Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password.

Other steps Ring could take to better keep hackers out include checking whether someone is logging in from an IP address Ring has never seen before, and if so, carrying out additional checks, Cuthbert said. Another is checking for concurrent sessions, such as seeing whether the user is simultaneously logged in from, say, both Germany and the U.K., Cuthbert added, in case one of those may be a hacker accessing the account.

One member of a hacking forum who codes cracking tools, and who Motherboard granted anonymity so they could speak more openly about the process, said, "just enabling SMS verification if there is a connection from an unknown IP would instantly kill each checker." A checker is a piece of software that grinds through credentials to see if they work on a particular site or service.
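The checks described above can be sketched in a few lines. This is an added example, not code from the article or from Ring; the function names, the SHA-1 leaked-password set and the sample IP addresses are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: SHA-1 digests of passwords treated as already leaked.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "qwerty123")}

@dataclass
class Account:
    known_ips: set = field(default_factory=set)
    active_sessions: dict = field(default_factory=dict)  # session id -> country

def is_compromised(password: str) -> bool:
    """Check a newly chosen password against the leaked-password set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

def risk_signals(account: Account, ip: str, country: str) -> list:
    """Collect the signals the article lists, for a login whose password was correct."""
    signals = []
    if ip not in account.known_ips:
        signals.append("new_ip")
    if any(c != country for c in account.active_sessions.values()):
        signals.append("concurrent_session_other_country")
    return signals

def login(account, session_id, ip, country, second_factor_ok=False):
    """Return ('allow' | 'challenge', signals); account state changes only on 'allow'."""
    signals = risk_signals(account, ip, country)
    if signals and not second_factor_ok:
        # A correct password alone is not enough: require the extra check first.
        return "challenge", signals
    account.known_ips.add(ip)
    account.active_sessions[session_id] = country
    return "allow", signals

def demo():
    acct = Account(known_ips={"203.0.113.10"})                # owner's usual address
    results = [login(acct, "s1", "203.0.113.10", "GB")]       # familiar IP
    results.append(login(acct, "s2", "198.51.100.7", "DE"))   # right password, unseen IP
    results.append(login(acct, "s2", "198.51.100.7", "DE", second_factor_ok=True))
    return results

if __name__ == "__main__":
    for decision, signals in demo():
        print(decision, signals)
```

The unseen address is only added to `known_ips` after the second factor succeeds, so a failed challenge never makes that address trusted.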
The victims of Ring hacks have said themselves that they feel the company is putting too much burden on them to stop hackers. Ashley LeMay, one of the parents in Mississippi whose camera was hijacked to then spy on their children, told the New York Times she thought Ring's response provided scant information and shifted responsibility for the breaches onto customers.

"Auth [authentication] is still stuck in the '90s," Cuthbert said. "Username and password and very little other than that. That was ok back then but today we have a wealth of knowledge and experience to know that we need additional telemetry to make the [authentication] decision," he added.

Ring is advertised as a home security device which is supposed to make its customers safer by monitoring their homes. But its lack of certain security features shows how the device can work against its owners, and open them up to other risks. When I get home tonight, I'll put the Ring camera back into its box, regardless of whether that little blue light is on or not.

Jason Koebler, Emanuel Maiberg, and Lorenzo Franceschi-Bicchierai provided additional reporting for this piece.
"They are worth billions so where is the investment in security."