After a series of high-profile hacks involving in-home Ring security cameras, some people are finding that devices they bought to increase their sense of security at home are doing just the opposite: leaving them feeling less secure, at risk and even violated as outsiders hijacked the devices with seemingly little to no effort.
We are in the midst of the holiday shopping season and people are evaluating devices like this. Because of that, it’s good to understand what’s actually going on so you can make an informed decision.
It’s also good to understand what’s going on from a tech industry point of view. There are lessons here for device makers at all companies — but especially startups — on how these kinds of problems happen and what can be done to prevent them.
In a nutshell, the industry’s reliance on passwords is truly coming home to roost.
The statement from Ring, an Amazon subsidiary, tells us all we need to know about this incident:
Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts. Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts.
This statement is nearly identical to one from Google in April 2019 in response to a nearly identical problem affecting their Nest devices.
The statements are so similar because the root cause is the same: for ease of use, these devices rely by default on passwords. In reality, people reuse passwords regularly. When it comes to configuring devices, password managers are nearly impossible to use, and entering strong passwords on anything other than a full-sized keyboard is impractical. When we combine passwords with IoT devices, we have a perfect storm that effectively leads to password reuse and/or weak passwords.
In an era of easy and pervasive data breaches, if you reuse a password even once, there is a good chance it has already been compromised: just go to haveibeenpwnd.com and check for yourself.
This problem has been made even worse because so many companies have looked to reduce their account support burden by having your email address act as your login. That makes it even easier to use compromised passwords since the attackers have the login AND the password.
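The attack described above (a breach list of e-mail/password pairs replayed against another service) has a recognisable shape in a login log: one source trying many distinct accounts, mostly failing, with an occasional success where the password was reused. The following is an added illustration, not code from Ring, Nest or the article; the log lines, IP addresses, accounts and thresholds are all constructed for the example.

```python
"""Detect credential-stuffing sources in a login log (illustrative).

Flags a source IP that, within a sliding time window, attempts logins for
many distinct accounts with a high failure ratio. Thresholds are assumed
values for the example, not any vendor's real settings.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int          # seconds since epoch (constructed timestamps)
    src_ip: str
    account: str     # e-mail address used as the login name
    success: bool


# Constructed sample log: "<ts> <src_ip> <account> <OK|FAIL>". No real users.
SAMPLE_LOG = [
    "1576450000 203.0.113.7 alice@example.com FAIL",
    "1576450003 203.0.113.7 bob@example.com FAIL",
    "1576450005 203.0.113.7 carol@example.com OK",   # reused password hit
    "1576450008 203.0.113.7 dave@example.com FAIL",
    "1576450010 203.0.113.7 erin@example.com FAIL",
    "1576450012 203.0.113.7 frank@example.com FAIL",
    "1576450100 198.51.100.4 grace@example.com FAIL",  # ordinary typo
    "1576450130 198.51.100.4 grace@example.com OK",
]


def parse(line: str) -> LoginEvent:
    ts, ip, acct, status = line.split()
    return LoginEvent(int(ts), ip, acct, status == "OK")


def find_stuffing_sources(events, window=300, min_accounts=5, min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources whose sliding window looks like stuffing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide window forward
                start += 1
            win = evs[start:end + 1]
            accounts = {e.account for e in win}
            fails = sum(not e.success for e in win)
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # Record the latest qualifying window; "hits" are accounts to alert/reset.
                flagged[ip] = {"accounts": len(accounts), "attempts": len(win),
                               "hits": sorted(e.account for e in win if e.success)}
    return flagged


def detect(lines):
    return find_stuffing_sources([parse(l) for l in lines])
```

In practice stuffing tools rotate source addresses, so a real detector would also key on ASN or device fingerprint; the successful "hits" are the accounts whose owners should be forced through a password reset and 2FA enrolment.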
To their credit, Ring and Nest both provide a two-factor authentication (2FA) option. However, anyone who’s had to do “family tech support” knows how ridiculously hard it is to get non-technical people to use 2FA successfully.
And within the security world, we know that two-factor authentication is already starting to fail as a reasonable countermeasure. More and more organizations are moving to multi-factor authentication (MFA). If you thought getting your parents to use 2FA was difficult, just try getting them to use MFA as it’s implemented today.
What does this all mean in practical terms? It means that hacks like this will continue so long as buyers are faced with a choice between multiple unusable and infeasible security options.
However, there is an opportunity here for companies, especially startups, to recognize that the current state of security for IoT devices in the home is simply intolerable, and look to come up with a new solution that combines ease-of-use and good security practices.
Until that problem is solved, situations like this will continue to be a barrier to adoption of IoT devices in the home.
Meanwhile, for your holiday shopping, the message is equally clear. If you want one of these devices for yourself or others, you should be prepared to invest the time and energy to learn and implement the strongest security possible on it.
To Ring’s credit, they have easy-to-find information on implementing 2FA for their devices here.
Sadly, Google doesn’t make Nest 2FA information easy to find but Google is moving Nest accounts over to Google accounts. You should review the Google 2FA page for information on how to secure your Google account.
In the end, this is what happens when technology from nearly 2020 relies on a security measure from 1960.
Update, Monday Dec. 16: Ring says it will introduce new security features, but it has yet to say what those will entail.