How to Kick Hackers Out of Your Ring Account
Much has been written about the security of Amazon’s Ring cameras. I still maintain that most of the problems people find with the company’s security require an attacker to know your username and password, which you can guard against by using a strong, unique password for your account. But don’t stop there.
Vice’s Motherboard correctly criticizes the company’s lax security practices in its latest investigation, which discusses how Ring does nothing to tell you when someone tries to log into your account (or succeeds). For example, you do not receive an alert when someone logs in from an IP address that has never previously been used to log into your account, and that person, in turn, is not required to provide any additional proof that they are you. There is also no way to find out how many people have logged into your account at any given time, or to see a list of all IP addresses that have successfully logged into your account.
In fact, Ring doesn’t seem to do much to prevent the brute-force attacks that hackers use to compromise Ring accounts (using previously leaked credentials). As Motherboard describes:
“Ring’s hacker software works by quickly checking if the email address and password are working on Ring’s login portal; hackers usually use a list of already hacked combinations from other services. If someone makes too many incorrect login requests, many online services will temporarily stop them, flag their IP address as suspicious, or present a captcha to verify that the user trying to log in is a human and not an automated program. Ring appears to have minimal protection against this. Motherboard deliberately entered the wrong password for our login portal account when connecting from the Tor anonymous network dozens of times in a row. Ring never tried to restrict our login attempts or present a captcha.”
The good news? You can still secure your Ring account, sort of, but you will need to take an extra step to kick out anyone who is already logged in and watching you read this right now.
Keeping your Ring account secure is easy but tricky
According to Mozilla, the best way to keep your Ring account safe from intruders is to enable two-factor authentication, and it is very simple to do. Open the Ring app on your iOS, iPadOS, or Android device, call up your account settings from the icon in the top left corner (the three-line icon), and find “Two-Factor Authentication” under “Enhance Security”.
Turn it on, enter your password, provide Ring with a mobile phone number that it can use to send you a verification code, and enter that code when prompted.
Because Ring only sends you a code when you or someone else tries to access your Ring cameras from a new device, this method is slightly less secure than a proper two-factor authentication setup. (This is a slight difference for the average user, but important to know.)
But here’s the interesting thing: enabling Ring’s two-factor authentication (to use its terminology) doesn’t log out anyone who’s already signed in to your account. This is a strange but important distinction: you will make your account more secure for the future, but not for the present.
At the time of this writing, the only way to log out everyone who can access your account is to change your password. Do this after you set up two-factor authentication, and your Ring account will be as secure as it can be.
Since you will not receive any notification if someone has your credentials and tries to log in as you, only to be stopped by the two-step verification, you will have to trust that the attacker has not also found a way to intercept your messages.
And this is where Vice’s reporting is striking: since Ring provides the bare minimum of information to its users, you really won’t have a way to know if someone has succeeded in obtaining your account credentials and bypassing your two-factor authentication. While the likelihood that a random attacker would be able to do this is incredibly low, the probability should be zero. There is no reason Ring cannot tell you when someone tries to log in with your username so that you can then change your password or protect your authentication method.
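The server-side checks this article says Ring lacks (throttling repeated failed logins, telling the owner about failed attempts, and challenging a login from a never-seen IP address), sketched as an added example that is not code from Ring, Motherboard or the original article. The thresholds, action names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5      # assumed threshold: failures tolerated per IP or per account
WINDOW_SECONDS = 300  # assumed sliding window for counting those failures

class LoginMonitor:
    """Decides what a login service should do with each attempt (hypothetical action names)."""
    def __init__(self):
        self.failures = defaultdict(deque)  # ("ip"|"account", value) -> failure timestamps
        self.known_ips = defaultdict(set)   # account -> IPs that completed a login before

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:  # forget failures outside the window
            q.popleft()
        return len(q)

    def attempt(self, account, ip, now, password_ok, second_factor_ok=False):
        keys = (("ip", ip), ("account", account))
        # Too many recent failures from this source or against this account:
        # demand a captcha before the password is even evaluated.
        if any(self._recent(k, now) >= MAX_FAILURES for k in keys):
            return ["challenge"]
        if not password_ok:
            for k in keys:
                self.failures[k].append(now)
            return ["deny", "notify_owner_failed_login"]
        seen = self.known_ips[account]
        # Correct password from an address this account has never used:
        # alert the owner and hold the session until a second factor is given.
        if seen and ip not in seen and not second_factor_ok:
            return ["require_second_factor", "notify_owner_new_ip"]
        seen.add(ip)  # remembered only after the login fully succeeds
        return ["allow"]

# Constructed sample events: (seconds, account, source IP, password correct?)
OWNER = "owner@example.com"
EVENTS = (
    [(0, OWNER, "198.51.100.7", True)]                               # owner's usual network
    + [(60 + i, OWNER, "203.0.113.50", False) for i in range(6)]     # rapid wrong guesses
    + [(70, OWNER, "203.0.113.50", True),                            # right guess while throttled
       (500, OWNER, "192.0.2.99", True),                             # leaked password, new IP
       (510, OWNER, "198.51.100.7", True)]                           # owner again
)

def replay(events):
    monitor = LoginMonitor()
    return [monitor.attempt(acct, ip, t, ok) for t, acct, ip, ok in events]
```

The per-account counter answers with a challenge rather than a hard lockout, so an attacker hammering the account cannot lock the real owner out.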