Much has been written about the security of Amazon’s Ring Cameras. I still maintain that most of the issues people are discovering with the company’s security all require an attacker to know your user name and password—something you can help prevent by using a strong, unique password for your account. But don’t stop there.
Vice’s Motherboard is right to take the company’s lax security practices to task in its latest investigative piece, which discusses how Ring does nothing to inform you when someone is trying to (or has successfully) logged into your account. For example, you get no warning when someone logs into your account using an IP address that was never previously used to log into your account—and that person, in turn, isn’t challenged to provide an additional way to verify they are you. There’s also no way to see how many people are logged into your account at any time, nor a list of all the IP addresses that have successfully logged into your account.
In fact, Ring doesn’t seem to do very much to prevent the very brute-force attacks that hackers are using to break into Ring accounts (using previously leaked credentials). As Motherboard describes:
“Ring hackers’ software works by rapidly checking if an email address and password on the Ring web login portal works; hackers will typically use a list of already compromised combinations from other services. If someone makes too many incorrect requests to login, many online services will stop them temporarily from doing so, mark their IP address as suspicious, or present a captcha to check that the user trying to login is a human rather than an automated program. Ring appears to have minimal protections in place for this though. Motherboard deliberately entered the wrong password to our account on the login portal while connecting from the Tor anonymity network dozens of times in quick succession. At no point did Ring try to limit our login attempts or present a captcha.”
The good news? You can still sort-of secure your Ring account, but you’ll need to take an extra step to thwart anyone who has already logged in and is watching you read this right now.
Securing your Ring account is easy, but nuanced
As Mozilla writes, the best way to keep attackers out of your Ring account is to enable two-factor authentication. And doing so is easy. You just need to open up the Ring app on your iOS, iPadOS, or Android device, pull up your Account settings via the upper-left icon (the three-line menu figure), and look for “Two-Factor Authentication” under “enhance security.”
Turn it on, enter your password, provide Ring a mobile number that it can use to send you a verification code, and enter that code when prompted.
Since Ring is only texting you codes whenever you, or someone else, tries to access your Ring cameras from a new device, this “two-step” authentication technique is slightly less secure than a proper “two-factor” authentication setup. (It’s a subtle difference for an average user, but important to know.)
Here’s the kicker, though: Turning on Ring’s two-factor authentication (to use its terminology) doesn’t boot anyone out of your account who is already logged in. This is a strange but important distinction: You’ll be making your account more secure for the future, but not the present.
The only way to log off everyone who can access your account, as of when we wrote this article, is to change your password. Do that after you’ve set up two-factor authentication, and your Ring account will be as secure as it can get.
Since you won’t receive any notifications if someone has your login credentials and tries to log in as you, only to fail the two-step authentication, you’ll have to trust that said attacker also hasn’t found a way to intercept your messages.
And this is where Vice’s reporting hits it square on the head: Since Ring is providing the barest minimum of information to its users, you’ll really have no way of knowing whether someone has managed to get your account credentials and bypass your two-factor authentication. While the odds are incredibly low that a random attacker will be able to do that, the odds should be zero. There’s no reason why Ring shouldn’t be able to tell you when someone attempts to sign in as you, so you can then change your password or secure your authentication method.
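To make the missing protections concrete, here is an added example (not Ring’s code, nor anything Motherboard or Mozilla published) of a small login model that does what the article says Ring did not: throttles repeated bad passwords per IP, alerts the owner on failures and on logins from an unseen address, only asks for the second-step code on a new device, and revokes existing sessions on a password change but not when two-factor is switched on. The lockout threshold, cooldown and all account data are assumptions constructed for the demonstration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field

MAX_FAILURES = 5        # assumed policy: lock an IP out of an account after 5 bad passwords
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute cooldown before that IP may retry

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    two_factor: bool = False
    known_ips: set = field(default_factory=set)    # devices/IPs that have logged in before
    sessions: dict = field(default_factory=dict)   # session token -> IP (listable, revocable)
    failures: dict = field(default_factory=dict)   # IP -> (bad attempts, time of last one)
    alerts: list = field(default_factory=list)     # what the owner would be notified about

def new_account(password):
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt))

def attempt_login(acct, ip, password, otp_ok=True, now=None):
    # Returns (success, detail). Throttles per IP; alerts on failures and on new IPs.
    now = time.time() if now is None else now
    count, last = acct.failures.get(ip, (0, 0.0))
    if count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS:
        return False, "throttled"                   # credential stuffing hits this wall
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures[ip] = (count + 1, now)
        acct.alerts.append(f"failed login from {ip}")
        return False, "bad-password"
    if ip not in acct.known_ips:                    # second-step code only on unseen devices
        acct.alerts.append(f"login from new IP {ip}")
        if acct.two_factor and not otp_ok:
            acct.alerts.append(f"2FA code rejected from {ip}")
            return False, "bad-otp"
    acct.failures.pop(ip, None)
    acct.known_ips.add(ip)
    token = secrets.token_hex(16)
    acct.sessions[token] = ip
    return True, token

def enable_two_factor(acct):
    acct.two_factor = True     # existing sessions deliberately survive, as the article describes

def change_password(acct, new_password):
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.sessions.clear()      # the step that actually logs everyone else out
```

`acct.sessions` doubles as the “who is logged in right now” list the article says Ring does not expose, and `acct.alerts` is the notification trail an owner would need to notice a bypass attempt.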