"Ring does not alert users of attempted log-in from an unknown IP address, or tell users how many others are logged into an account at one time. Because of this, there is no obvious way to know whether any bad actors have logged into people’s compromised Ring accounts without their consent."
I can understand not having 2FA turned on by default, but a bare minimum for this kind of service would be to alert users when someone successfully logs in from a new device.
My home security system, which is really... uh... crappy... manages to do this (provides both 2-factor and lets you know when someone logs in or changes the alarm state).
I've recently had a similar problem with Spotify. My account was stolen. In part because I did not have 2FA turned on... because the app doesn't offer it for some reason. And, in part, because whoever logged into my account from a different IP and device supposedly didn't trip any of their security measures. So I was never even told that someone took hold of my account until I tried to get on.
It's baffling to me that any popular app wouldn't have 2FA (or any app, for that matter.)
Same thing happened to me... I just noticed one day that my recent music was a bit odd, completely different to what I usually listen to. I changed my password, but 2FA should be a given at this stage.
I'd argue, in 2019, every app/service that requires a login should offer a 2FA option to add an additional layer of security - the person logging in most likely is the owner of the 2FA device.
If it involves money (paid service, even if the hijacker never gets access to your actual card data and can't make any payments) or private data (name, address, etc.) then it really should.
I agree for the most part about the money part. I would still want the option for them to not allow me to upgrade plans without re-entering my credit card info. But with regards to personal information, that is almost everything I log into. And those companies share your personal info anyway, so it just gives you a false sense of privacy/security.
> it just gives you a false sense of privacy/security
No more than the password already does. 2FA isn't supposed to protect you from the company you already gave the data to. And it's not really for the "privacy" of that personal data but for securing it.
Due to the overwhelmingly high amount of attempted fraud in grey/black market VoIP stuff, it's pretty common for wholesale SIP trunking providers to now alert the account owner whenever the web account control panel is logged into from a new, unknown ISP and/or useragent.
These “boutique” SIP providers (as I call them: Telnyx, Voipo, VoIP.ms, etc.) could really learn from their larger telecom counterparts by allowing users to whitelist what IP ranges users can even authenticate from. Heck, even Linode offers this.
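The two controls described in the comments above, alerting on a login from a new ISP/user-agent pair and refusing logins from outside an allowlisted IP range, sketched as an added Python example (not code from the thread or from any provider); the accounts, addresses and ASN labels are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed login events for illustration (user, source IP, ISP/ASN label, user agent);
# none of these values come from the article or the thread.
EVENTS = [
    ("alice", "203.0.113.10", "AS64500 ExampleISP", "RingApp/3.2 (Android)"),
    ("alice", "203.0.113.44", "AS64500 ExampleISP", "RingApp/3.2 (Android)"),    # same ISP + UA: quiet
    ("alice", "198.51.100.7", "AS64501 OtherNet",   "RingApp/3.2 (Android)"),    # new ISP
    ("alice", "203.0.113.10", "AS64500 ExampleISP", "Mozilla/5.0 (X11; Linux)"),  # new user agent
]


class LoginMonitor:
    """Remembers which (ISP, user agent) pairs each account has logged in with and
    flags the first sighting of a new pair; optionally enforces a per-account
    allowlist of source networks before the login is even considered."""

    def __init__(self, allowlists=None):
        self.seen = defaultdict(set)
        self.allowlists = {
            user: [ipaddress.ip_network(n) for n in nets]
            for user, nets in (allowlists or {}).items()
        }

    def allowed(self, user, ip):
        nets = self.allowlists.get(user)
        if not nets:                      # no allowlist configured: any source may try
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def process(self, user, ip, isp, user_agent):
        """Findings for one otherwise-successful login:
        'blocked'     - source outside the account's allowlist, login refused
        'first_login' - account has no history yet, record it without alerting
        'new_device'  - first login from this ISP/user-agent pair, notify the owner
        []            - already-known pair, nothing to do"""
        if not self.allowed(user, ip):
            return ["blocked"]
        key = (isp, user_agent)
        if user not in self.seen:
            self.seen[user].add(key)
            return ["first_login"]
        if key in self.seen[user]:
            return []
        self.seen[user].add(key)
        return ["new_device"]


def run(events, allowlists=None):
    """Feed events through one monitor; returns [(user, ip, findings), ...]."""
    monitor = LoginMonitor(allowlists)
    return [(user, ip, monitor.process(user, ip, isp, ua)) for user, ip, isp, ua in events]


if __name__ == "__main__":
    for user, ip, findings in run(EVENTS, {"alice": ["203.0.113.0/24"]}):
        print(user, ip, findings or "ok")
```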
Correct, though the commenter above and I were referring specifically to user interfaces where sensitive accounting details are stored and configured and would allow access to privileged systems and user controls.
Good! It’s been a long while since I’ve managed any clients using Vitelity trunks, but I recall having a generally positive experience; glad to hear they still run a good ship and have at least this mechanism.
Typically you have your own IP PBX such as an Asterisk system which lives in one place on static v4/v6 IPs, and it connects to your upstream SIP trunk. Your own clients such as Zoiper on Android connect to that.
I thought about using Asterisk or something, but does that add noticeable latency when connecting remotely? Right now I connect directly to my SIP provider on the go via an Android SIP client, whereas running my own PBX would add another hop, and I was concerned how much this impacts latency.
I'll open myself up for correction on the matter, but it's been my experience that these days Asterisk is more useful as, and often more commonly deployed as, a feature server (hunt-groups, ring-groups, call trees, etc.), at least for a broad majority of use cases where SIP is even a part of the conversation. Personally I'd not recommend one try rolling their own Ast-based phone system for production/enterprise unless you just really want to and have literally no other projects to deliver back to the org.
Otherwise, what you're doing is perfectly fine and well enough: connect to your SIP trunk via credentials using a local client and you've more or less got a working, accessible phone number. Unless you truly have a need for Asterisk features, don't bother.
I happen to know first hand of a "voice company" that has a pretty sizeable footprint in the travel/hospitality industry making several million dollars a year and one of their products amounts to nothing more than configuring IVRs and charging through the nose to host them using what is (in my opinion alone) a thoroughly overly-complicated Asterisk infrastructure and similarly overly-complicated dial plans.
Tin foil hat theory: They purposely don't show you this stuff because their security is garbage and it'd alert too many people of their shortcomings and negligence.
Well, if we want to tin foil hat theory it, then it's because the device can't differentiate between user access, police access and other hacker access.
Even if it was the official article title, "Data Leak" is extremely misleading; the attack is called credential stuffing and is unrelated to any sort of breach on Ring's end.
Edit: finished reading the article, and the entire text is just as misleading as the title; credential stuffing happens all the time and really isn't newsworthy.
> credential stuffing happens all the time and really isn't newsworthy.
If a bad thing happens all the time and people are unaware of it, calling attention to it is entirely newsworthy.
To you, as a jaded security person who understands that there are systemic risks to any network-connected service and nobody is good at defending against them, perhaps it's perfectly normal. To a customer who is making the decision between buying a network-connected doorbell for their security and buying a perfectly normal offline doorbell, the fact that credential stuffing happens all the time is a thing they need to hear about!
(Also, there are straightforward ways to resist these attacks, such as "You must use 2FA," "You can only pair a new device with your Ring account while it's in physical proximity to your Ring device," "You must use either 2FA or physical proximity," "The app will generate a password for you and won't let you use an existing one, feel free to write it down on a piece of paper," etc. A home security system should be more paranoid than a politics forum or a meme generator at keeping accounts secure.)
Under that justification, it would require at a bare minimum giving the reader the proper context, e.g., "similar non-breach threats exist for a large number of common online services, such as [list examples the reader is likely to know]".
Sure, but also, my impression is that similar threats do not exist for e.g. Google (because of heuristics on login attempts, scans on the backend for breached passwords, aggressive and un-silenceable notifications about new logins, a well-staffed security team, etc.). So an accurate statement is that most online services that do not specifically invest in account security are vulnerable.
Then customers can decide whether they want an internet-connected home security system from a company that doesn't invest heavily in account security.
If we read the same article, we’d have been agreeing that it said it was unlikely to be credential stuffing.
> Security experts told BuzzFeed News that the format of the leaked data — which includes username, password, camera name, and time zone in a standardized format — suggests it was taken from a company database. They said data obtained via credential stuffing — when previously-compromised emails and passwords are used to get access to other accounts — would likely not display Ring-specific data like camera names or time zone.
> “One could argue that the person maybe got these through credential stuffing,” Cooper Quintin, a security researcher and senior staff technologist at the Electronic Frontier Foundation, told BuzzFeed News. “But if that was the case, why did that person go through and add the information about names of camera and time zones?”
All of that information is extremely common when it comes to aggregated information sold/shared for credential stuffing, there's nothing that sticks out as odd or out of place in any of this. It can all be pulled through scripts, there's no extra effort needed.
If they were going to sell the information, and the credentials really allowed to remotely access the cameras, then accessing 'camera=BEDROOM' at 11PM Friday local time may provide more entertainment value than 'camera=GARAGE'? :)
The rhetoric surrounding Ring has reached a fever pitch. Seems like we get a new article or two every day about Ring, and the quality varies wildly. It's hard to know what to take seriously and what is just media preying on people's fears.
After reading the article, it's pretty clear that it was credential stuffing and that the writer didn't take the time to understand how it worked. Not sure what security experts they talked to, but credential stuffing absolutely can get all the information described, and the whole part about wifi connected devices is completely unrelated.
I'm not making any guesses what actually happened.
Just stating that you misrepresented what the article actually said when you wrote "the attack is called credential stuffing". Your sentence gives the impression that the article would have said it, but the article made a point for the opposite.
The Amazon spokesperson directly said it was credential stuffing--the article was trying to argue that it was more than that in an extremely misleading way.
You may be totally right and it was credential stuffing and the article may have been wrong, misleading, incompetent and stupid.
Nonetheless, you misrepresented what the article actually said -- the article raised both the possibility of credential stuffing (implied by the Amazon spokesperson) and doubt about it (unspecified security expert, WiFi attacks).
Yes they are different, and you did both: called it out for being misleading, and simultaneously misrepresented what it actually said (I've already detailed the reasons above, and others have quoted them verbatim to you).
The best before date of this conversation has clearly expired, so let's just stop here.
His take is a result of him trying not to completely let go of the story he's already decided is significant. There is no story. There isn't really a great way to defend against credential stuffing attacks when the adversary has access to a huge residential proxy network and you don't want to greatly inconvenience your users. All major US banks are pretty vulnerable to credential stuffing attacks. If banks aren't going to defend against it, Ring isn't.
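An added Python illustration of the point above about residential proxy networks (not code from the thread or from Ring; the log lines and their format are constructed): a per-source failure threshold stays silent because no IP makes more than two attempts, while counting distinct accounts attempted per minute surfaces the burst and lists the accounts whose reused password worked, i.e. the ones to force-reset and notify.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed auth-log excerpt (invented format, not from the article): one minute in
# which eight different accounts are tried from seven different IPs, no IP more than twice.
LOG = """\
2019-12-19T02:12:30Z auth=OK   user=alice ip=203.0.113.10
2019-12-19T02:13:01Z auth=FAIL user=u01 ip=198.51.100.11
2019-12-19T02:13:02Z auth=FAIL user=u02 ip=198.51.100.12
2019-12-19T02:13:03Z auth=FAIL user=u03 ip=198.51.100.13
2019-12-19T02:13:04Z auth=OK   user=u04 ip=198.51.100.14
2019-12-19T02:13:05Z auth=FAIL user=u05 ip=198.51.100.15
2019-12-19T02:13:06Z auth=FAIL user=u06 ip=198.51.100.11
2019-12-19T02:13:07Z auth=FAIL user=u07 ip=198.51.100.16
2019-12-19T02:13:08Z auth=OK   user=u08 ip=198.51.100.17
2019-12-19T02:20:00Z auth=FAIL user=alice ip=203.0.113.10
"""

LINE = re.compile(r"^(?P<ts>\S+) auth=(?P<res>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse(log):
    """Return a list of (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m["res"], m["user"], m["ip"]))
    return events

def per_ip_failures(events, threshold=5):
    """Classic brute-force rule: IPs with >= threshold failed logins. Returns the flagged IPs."""
    fails = Counter(ip for _, res, _, ip in events if res == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def stuffing_buckets(events, bucket_seconds=60, min_accounts=5):
    """Aggregate across sources instead: fixed-size time buckets in which many distinct
    accounts were attempted. Returns [(bucket_start, distinct_accounts, distinct_ips,
    accounts_that_logged_in_ok)]; the last field is the list to force a reset on."""
    buckets = defaultdict(lambda: {"users": set(), "ips": set(), "ok": set()})
    for ts, res, user, ip in events:
        b = buckets[int(ts.timestamp()) // bucket_seconds]
        b["users"].add(user)
        b["ips"].add(ip)
        if res == "OK":
            b["ok"].add(user)
    out = []
    for key in sorted(buckets):
        b = buckets[key]
        if len(b["users"]) >= min_accounts:
            start = datetime.fromtimestamp(key * bucket_seconds, tz=timezone.utc)
            out.append((start.strftime("%Y-%m-%dT%H:%M:%SZ"), len(b["users"]), len(b["ips"]), sorted(b["ok"])))
    return out
```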
The article implied he wasn't the only one they talked with. There isn't anything he said that was explicitly incorrect (unlike some of the other unnamed security researchers), but he must not have much experience with credential stuffing incidents given his responses.
Would you say that a thousand houses "leaked their owner's data" (presence information) if someone went by ten thousand specific homes and rang their doorbells to test if someone is home based on information they got from a third party?
I would say there is a substantial difference between compiling a list of valid Ring credentials by trial and error based on data you already have from another party ("credential stuffing") and Ring disclosing the credentials either on purpose or through a hack ("leaking data" / "data breach").
Note that another comment calls into question whether this really was credential stuffing, but that's not what I mean to comment on.
>Would you say that a thousand houses "leaked their owner's data" (presence information) if someone went by ten thousand specific homes and rang their doorbells to test if someone is home based on information they got from a third party?
That's not what the headline says, and that's not what TFA says. Someone "leaked" a list of valid credentials to Ring accounts. A better analogy would be if someone collected ten thousand keys they found around the city, tried them on every lock they came across, and then created a map showing which keys worked on which locks. And provided an infinitely-copyable keyring to go along with the map.
Ring says they're not responsible for the data being out there, and that's probably true. But the data is out there, and that's a problem for the people on the list.
It's fascinating how Ring's business model benefits from local crime prevalence, which in turn might lead people to invest in home security.
It is also fascinating how media companies are likely to pounce on the slightest of flaws (some malignant, and some innocuous) with either Nest or Ring, since it feeds on people's sense of security/safety again, and thus is likely to lead to more clicks.
That's an interesting point. The whole Ring ecosystem is kinda boosted by Amazon's other business too: leaving boxes on people's front porches to be stolen. Amazon really knows how to grow a circular ecosystem, huh?
A friend of mine recently made the excellent point that Ring also provides Amazon with surveillance footage of their own delivery service employees. Synergy!
> It is also fascinating how media companies are likely to pounce on the slightest of flaws
I wouldn't characterize these flaws as slight. But I'm biased... I used to work in the security space, and I know culturally the typical engineer is less concerned, and non-technical people in the technology sector are fully deferential to product orgs in that respect.
Not referenced in this article, but something I've been thinking about while reading about the security kerfuffle: why are people putting cameras in their kids' rooms?
I get the exterior, but why are they spying on their kids? I can't think of a security reason for it, it's just super controlling and creepy.
That doesn’t really answer the question. If technology allows unlimited monitoring of your children where would you draw the line? Do you want to raise people who accept constant surveillance as a fact of life? They’re home, give them their own space.
If it's just a baby then I'd want to keep an eye on them so they don't fall off the bed. The door would be closed to reduce the noise. That said, I never did it... just thinking.
When they are older then I don't have a good reason.
“You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.”
"I just ran these in a script I wrote to process them through HaveIBeenPwned in bulk. Every single email except ~20 was already compromised. These Ring dumps going around (+Buzzfeed prob) are highly likely password reuse; not evidence to suggest internal DB"
If you hold sensitive customer data, you should idiot-proof your security, even if you can't help the better idiots. It's silly to even call these users idiots, when the service could implement several features to make them safer--whether or not they are idiots is totally beside the point. They're customers.
I'm curious if Ring operates a different security engineering team than the rest of Amazon. Because Amazon.com or AWS would not get hacked; not like this.
Maybe it's because literally every password protected service is vulnerable to users reusing passwords on other insecure sites.
It would be like a website writing an exposé on how Ford trucks are killing hundreds of drivers and expecting a response from Ford, but when you read the details it's because users are driving their trucks into brick walls, something that literally every car on the market is susceptible to.
Ring doesn't seem to implement basic mitigations like warning users when there's been a login from a new device.
"Ring does not alert users of attempted log-in from an unknown IP address, or tell users how many others are logged into an account at one time. Because of this, there is no obvious way to know whether any bad actors have logged into people’s compromised Ring accounts without their consent."
“An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.”
If it's stored in the Cloud, then it ain't private.
The Neighbors app is filled with posts about "suspicious" people walking down the street. People are very much using these devices to surveil their neighborhood.
I didn't say no one is using it to surveil their neighborhood. I said most people aren't. What percentage of Ring users do you think are posting in the Neighbors app?