Home security cameras are in the news (again), featuring startling clips of hackers speaking creepily to children and sleeping adults through Ring cameras inside private homes. Ring says there has been no breach of its system. So what is happening?
The Vice team has been all over this story, tracking down a podcast that hacks people’s home cameras live for listeners, an activity dubbed “Ring and Nest trolling,” which is far worse than the prank phone calls of drivetime radio shows. According to Vice, “Software to hack Ring cameras has recently become popular on the [Nulled] forum. The software churns through previously compromised email addresses and passwords to break into Ring cameras at scale.”
And there’s the issue: previously compromised email addresses and passwords.
We cannot stress this enough. Weak and reused passwords are a serious vulnerability to your personal security and privacy. The software that the Nulled crew is using to tap into Ring feeds can be used to take over other things like, say, a Disney+ account. Or your bank account.
So, what can you do? In a nutshell:
- Use unique passwords.
- Create strong passwords.
- Opt for a password manager.
- Turn on multi-factor authentication.
- Monitor your accounts.
Consider this fictional scenario:
January 2012: You, a diehard fan of hand-egg action, decide to host a Super Bowl party and invite a bunch of friends. You set up an Evite account for the first time and select “football” as your password. The party was great, even though Sam spilled red wine on the sectional after Ahmad Bradshaw’s game-winning run. Anyway, game over, Pats lost. You forget all about setting up an Evite account and go on with your life.
August 2013: Unbeknownst to you, Evite was breached. The dates of birth, email addresses, genders, names, passwords, phone numbers and physical addresses of over 100 million accounts were exposed. Massive.
July 2018: You get a new Ring camera for your house so you can make sure your pricey home entertainment system is protected when you’re out of town. When it’s time to set up the password, you happen to pick “football”. And you use the same email address, because, well, it’s your email address. You don’t bother turning on Ring’s two-factor authentication because that sounds tricky.
July 2019: The Evite data breach is discovered and made public. You get a message from Evite telling you to change your password, which you had forgotten all about. You end up deleting your account, but that compromised data set, containing your email address and “football” password have possibly been circulating for six years.
December 2019: Some hackers decide to run the breached Evite data set against Ring accounts to see if they get any matches, which they do. Among the many matches, they get a hit on yours. Now they can access your Ring cameras and peer into your family room while you watch the game, and they can shout ugly things at your family through the device.
Had you used unique, strong passwords and 2FA (see below), this scenario might have been avoided.
For the record, we’re not saying this is exactly what happened with these Ring breaches, but something similar is highly plausible given what Vice reports.
Use different passwords for every account
Once more for those in the back: it is — well and truly — time to make passwords unique again. Reusing passwords is a huge risk that’s not worth taking.
Create strong passwords
What makes a strong password? Here are some tips:
- Aim for a minimum of 12-15 characters.
- Use a combination of upper- and lower-case letters, numbers and symbols.
- Use long passphrases by combining two or more unrelated words. Also use numbers or special characters, but don’t rely on substituting @ for “a” or 3 for “e”, which are overly-used and well known.
Read more dos and don’ts over here.
Remember it all with a password manager
The task of remembering your ever-expanding list of logins and unique, strong password combos is a big one. A password management tool like Firefox Lockwise makes it much easier so you can save some brainspace for memorizing the script of your favorite Office episode and your nonna’s secret pesto recipe. Lockwise can instantly generate tricky random passwords in the Firefox browser, save them securely, automatically fill in website and app login screens, and let you look up your passwords when you need to. Game changer. What are you waiting for?
Get that 2FA going
The other major step you can take to protect your account is to add a “second factor” to the login process. In most cases, the second factor is tied to your phone, which means that even if an attacker has your password, they can’t log in to your account unless they also have your phone. (And vice versa — if your phone gets stolen, they can’t log in unless they get your password.) Services that offer two-factor authentication (also known as 2FA or MFA, multi-factor authentication) provide instructions, but it usually involves entering your phone number or scanning a barcode with a special app. Then, when you log in, the website will ask you for a code from your phone.
Ring does offer 2FA, but it’s optional, not a requirement. Seems like a no brainer to activate it, and while you’re at it, make sure everyone in your household does as well. Oh, and don’t make the mistake of thinking a weaker password is safer because you have 2FA. Keep ‘em strong!
Sign up for data breach alerts from Firefox Monitor
Firefox Monitor can help you learn if your account information is compromised in a data breach or exposed to hackers in some other way. When you do the initial scan, Monitor will warn you if your credentials have been compromised by comparing it to the public breach data in the system. After that, you’ll have the option to sign up for future alerts.
One other important note, don’t beat yourself up if you’ve been lax or caught up in a data breach. The longer you’ve lived online, the bigger your digital footprint, and with that comes greater security risks. As internet citizens and people who have accounts with a multitude of different sites, services, apps and products, we, personally, can do little to prevent a data breach. However, there is plenty we can do to protect ourselves in anticipation of one. Much of that protective action comes down to passwords. Start practicing those five tips above, and you’ll already be on a more secure journey through the digital world.
Also published on Medium.