One of Ring’s stated goals is to “reduce crime in neighborhoods by connecting people.” What customers didn’t expect is that those people would be criminals who’d be spying on them in their homes, occasionally yelling racist or threatening things at their children.
On Thursday, BuzzFeed News reported that at least 3,672 Ring camera owners had been compromised. Their passwords, some payment information, and other personal details were discovered floating around online. The access this enables is frightening. One could essentially comb through months’ worth of recorded video for each user.
Not more than a few hours later, TechCrunch reported being handed another list of around 1,562 Ring camera credentials, which had likewise been posted online. As of mid-afternoon Thursday, the list remained publicly available.
News of these lists follows a week of individual stories from actual camera owners who complained to reporters that they’d been harassed in their homes by mysterious voices emanating from their Ring devices. Some owners had, very unwisely, installed them in their children’s bedrooms.
Last week, Motherboard found that hackers had developed dedicated software to streamline the intrusions and were selling it for as little as $6. Some sick fucks had even taken to hijacking the cameras live on a Discord server for others’ amusement because, well, that’s what sick fucks do.
Amid this wave of damning reports, Ring has taken the staunch position that it bears no responsibility for these incidents whatsoever. “Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts,” the company told Gizmodo last week.
It’s true. Reusing passwords is dangerous, it’s a common problem, and security experts have been warning people about it for years.
That’s also kind of the point. Broadly speaking, people don’t listen very well. For the sake of convenience, they often act against their own interests. Many just remain ignorant of the risks.
Companies are supposed to take these factors into account when designing a product—particularly, a security product. Many do. But not Ring.
Every year, for example, thousands of children are injured in furniture tip-overs. There’s plenty of available literature warning parents about it. The knowledge is out there. But somehow, it just keeps happening anyway. In 2016, furniture giant IKEA recalled some 35 million products, telling customers straight up to stop using them “immediately.” Then it designed some new products, ones that don’t tip over.
Even if its lawyers quietly considered doing so in some backroom, IKEA’s response wasn’t to blame the parents or their children. It just acted and fixed the damn problem.
Ring is doing the opposite. It has explicitly blamed thousands of its customers for getting hacked in droves. Of course, none of its customers had to pass a security-literacy quiz before Ring shipped them a camera. Anyone with a few hundred bucks can stick a handful all over their house. At the point of purchase, Ring doesn’t care if you can spell “security,” much less have any expertise in the field.
That thousands of Ring customers are simultaneously experiencing the same frightening problem is a clear indication that this isn’t a matter of sporadic product misuse, but a systemic failure in Ring’s own customer care. That it’s being pinned on the customers themselves with no additional safety measures being implemented is indicative of a corporation with a flawed sense of social responsibility.
In point of fact, none of the Ring camera owners who got hacked were misusing the devices in any way. They simply hadn’t taken separate, additional measures to protect the devices that they thought were protecting them.
Sure, Ring has taken steps now—at least, by publishing a blog on its corporate website, because people definitely read those, and sending out emails—to remind users to change their passwords. But that clearly won’t solve anything. That’s how the cameras got hacked in the first place. People ignored that advice, didn’t take it seriously, or probably in many cases, simply never heard it.
To put it another way, the tactic Ring has chosen to address this problem is the same one it inadvertently exposed as being totally worthless.
There are other steps Ring could take right now. Given how widespread the hijackings have become, no one would blame Ring for forcing its customers to adopt two-factor authentication. (Ring declined to comment on the record about why it isn’t.) There’s no good reason not to do this, beyond inconveniencing a small percentage of petulant customers who think the 10-second process is just a big headache.
As Motherboard reported this week, Ring’s security overall is disappointing. (The disappointment is magnified to an extreme level by the fact that Ring is inherently a “security” company.) For example, Ring, which Amazon purchased for $1 billion last year, doesn’t notify users when someone logs into their account from an unknown IP address. There’s no way to track logins to see if others are watching live camera feeds. These are, as Motherboard noted, standard options available for countless IoT products.
As one researcher complained to the site: “They are worth billions so where is the investment in security.”
Viewed through that lens, the idea that the responsibility for this falls anywhere but squarely on Ring’s own back is completely absurd. Of course it has a responsibility to put an end to this, even if the improvements it decides to implement make using its products a little less convenient.
Effortless security is a myth. Time is the price you pay for peace of mind. It might take a few extra seconds to unlock that deadbolt you put on your front door. Yeah, it’s annoying when you’re standing outside with an arm full of groceries fiddling with your keys in the dead of the winter. But don’t forget why you installed it in the first place.
And hey, while you’re at it, go change your password.