[Amazon's surveillance doorbell company Ring sells "security" — the sense that surveilling your porch or your driveway or your home can make you safe. But when the company experienced a grotesque and completely predictable breach that saw hackers breaking into Ring cameras and spying on and tormenting their owners, Amazon blamed their customers for recycling passwords. In this outstanding Deeplinks post, my EFF colleagues, Cooper Quintin and Bill Budington, explain just how odious this victim-blaming really is. -Cory]
Just a week after hackers broke into a Ring camera in a child’s bedroom, taunting the child and sparking serious concerns about the company’s security practices, BuzzFeed News is reporting that over 3,600 Ring owners’ email addresses, passwords, camera locations, and camera names were dumped online. This includes cameras recording private spaces inside homes.
This stunning new leak could provide criminals and stalkers with access to live video feeds from inside and around thousands of Ring customers’ homes, let them view archived videos, and reveal the precise location of every Ring device attached to a compromised account, by combining the orientation of the footage with the location information attached to each camera.
Ring has claimed that this attack was the result of credential stuffing, a technique where attackers gather usernames and passwords compromised in another data breach and try them on other websites. Ring claims that the incident is “in no way related to a breach or compromise of Ring’s security.” Ring is attempting to place the blame squarely at the feet of their customers for reusing passwords, using weak passwords, and not turning on two-factor authentication. The truth is that Ring itself deserves the largest share of blame for every attack that their users have suffered.
We don’t currently know how the Ring account data was acquired, but for the moment let’s take Ring at their word that this was a credential stuffing attack. That implies that an attacker tried tens or even hundreds of thousands of username and password combinations against Ring’s website, and Ring didn’t even notice until they were alerted by security researchers.
Best practices in website security provide a few basic guidelines. First, numerous consecutive failed login attempts on an account should trigger extra scrutiny for that account. This may include limiting the number of attempts or locking the account until the owner can be contacted. Second, when a password is chosen for an account, it should be screened: checked against a list of known compromised passwords and required to be sufficiently complex. Third, account holders should be able to see (and audit) the list of devices that have logged in to their account. And fourth, companies should encourage users to enable two-factor authentication (2FA) in their account settings.
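As an added illustration of the first two guidelines (not code from EFF or Ring), the following script runs simple detection logic over a constructed authentication log in a hypothetical `<timestamp> <RESULT> <account> <ip>` format: it flags accounts under brute force, source addresses showing the credential stuffing pattern (many distinct accounts failing from one IP), successful logins from a flagged source that the owner should be notified about, and it screens new passwords against a constructed stand-in for a breached-password list.

```python
from collections import defaultdict

# Constructed sample authentication log in a hypothetical format (not Ring's):
# "<timestamp> <RESULT> <account> <source-ip>"
SAMPLE_LOG = """\
2019-12-19T10:00:01 FAIL alice@example.com 203.0.113.5
2019-12-19T10:00:02 FAIL bob@example.com 203.0.113.5
2019-12-19T10:00:03 FAIL carol@example.com 203.0.113.5
2019-12-19T10:00:04 OK dave@example.com 203.0.113.5
2019-12-19T10:01:00 FAIL frank@example.com 198.51.100.7
2019-12-19T10:01:05 FAIL frank@example.com 198.51.100.7
2019-12-19T10:01:09 FAIL frank@example.com 198.51.100.7
2019-12-19T10:02:00 FAIL grace@example.com 192.0.2.9
2019-12-19T10:02:30 OK grace@example.com 192.0.2.9
"""

def parse_log(text):
    """Split each non-empty line into (timestamp, result, account, ip)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def brute_force_accounts(events, threshold=3):
    """Accounts with >= threshold failures: lock or require owner contact."""
    fails = defaultdict(int)
    for _, result, account, _ in events:
        if result == "FAIL":
            fails[account] += 1
    return sorted(a for a, n in fails.items() if n >= threshold)

def credential_stuffing_sources(events, threshold=3):
    """IPs failing against >= threshold distinct accounts: the stuffing signature."""
    accounts_by_ip = defaultdict(set)
    for _, result, account, ip in events:
        if result == "FAIL":
            accounts_by_ip[ip].add(account)
    return sorted(ip for ip, accts in accounts_by_ip.items() if len(accts) >= threshold)

def logins_to_review(events, threshold=3):
    """Successful logins from a flagged source: accounts to notify and re-verify."""
    bad_ips = set(credential_stuffing_sources(events, threshold))
    return sorted({a for _, r, a, ip in events if r == "OK" and ip in bad_ips})

# Constructed stand-in for a known-compromised-password list
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

def password_acceptable(pw, min_length=12):
    """Reject passwords that appear in the breached list or are too short."""
    return pw.lower() not in BREACHED_PASSWORDS and len(pw) >= min_length
```

A production version would count failures within a sliding time window and consult a real breached-password service rather than a fixed set, but the alerts it raises are the ones a provider in Ring's position should be watching for.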
Ring cameras have extremely sensitive data—live footage adjacent to and often within the home—at their disposal. This means that Ring should be extra careful with account information, going beyond basic account protections. And although Ring has 2FA available for accounts, they rarely encourage its use to protect user accounts, with the exception of the email above. Furthermore, they appear not to have followed any of the other best practices listed above. And instead of giving users clear channels of remediation, they’re placing the blame for the data breach on their own users.
Ring has demonstrated a pattern of negligence in enforcing even basic web application security controls. As late as February they sent video feeds to their cloud providers completely unencrypted. Ring has done too little to prevent account breaches, instead opting to blame their customers for any security breaches. Ring claims its primary business is the security of its customers. Yet they’ve failed to follow even basic data security best practices, opting instead to put the burden on their customers.
(Crossposted from EFF Deeplinks)