Ring made headlines last week when multiple hacks were reported, with some disturbing results. In the wake of the reports, Ring tried to assure users that its network and systems had not been compromised and that the hacks were the result of users reusing passwords from other, compromised services.
Not content with that explanation, the journalists at VICE took it upon themselves to test Ring’s security firsthand. The results were…unfortunate…to say the least.
“Motherboard purchased a Ring camera to test what sort of security protections are in place to stop or slow hackers trying to break into Ring accounts. After setting up an account, the Ring app, and the camera itself, we shared the email address and password to the camera interface with multiple reporters who used both virtual private network software to connect to the camera from IP addresses from all over the world as well as physically being located in other countries.
“We logged into the Ring app and website from the U.S., U.K., Spain, and Singapore, in some cases simultaneously and from various devices and browsers that had never been used to log into the platform before. At no point did Ring trigger any sort of alert, such as an email notification, to check that the IP address the system had never seen did indeed belong to the legitimate camera owner. Gmail, for instance, may email you if it detects a suspicious login attempt from a new location, a new device, or a new browser.
“On a desktop web browser, someone who is logged in is able to watch historical, archived footage. From a smartphone app, someone who is logged in can watch live and historical footage, listen through the camera’s microphone, speak through the camera’s speaker, play an alarm, see the name of the specific Wi-Fi network the camera is connected to, see the address the user originally registered the Ring camera with, see the phone number a user has entered into the app, and see nearby crime ‘incidents.’”
VICE goes on to highlight that Ring provides no way of seeing who is currently logged on to the device, despite allowing multiple people to be logged in simultaneously. The device also provides no log to see who has accessed it in the past. In other words, if a hacker manages to gain access to a Ring device, the owner has absolutely no way of knowing—other than obsessively monitoring the little blue light on the front of the camera. Even then, that only indicates someone is live-streaming the camera feed at that exact moment.
The bottom line is that Ring provides a deplorable level of security for a device whose sole purpose is to increase security.