In case you needed another reminder of the potentially terrifying downside of having a Wi-Fi-connected security camera in your home, consider this: it’s surprisingly easy for hackers to gain access to them.
Hackers have created software that essentially streamlines the process, and are selling and sharing it on internet forums, Motherboard reported. The exploit is possible not because of any one vulnerability in Ring’s software, but rather how it takes advantage of insecure passwords in order to get into the accounts in question.
This is much more than a theoretical vulnerability. There have been reports all around the country of people encountering strangers on the other end of their in-home security camera.
Recently, local news in Tennessee reported on a distressing incident in which a hacker yelled racial slurs at an 8-year-old girl in her bedroom just four days after her mother set up a new Ring camera she had gotten from a Black Friday deal.
From BuzzFeed’s description of the interaction:
For nearly 10 minutes, he interacted with Alyssa. He could see her, talk to her, and had access to a second system placed in her baby sister’s room downstairs.
Thinking it was her younger sister playing music, the third grader wandered upstairs to her room as the eerie song, “Tiptoe Through the Tulips,” blared from the Ring camera. The man proceeded to tell her to go call her “mommy” the n-word and demand that she repeat it back to him: “Come on girl, say it with me.”
“Mom?” Alyssa asked, confused. “Who is that?
“I’m your best friend,” the replied. “You can do whatever you want right now. You can mess up your room, you can break your TV. You can do whatever you want.”
As horrifying as it sounds, what happened to that family wasn’t a one-off occurrence. A similar incident occurred in Florida just a few days earlier.
For its part, Ring points out that these hacks are possible because people are using weak passwords that have previously been compromised. Hackers often obtain lists of login credentials and attempt to reuse them on other services in what’s sometimes known as “credential stuffing.”
But the Amazon-owned company also doesn’t require camera owners to use two-factor authentication, which could help prevent these types of attacks, even though the company told Motherboard their reps “encourage” the practice.
So if all this hasn’t scared you away from your home security cameras, you should — at the very least — double check those security settings.