Ring doorbells and cameras have joined the ever-growing list of IoT devices that have been compromised by hackers. According to reports, credentials to 3000 Ring accounts have been compromised, resulting in a number of alarming attacks. In one case, a Ring camera in the bedroom of an eight-year-old girl was accessed by a hacker who told the girl to mess up her room and to call her mother by racial slurs.
This is not an isolated instance. Other users of the device have reported hackers taunting them through the cameras, resulting in a class action lawsuit in California.
Smart home devices – cameras, doorbells, smart speakers, and even appliances like refrigerators, can be hacked and taken over by bad actors.
Ring issued a statement deflecting the blame and saying that their systems were not compromised but that the problem was the result of other systems being compromised.
Excerpt of Official Response from Ring:
Here’s what happened. Malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts.
When people reuse the same username and password on multiple services, it’s possible for malicious actors to gain access to many accounts.
These kinds of attacks are often referred to as “credential stuffing” attacks.
There have been many data breaches in which a user’s account logins (usually an email address) and passwords have been stolen. These credentials may be sold and then used to attempt to access other systems. The credentials from one system are then “stuffed” into another system. Invariably, some users have reused the same password across multiple systems. Given a large enough set of credentials to attempt, credential stuffing attacks find some number of accounts that they can breach.
Ring’s instructions to change passwords and enable two-factor authentication are appropriate, but they don’t tell the full story. First, the response from Ring implies that this is simple user error. In reality, greater levels of security can and should be built into these devices. Second, and perhaps worse, this is not the first security issue we’ve seen with Ring devices.
Previous security failures for Ring doorbells include reports of leaking WiFi credentials and a flaw that allowed users to stay logged into a device even after the device’s password was changed.
These breaches show that use of static credentials is inherently flawed. The Ring breach is not the first example of weak credentials resulting in an IoT hack. The Mirai botnet, which used default passwords to access a variety of IoT devices, is the poster child IoT hacks exploiting weak credentials. Static credentials (usernames and passwords) place undue burden on device users and are increasingly inadequate when advanced authentication technologies, available today, would inherently prevent such hacks.
Building Secure IoT Devices
While password reuse was a root cause of the most recent Ring breaches, this wasn’t just a user error. Had Ring required multi-factor authentication or certificate-based authentication for its devices, these breaches could have been prevented. It is critical that IoT device manufacturers begin taking security seriously and build comprehensive security technologies into their devices.
By using a variety of known, state-of-the-art security protocols and processes, it is possible to develop and build a connected home environment that is safe from cyberattack.
IoT Security Implementations
Devices must include security features that protect the device from attack, protect the integrity of the device, and enable device identity – so that “things” can be authenticated to safely communicate via the Internet using encryption. IoT identity and integrity solutions provide IoT manufacturers with best-of-breed solutions for authenticating and securing connected devices, including:
- Secure Boot. Provides embedded software APIs that ensure software has not been tampered with from the initial “power on” to application execution. It also lets developers securely code sign bootloaders, microkernels, operating systems, application code, and data.
- Device Identity Certificates. Adding digital certificates to devices during manufacturing ensures that devices are authenticated when installed on a network, as well as before communicating with other devices in the network—protecting against counterfeit devices being introduced into the network.
- Embedded Firewalls. By working with real time operating systems (RTOS) and Linux to configure and enforce filtering rules, embedded firewalls prevent communication with unauthorized devices and blocking malicious messages.
- Secure Elements. OEMs and medical device manufacturers should use a secure element, such as a trusted platform module (TPM) compliant secure element, or an embedded secure element for secure key storage. Secure key storage enables secure boot, PKI enrollment using key pairs generated within the secure element, providing very high levels of protection from attacks.
- Secure Remote Updates. It’s important to validate that device firmware has not been modified before installation. Secure remote updates ensure components are not modified and are authenticated modules from the OEM.
IoT Security Requirements
We have moved beyond the introductory days of the IoT to mass deployments. The IoT is no longer an emerging technology, and it needs mature security solutions. It is no longer acceptable to sell and deploy connected devices, from cars to smart doorbells, with weak or nonexistent security. Consumer confidence has been damaged and needs to be restored.
The state of California and the European Union have already enacted legislation requiring greater levels of security for IoT devices, and many other jurisdictions have pending legislation. In addition, industry consortiums and government regulatory bodies, such as the FDA, have begun to define cybersecurity requirements for IoT devices in specific vertical markets.
Security is fast becoming a must-have, not only for market acceptance but also to achieve compliance with emerging legislation in multiple jurisdictions.
Keeping IoT devices and information safeguarded from cyberattack is not simple and will never be perfect. It’s an ongoing battle. Cyber criminals are always improving their methods and developing new, clever attack tactics. However, staying current with cyber security best-practices and using proven security solutions provides a strong foundation for protecting devices from cyberattacks.
About the Author
Alan Grau has 30 years of experience in telecommunications and the embedded software marketplace. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was CTO and co-founder, as well as the architect of Icon Labs’ award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. More info about cybersecurity and protecting the cloud can be found at https://www.sectigo.com