John was on his way home from the grocery store when he got the panicked call from his wife. After a weekend out of town, his kids were finally asleep in their Houston area home. His wife was getting ready for bed too, before she heard a stranger’s voice echoing down her hallway.
“Is anyone home?” it asked.
“We’re gonna find out,” it promised.
The male voice was coming from a speaker on a camera posted near the TV in the living room. It was set up by the couple so they could monitor their babysitters remotely. It had brought them peace of mind. But now there was a strange voice and a loud alarm emanating from the device, piercing like a klaxon through the hallways, threatening to wake the children a few rooms away. Then the voice began taunting John’s dog.
The 33-year-old dad immediately pulled to the side of the road.
He rushed to open the Ring app on his phone. Disconnecting the five security cameras he’d placed around the house would do the trick, he hoped. As he continued the drive, he wondered just how they had “broken in.” One scenario worried him more than the others.
If whoever had hacked his camera had broken in through his wifi, he thought to himself, then that means they must be close.
As he neared the driveway, John’s eyes darted up and down the street, searching for signs of anyone suspicious; a car, perhaps, that didn’t belong. Inside, he peered into his backyard, scanning the fence line. But the light only stretched so far, and he was left wondering if someone was there, just beyond its reach.
“I slept with my gun next to my bed that night, which I never do,” he said.
“That was in the forefront of my mind and my wife’s mind, you know, with two kids and everything,” he continued. “I couldn’t see anybody in my front yard, on the street, and my backyard up until the fence. I didn’t see anybody. But beyond the fence it’s so dark. I didn’t know if somebody was spying on us to look for an opportunity to break in—or something. That’s the unnerving part.”
John’s family isn’t alone in their experience. In the past week, frightening tales of indoor cameras being hacked have gone viral. It’s now become apparent that Ring customers, in particular, are being targeted.
After buying one of the Amazon-owned company’s doorbell cameras, John installed four more Ring devices around the house: Two Stick Up cams to watch the kids and the doggy door, as well as two floodlights equipped with cameras outside. A rash of vehicle burglaries in the neighborhood had led to the purchase. Now he was forced to disconnect them all and then set about the annoying task of changing the passwords on every internet-connected device he owned.
“You hear about celebrities being targeted,” John said. “But I didn’t think it would happen to me.”
A Ring official said by phone that the company’s own systems had not been compromised and that customers reusing old passwords, or whose passwords were too simple to begin with, are the ones who are at risk.
“Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts,” Ring said in a blog post. “Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts.”
In John’s case, the police weren’t called. He’s still on the fence about whether or not it’s worth it. “By the next morning we had moved on with our lives and didn’t think it was a big deal,” he said.
Ring initially responded quickly when he reported the incident, escalating the issue to its security team. But nearly a week has passed now and John’s yet to hear anything back. His Ring account predates his use of a password manager, he says, but important accounts are locked down and use randomized passwords. What he wants to know is if Ring has any actual evidence that his password was cracked. He’s gotten no answers so far. (A Ring official offered to speak directly with John after Gizmodo called the company for comment.)
Motherboard reported this week that hackers have developed dedicated software for breaking into Ring cameras. They appear to be doing it mostly for entertainment. A custom app that helps locate vulnerable cameras is being sold for as little as $6, the site reported, and a podcast on Discord, the voice app built for gamers, has taken to hacking the cameras live on air.
The hackers are brute-forcing their way in, according to Motherboard, “rapidly churning through usernames or email addresses and passwords and trying to use them to log into accounts.” None of the victims had set up two-factor authentication.
The seriousness of the hacking incidents became apparent after WMC 5, a local Tennessee news station, broadcast Ring footage taken in an 8-year-old girl’s bedroom that depicts a mysterious voice feeding her instructions. “It’s Santa. It’s your best friend,” the voice says.
In a separate incident in Florida, a camera hacker reportedly spewed racist slurs over a speaker.
Despite the hack, John said his cameras are now back online. He’s convinced all the steps he took to secure his network will prevent it from happening again. And his wife, he says, prefers having the ability to keep an eye on the kids.
“That’s a big deal to her, to make sure we don’t have any problematic baby sitters or anything like that. And I’m not sure she’s willing to give up that ability because of this. We don’t have it in bedrooms, obviously. I would never put one in the bedroom. We have baby monitors that satisfy that need that aren’t connected to the internet,” he said.
“We don’t do anything weird on the cameras. I’m kinda of the opinion that if you don’t do anything wrong, you have nothing to worry about. It’s not like there’s illicit drugs in my house. There’s not anything like that going on. So I don’t really care. But what I have a problem with is somebody getting access to live view and disrupting our lives,” he said.
“What could have been really bad is, had my wife gone to the camera. I told her the best thing she did was ignore it and walk away,” he said. “If she had gone to the camera they could have started to demand things, or say really threatening things, that could have taken that unnerving to another level.”
Asked if Ring could have done more, John said he didn’t remember ever receiving an email about setting up two-factor authentication. “That should be a mandatory thing, in my opinion,” he said. “It’s a real easy thing to set up and use.”
A Ring spokeswoman said that emails referencing the security measure are “definitely” sent out to customers after they sign up, but that she would check to see how the company is notifying its users about the option. “We’re always looking at ways we can be better for our customers,” she said.
When asked whether Ring is currently working with any law enforcement agencies to hunt down the hackers that are targeting its users, the official told Gizmodo that she currently had nothing to share.
Editor’s note: “John” is an alias used to protect the identity of the Ring footage’s owner.