from the another-PR-coup-for-Ring dept

Amazon’s home security tech acquisition, Ring, has become a dominant player in this industry sector. Some of that is due to Amazon’s backing. A lot of this is due to extremely inappropriate relationships with law enforcement, which convert cops to Ring proselytizers whose public statements are subject to review by the company’s PR wing.

Ubiquity is great for Ring’s bottom line. But being everywhere means you’re a prime target for malicious behavior, especially when market expansion is prioritized over securing devices used by millions of customers.

Easily exploited credentials led to horror stories from Ring users. Hackings were livestreamed, with hackers yelling verbal abuse and racist slurs at unsuspecting camera owners. In some cases, cameras in children’s bedrooms were targeted, subjecting kids to abuse shouted by hateful idiots whose oxygen allowance is greatly in need of severe reduction.

Ring responded to its complete lack of security requirements by implementing a few tepid changes to the “do nothing” baseline. While this may have nudged more people towards 2FA by making it the new default, it appears there are plenty of unsecured devices still online, sharing data and recordings with Ring while being attack vectors for malicious hackers.

The latest news for Ring and its internet-of-mostly-unsecured-devices? Becoming the mute witness to SWATtings perpetrated for the amusement of hideous internet denizens. Brian Krebs has more details at his site:

Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then “swatting” them — falsely reporting a violent incident at the target’s address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets’ homes, and to taunt authorities when they arrived.

Prosecutors in Los Angeles allege 20-year-old James Thomas Andrew McCarty, a.k.a. “Aspertaine,” of Charlotte, N.C., and Kya Christian Nelson, a.k.a. “ChumLul,” 22, of Racine, Wisc., conspired to hack into Yahoo email accounts belonging to victims in the United States. From there, the two allegedly would check how many of those Yahoo accounts were associated with Ring accounts, and then target people who used the same password for both accounts.

An indictment unsealed this week says that in the span of just one week in November 2020, McCarty and Nelson identified and swatted at least a dozen different victims across the country.

Note that 12 of these livestreamed attacks took place in November 2020, a full eight months after Ring rolled out new security measures meant to make it more difficult for people to gain access to customers’ cameras. The by-default 2FA only affected new users. And Ring appeared to add nothing that shoved existing users toward better security, meaning there are plenty of exploitable cameras still out there, thanks to Ring’s tireless marketing efforts and extremely tired approach to device security.

Old logins tied to older logins were the attack vector, says the DOJ:

According to the indictment returned Friday afternoon by a federal grand jury in Los Angeles, from November 7, 2020, to November 13, 2020, Nelson and McCarty gained access to home security door cameras sold by Ring LLC, a home security technology company. Nelson and McCarty allegedly acquired without authorization the username and password information for Yahoo email accounts belonging to victims throughout the United States.

Then, they allegedly determined whether the owner of each compromised Yahoo account also had a Ring account using the same email address and password that could control associated internet-connected Ring doorbell camera devices. Using that information, they identified and gathered additional information about their victims, according to the indictment.

Easy enough to do. And even easier to weaponize. It appears the indicted hackers believed they were pretty much untouchable. Not only did they interact with responding law enforcement, their SWATting campaign spanned the nation.

Nelson allegedly accessed without authorization a Ring doorbell camera, located at the residence of the victim’s parents and linked to the victim’s Ring account, and used it to verbally threaten and taunt West Covina Police officers who responded to the reported incident.

The indictment alleges other similar Ring-related swatting incidents occurred in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.

Is this Ring’s fault? No. Not directly. Just because something could be used for nefarious ends doesn’t mean it should be. All culpability for the harms perpetrated in these cases rests with the perpetrators. But if Ring had valued customer security over market expansion earlier, at the very least these horrible human beings would have been deprived of the vicarious thrill of watching their victims be victimized in real time. And that lack of visual thrill might have been enough to reduce the number of attacks, limiting the damage allegedly done by this pair.


Companies: amazon

