Although primarily known for its smart doorbell, Ring also makes home security cameras. While these devices may have helped both solve, and prevent, crime, they have also resulted in crimes being committed.
Reports of hackers gaining unlawful access to Ring products have been widely publicized, which is understandably disconcerting for homeowners. But is there anything that the average person can do about online attacks? We look at the relative safety of Ring devices and how best to protect them from external threats.
How safe are Ring devices?
Ring has been in business for over two decades. During this time it has seen its fair share of controversy. A spate of attacks compromised users’ devices in alarming ways and the company itself was accused of failing to safeguard the data its devices collected.
Smart doorbell
Ring’s original smart video doorbell is still its most popular product more than two decades later. Its key features include two-way audio, video, and motion detection. The devices enable householders to see who’s outside and communicate with them if necessary. The footage recorded by the devices is popular with local law enforcement, but the devices themselves interest hackers.
In 2022, two men in the US were accused of hacking into Ring doorbells and using the devices’ cameras to livestream swatting attacks. According to the Department of Justice, the alleged perpetrators used stolen Yahoo email addresses and passwords to guess the login details for the Ring devices.
Security cameras
Ring security cameras seem like a convenient way to keep an eye on your home (or room) while you’re not in it. Like the doorbells, the cameras have two-way audio, and capture live footage that can be accessed remotely. Unfortunately, until relatively recently, the devices proved to be easy targets for hackers.
In 2019, a hacker took control of a Ring camera located inside an eight-year-old girl’s room, and proceeded to taunt her and “encourage destructive behavior”. The mother of the girl admitted to Action News 5 that she had not set up two-factor authentication for her Ring account. A statement from Ring regarding the incident said that it was “in no way related to a breach or compromise of Ring’s security”.
That same year, a Florida family shared footage of a hacker accessing their Ring camera and taunting them with racial slurs, before turning an alarm on. Ring told the family that the email address and password used to secure their device was the same as one exposed in a data breach and that attackers may have used it to gain access to their Ring account.
In another incident, a couple in Brookhaven, New York, received verbal abuse from a hacker via their Ring camera. In another, a Texan couple were told by hackers to pay a ransom or “get terminated”. There are plenty of other examples with similarly concerning results.
This all culminated in a class action lawsuit being filed in 2020. The lawsuit joined together complaints filed by more than 30 people in 15 families. It alleged that the cyberattacks were less to do with lax consumer security and more to do with Ring’s lack of appropriate controls and flawed software.
Who’s to blame?
In the vast majority of successful attacks on Ring devices, Amazon’s response has blamed consumers for failing to implement appropriate security measures. Many victims had indeed used non-unique passwords, but that isn’t the whole story. To Ring’s credit, none of the above incidents occurred as a result of hackers exploiting a security vulnerability in Ring software or hardware.
In 2019, BuzzFeed News reported that the log-in credentials for 3,672 Ring customers were compromised. The data—which exposed log-in emails, passwords, time zones, and the names people give to specific Ring cameras—appeared to have come from the company’s own databases. However, Ring denied the breach.
More damningly, the Federal Trade Commission filed a civil complaint in 2023 that Ring had “failed to implement standard security measures to protect consumers’ information from two well-known online threats—’credential stuffing’ and ‘brute force’ attacks—despite warnings from employees, outside security researchers and media reports”.
When Ring did introduce additional security measures, they suffered from “sloppy implementation”. The FTC says this resulted in hackers being able to exploit vulnerabilities and access data from “approximately 55,000 U.S. customers”.
Are Ring and other IoT devices safe?
In the rush to bring IoT devices to market, Ring and other manufacturers appeared to view their security almost as an afterthought. Back in 2014, a study by HP Fortify claimed that 70% of the most commonly used Internet of Things (IoT) devices contained “security vulnerabilities”. And things didn’t improve much in the years that followed.
In 2017, tens of millions of devices were affected by the Devil’s Ivy remote access vulnerability, while in 2021 the Name:Wreck vulnerabilities exposed at least a 100 million devices. In 2022, there were 110 million IoT malware attacks. The stats could go on and on.
To limit damage to consumer confidence, the US Government announced its “U.S Cyber Trust Mark” program for smart devices in 2023. Under the scheme, which is voluntary, products meeting specific cybersecurity criteria, such as “strong default passwords, data protection, software updates and incident detection capabilities, will display the ‘U.S. Cyber Trust Mark’ logo”.
How to protect your home security from hackers
Ring’s owner, Amazon, has already signed up to the U.S Cyber Trust Mark initiative, which is expected to commence in late 2024. In the meantime, there’s plenty existing Ring customers can – and should – do to protect their own devices.
Use a strong password
Rather than use password managers or other strategies for managing multiple passwords, many people use the same password across multiple accounts. The problem with this is that if one account is compromised, the stolen password can be used to access all of the other accounts.
Attackers interested in hacking Ring products can buy stolen user credentials for other accounts on the dark web, find out whether those users have Ring products, and then see if the passwords work – a technique known as credential stuffing. Alternatively, they can just try to guess the Ring password using automated software in what is known as a brute force attack.
The take home message here is that you should always use strong, unique passwords to secure your devices. Use our password generator tool if you’re not sure how to make a strong password.
Enable two-factor authentication
Devices where access requires both a password and a PIN (sent via text or email) are far more secure than those that just rely on a password. Two factor authentication (2FA) has always been an option for those with Ring products, but many users didn’t activate it. The result, as some of the above examples demonstrate, was multiple instances of users’ devices being compromised.
In 2020, Amazon made the two-factor verification mandatory for its Ring doorbell. This required users to enter a password and a six-digit code when logging in to view security footage. “This added authentication helps prevent unauthorized users from gaining access to your Ring account, even if they have your username and password,” said Ring President Leila Rouhi at the time.
Control who has access
Ring devices allow users to choose who has access to them. Adding shared users is not ideal, but is far preferable to simply sharing login credentials. Before adding anyone, consider the implications of allowing others access to camera feeds. You can see which Ring devices people have access to in the Control Center. You can also see which user devices are logged into your account. It’s worth periodically checking the Control Center to ensure there’s no unwanted access.
Designate Privacy Zones
The settings in the Ring app allow you to limit the camera’s field of vision. Ring says that “Privacy Zones are designed to allow you to designate an area in your Ring device camera’s field of view as off-limits. You may, for example, cover your neighbor’s apartment door with a Privacy Zone. You can also black out a neighbor’s window.” Users can specify up to two privacy zones, which can only be rectangular. To establish a Privacy Zone, open the Ring app, go to Device Settings> Privacy Settings> Privacy Zones.
Hide your wi-fi network
Routers broadcast the identity of your network by default. The SSID typically contains the name of the broadband supplier, which enables hackers to guess what router is being used. From here, they may be able to use the default login details supplied with the router to access your network.
It’s relatively easy to change the login details of your router. Alternatively, you can just tell it not to broadcast its identifier. Both require you to login in to your router. To do this, type either 192.168.0.1 or 192.168.1.1 in your browser’s address bar and enter the relevant login credentials.
If you plan to use IoT devices in your home, it’s a good idea to secure your wi-fi network. We’ve covered the additional steps you can take elsewhere.
Related: How to secure your home wireless network from hackers