Score:5, Insightful)
"Ring lacks basic security features, making it easy for hackers to turn the company's cameras against its customers," reports Motherboard:
Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in -- entirely common security measures across a wealth of online services... Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password..."
Those are hardly "basic security features." This is more of a hit job than anything else.
Re: (Score:2)
Those are basic security features for anything beyond a throwaway forum account. Even some of those warn me when I use a new IP for the first time.
It's really not acceptable to sell someone an internet connected camera and not help them secure it. Demand more corporate responsibility.
One ring .... (Score:5, Funny)
In the Land of Amazon where the Shadows lie.
One Ring (Amazon Registered Trademark, all rights apply) to rule them all,
One Ring (Amazon Registered Trademark, all rights apply) to find them,
One Ring (Amazon Registered Trademark, all rights apply) to bring them all,
and in the darkness bind them under copyright, patent and trademark law,
In the Land of Amazon where the Shadows lie.
It's Time For a Ring'd Goatse (Score:2)
Seriously. Everyone should go purchase a Ring, get it on your home network but NOT on your door. Somewhere in a closet or in a basement with a light shining on it. Together we'll find the epitome of goatse photos and aim all of our Rings at that. And just leave it there.
Re: It's Time For a Ring'd Goatse (Score:2)
Absolutely, I think it's high time the world discovered the truth behind the Ring: an elaborate well organized scheme to bring goatse to Joe Sixpack, and for him to find that he can't take his eyes off of it. He'll wind up ordering another--for *research* of course. On their less-than-basic approach to security, etc.
Is it time for a new horror flick, then (Score:2)
Hint: It's not even scary. Don't spend a dime to feature the homeless of LA as paid extras on this one. Hello, Hollywood, are you even listening? Don't be reading Slashdot for story ideas (sheesh talk about bottom of the barrel stuff; you came to the right place)
Sensationalistic language (Score:2)
Good enough? (Score:3)
So, I have a Nest Hello doorbell, not Ring, but the issues are similar, I'm sure.
My doorbell does its job. I can tell because every time I walk out or in, or my lawn service arrives, or a delivery comes, it alerts me that someone is at the door. It never misses.
If someone with hacking skills cares enough about me to hack my doorbell, they probably will succeed. Who on earth would that be? And why would they do that?
Somebody could hack my car, too. It takes, what, 30 seconds for a car thief to bypass the security measures and steal my car. Do I worry? Not really. Do I spend thousands on upgraded car security? No.
Let's not hyperventilate. Sorry folks, you just aren't important enough to have somebody try to hack YOUR doorbell.
Sorry, you just aren't that important (Score:2)
If you are a politician, beware. But if you're a "regular" person, why would anyone want to hack your doorbell? If somebody cares enough about _you_ to spend the time and effort, not to mention risking jail, to hack your doorbell, you are screwed. But before you hyperventilate, think about this: Who in the world has the skills, and the inclination, and the motive, to hack your specific doorbell?
Let's be totally fair though... (Score:2)