
Amazon's Ring Mandates Two-Factor Authentication

Company's Action Follows Similar Move by Google Nest

Amazon's Ring is mandating the use of two-factor authentication for all users, a move designed to help stop creepy takeovers of the web-connected home security cameras.


The move follows a Google announcement last week that it plans to require users of its Nest line of cameras to use two-step verification in the coming months.

The popularity of web-connected cameras has surged for such purposes as baby monitoring and seeing who’s at the front door. But it has also highlighted longstanding weaknesses in password security.

Ring users have had the option to use two-factor authentication, but now it will be mandatory, writes Ring President Leila Rouhi in a blog post. When a user logs into their Ring account, Ring will send a six-digit code either by email or SMS, she writes.

This, of course, isn’t necessarily the best way to implement two-step verification. The National Institute of Standards and Technology has long recommended that service providers not send two-step codes over SMS. That’s because of SIM hijacking, where a phone number is stolen and transferred to another SIM card, allowing an attacker to intercept the code.

Sending a code via email could be risky as well. If a user's Ring credentials have been compromised, their email account could be at risk if they’ve reused the same password.

Still, security experts generally agree that using some form of two-step verification is better than nothing. And Ring plans to add other options for receiving the code, The Verge reports.

Camera Takeovers

The move to two-factor authentication is important given the prevalence of “credential stuffing” attacks.

Enormous batches of stolen login credentials are circulating on the internet as a result of various data breaches. Credential stuffing is the practice of replaying large sets of credentials against a service provider to attempt to unlock accounts.

Service providers have various defenses against credential stuffing, such as limiting the number of erroneous logins, looking at the location of IP addresses and monitoring other metrics, such as how fast credentials are entered. But successful attacks, particularly against web-based cameras, have generated alarming concerns.
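The three signals named above (failed-login volume, many distinct usernames from one source, and a super-human attempt rate) can be applied to an authentication log. The following is an added example, not code from Ring or from the article; the log events are constructed and the thresholds are illustrative assumptions:

```python
# Added example: a minimal credential-stuffing detector over a constructed
# authentication log. It scores each source IP on the three signals the
# article lists; the thresholds are assumptions chosen for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, source_ip, username, outcome).
# 203.0.113.7 replays one password across many accounts and gets one hit;
# 198.51.100.2 is a single user mistyping once and then succeeding.
SAMPLE_EVENTS = [
    ("2020-02-18T10:00:00", "203.0.113.7", "alice", "fail"),
    ("2020-02-18T10:00:01", "203.0.113.7", "bob", "fail"),
    ("2020-02-18T10:00:01", "203.0.113.7", "carol", "fail"),
    ("2020-02-18T10:00:02", "203.0.113.7", "dave", "success"),
    ("2020-02-18T10:00:03", "203.0.113.7", "erin", "fail"),
    ("2020-02-18T10:00:04", "203.0.113.7", "frank", "fail"),
    ("2020-02-18T10:05:00", "198.51.100.2", "alice", "fail"),
    ("2020-02-18T10:05:30", "198.51.100.2", "alice", "success"),
]

def detect_credential_stuffing(events, max_failures=5, max_users=3,
                               min_seconds_per_attempt=1.0):
    """Return {source_ip: [reasons]} for sources that look like stuffing."""
    per_ip = defaultdict(lambda: {"fails": 0, "users": set(), "times": []})
    for ts, ip, user, outcome in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["times"].append(datetime.fromisoformat(ts))
        if outcome == "fail":
            stats["fails"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        reasons = []
        if stats["fails"] >= max_failures:
            reasons.append(f"{stats['fails']} failed logins")
        # Many usernames from one source is the stuffing signature; a single
        # user forgetting a password touches one account, not dozens.
        if len(stats["users"]) >= max_users:
            reasons.append(f"{len(stats['users'])} distinct usernames")
        if len(stats["times"]) > 1:
            span = (max(stats["times"]) - min(stats["times"])).total_seconds()
            seconds_per_attempt = span / (len(stats["times"]) - 1)
            if seconds_per_attempt < min_seconds_per_attempt:
                reasons.append(f"{seconds_per_attempt:.2f}s between attempts")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Note that the one successful login for "dave" sits inside the flagged burst: a failure-count limit alone would not undo that takeover, which is why a flagged source should trigger a second-factor challenge and a user alert rather than only a lockout.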

In December 2018, NBC News reported about a family in Houston who heard a man’s voice coming through a Nest camera in their infant son’s bedroom. The voice said: “I’m going to kidnap your baby. I’m in your baby’s room.”

Vice’s Motherboard uncovered a group that ran a live podcast on the chat service Discord. It featured 45 minutes of people taking over victims’ cameras and harassing the owners.

The practice was referred to as Ring rolling, which is a nod to Rick rolling, where people get baited into viewing something online but end up watching the video for singer Rick Astley’s “Never Gonna Give You Up.”

Motherboard subsequently dug deeper into Ring’s security, asserting that Ring lacked basic security features, such as monitoring the location of where someone logs in or letting users know when more than one person is logged into an account.

Other Security Moves

Ring is making other moves to improve its privacy and security settings.

On Jan. 30, it launched a Control Center dashboard to manage those settings. Users can see if they have two-factor authentication enabled, what devices are connected to their accounts and what third-party services have access. They also have the ability to control notifications that are sent when police are seeking footage.


Rouhi writes that Ring uses third-party service providers for features such as product support, delivering Ring offers and discounts and other alerts, such as for a low battery. It has also used third-party analytics tools, including Google Analytics, Mixpanel, HotJar and Optimizely, according to a list that dates from May 2018.

But Rouhi writes that Ring is “immediately pausing” the use of most of those third-party analytics services within Ring apps and its website.

“In early spring, we will provide you with additional options to limit sharing information with third-party service providers,” she writes.

In late January, the Electronic Frontier Foundation wrote about its investigation into the Ring doorbell app for Android. It wrote that it had “found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information.”

The foundation contends that Ring does this without “meaningful notification” to users, putting the privacy of those users at risk.

“The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” writes Bill Budington, a senior staff technologist at the foundation. “This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it.”

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
