Predictions are that there are going be billions of Internet of Things devices connected to the Internet over the next few years.
This past week the story has been about Amazon’s Ring camera – an example of an Internet of Things device.
In one case, in Tennessee, someone hacked into a family’s Ring cameras and talked to the family’s little girl and encouraged her to do destructive things. The camera, in the little girl’s room, had been installed four days earlier.
In another case, in Florida, the hacker hurled racial slurs at the family’s son.
Amazon says that they take the security of their devices and service extremely seriously. They also said that THEIR network wasn’t hacked (i.e., not my fault). Not smart PR.
I think that is true (that they take security seriously) as long as it doesn’t impact sales, drive up costs or cause more support calls.
For example, Ring (Amazon) says that they “encourage” users to enable two factor authentication. But they don’t make two factor authentication mandatory. That would make it harder to install and use Ring products, negatively impacting sales and driving up support calls. Score one against Amazon.
On the other hand, users are not taking the threat seriously enough to make sure that they are protecting their families.
I have a Ring camera so I logged on. Guess what, I didn’t have two factor turned on. I have had my camera for a couple of years, so I wondered WHEN Ring added two factor authentication because surely I would have turned it on if it was there.
I found a number of posts within the last week telling people how to turn on two factor. Then I found one post on Reddit from SEVEN months ago that Amazon (I am intentionally switching between calling it Ring and calling it Amazon because Ring is Amazon and Amazon is Ring. Amazon should know better) just turned on two factor authentication, but it wasn’t available to everyone yet.
That means until a few months ago, Ring didn’t even have two factor authentication available, never mind making it mandatory. That means that from 2013 when the first Ring doorbell came out until just a few months ago – a period of about 5 years – they didn’t offer two factor authentication.
They still don’t offer geo-fencing – the ability to say that hackers in North Korea, China or Russia should not be allowed to try and hack my doorbell.
They don’t give me the ability to white list Internet addresses that I want to be able to get to my web login from.
Apparently, they don’t notify current customers – like me – when new security features are available.
Assuming you put a Ring (or competitor’s) camera in your kid’s room, what is the possible downside of the camera being hacked?
I assume that your kids are naked in their room sometimes. You can figure out the rest.
If you put a camera in your living room, do you ever come out at night to get a drink of water and cross the path of your camera? What are you wearing then?
Not to mention the possibility of freaking out your kids so badly that they might need therapy.
So what should you be doing to protect yourself and your family?
First, think really hard about WHERE you put your Ring or other Internet connected cameras. My camera monitors the outside of my house. While not optimal to get hacked, it is way less personal than in my kid’s bedroom.
Next, don’t just plug it in and connect it to the Internet. Understand what security features the camera has and make sure that you enable them. This takes work on your part and they don’t make it easy for you. Sorry. If you are not willing to do this, DON’T BUY THE CAMERA.
Make sure the camera is always patched. In the case of Ring, the cameras phone home to make sure they are patched, but not all Internet of Things devices work this way.
Ring only supports text messaging for the second factor. As I have said many times, that is not the optimal solution.
Arlo, an Amazon Ring competitor, will send a message to the app on your phone if someone logs in from an Internet address that they haven’t seen before. That is a good feature. Amazon doesn’t offer that.
You should isolate your Ring cameras and other Internet of Things devices so that if they get hacked they can’t take over other devices on your network. That will probably require some IT expertise.
I have been holding off buying any more Ring cameras because I am not very pleased with their security and privacy strategy. If more people hold off buying their products, they will get the message.
Also, if people light up social media, that would would help make the point.
Bottom line, vendors need to provide security and privacy features, users need to use the features that are there and prospective customers need to vote with their wallets to get companies attention. Source: Vice