
Ring lacks basic security features, making it easy for hackers - dsr12
https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security
======
brown9-2
The part about the author giving their friend their credentials detracts from
the main point of the article, which is:

- Ring doesn’t check if the login comes from a new IP address or location

- the Ring app doesn’t tell users how many others are logged in

- Ring doesn’t check password dumps and alert users of reused credentials

I think we should all demand that major consumer electronic companies include
these features.

~~~
jmccorm
I personally remember witnessing the exploit of reused credentials as far back
as the 80s in the days of modems and personal BBSes. Here we are almost 40
years later and seeing the same problem, except with high speed live video
streams from in and around a user's home. WOW!

------
flashman
Ring can do more to protect people who re-use credentials that have been in a
data breach. Like Google's better password protection in Chrome,[0] sometimes
the stakes are high enough that the responsible thing to do is be proactive on
the user's behalf.

[0] https://blog.google/products/chrome/better-password-protections/

------
danso
Am I right in assuming that Ring, a company that was later acquired by Amazon,
has an entirely different infrastructure than something like Alexa? From what
I can tell, Alexa uses the same login system as my Amazon account, and (I
assume/hope) is as safe/vulnerable to remote brute forcing as my Amazon
account. But this seems not to be the case for Ring?

~~~
tuxracer
Sounds like it's not brute forcing, simply using the same email/password for
some random site that then gets compromised; malicious actors then try those
same credentials to log into Ring and they're in first try

------
mikevp
That's why all my passwords (including my Ring password) look like this:

c3Ve*w^ZHKmq1SQK&gGVQCezROLgZy

Individually generated, unique for every site I log into.

~~~
spydum
This doesn't help if your machine gets infected with malware. They can steal
that password and you'd never know - which is the point: unusual account
activity should alert the user.

~~~
syntheticcorp
If an attacker compromises your machine and steals your password they can also
just route their traffic through it, meaning the IP would match the regular
one seen by the Ring servers

~~~
spydum
Yes they can, but what we often see is accounts sold off to others. They don't
give away their infected machine. They just harvest credentials.

------
jibe
_My colleagues were only able to access my Ring camera because they had the
relevant email address and password_

Come on, what lousy click bait. If you give someone your username and
password, it isn't evidence of terrible security.

~~~
addicted44
You've taken that phrase completely out of context.

The author is clarifying that their friends were only able to access it
because the author gave them the email/password, because the author wants to
illustrate what someone who did have your email/password could see.

What's relevant are the sentences that come immediately after:

>, but Amazon-owned home security company Ring is not doing enough to stop
hackers breaking into customer accounts, and in turn, their cameras, according
to multiple cybersecurity experts, people who write tools to break into
accounts, and Motherboard's own analysis with a Ring camera it bought to test
the company's security protections.

Then the author goes through some instances and tools built to hack Ring
passwords.

IOW, the author isn't claiming that Ring is insecure because someone who he
gave the email/password to is able to log in. The author is showing the kind of
information a person who has your email/password can access, and then is
showing how easy it is for someone nefarious to get that information.

~~~
tinus_hn
The article is just fear mongering bs, suggesting useless solutions like sms
two factor authentication.

The problem is with people using stupid passwords which is a problem on just
about any service and has nothing to do with Ring. Yes it could be better but
so could a lot of services.

~~~
shermozle
The level of security you provide should be commensurate with the risk.
Perhaps you don't need 2FA and IP checking for your smartwatch but you
probably need it for your x-ray machine.

This is a device people are encouraged to put into their homes, with access to
their most intimate moments. And sold to untrained consumers who probably
won't even read any documentation you supply. And, as the article highlights,
there are active attacks.

Ring need to up their game.

~~~
caf
Yes, this seems like exactly the kind of service that should be checking
passwords against known compromised password sets.
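
An added example, not part of the thread and not Ring's code: a minimal server-side sketch of the three checks listed in the first comment and the compromised-password check mentioned just above, run after a password has already been verified. The `Account` type, the `on_login` function, the alert strings and the breach corpus are all hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample corpus: SHA-1 digests of passwords "seen in breaches".
# A real service would load a published breach corpus instead. SHA-1 is used
# here only as a lookup key, never as the stored password hash.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "ring2019", "qwerty123")}


@dataclass
class Account:  # hypothetical account record
    email: str
    known_ips: set = field(default_factory=set)   # IPs of past successful logins
    sessions: dict = field(default_factory=dict)  # session id -> source IP


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def on_login(account: Account, password: str, ip: str, session_id: str) -> list:
    """Record a successful login and return the alerts to send the owner."""
    alerts = []
    # 1. Login from an address never seen for this account. The very first
    #    login is treated as enrollment and raises no alert.
    if account.known_ips and ip not in account.known_ips:
        alerts.append(f"new_ip:{ip}")
    # 2. Password is known from a breach, so it is likely reused elsewhere.
    if is_breached(password):
        alerts.append("breached_password")
    account.known_ips.add(ip)
    account.sessions[session_id] = ip
    # 3. Tell the owner how many sessions are logged in at the same time.
    if len(account.sessions) > 1:
        alerts.append(f"active_sessions:{len(account.sessions)}")
    return alerts
```

Exact IP matching is noisy on mobile networks, so a production check would usually compare network or coarse location rather than the literal address.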

------
TwoNineA
The 'S' in IoT is for 'Security'.

~~~
OnlineGladiator
I'm going to steal this - thank you :)

~~~
ebg13
That's ok. They did too.

