Ring’s Services Have Not Been Compromised

You may have recently seen reports that Ring services have been compromised, and we want to let you all know that we have investigated this incident and have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network. Customer trust is important to us and we take the security of our devices extremely seriously. Follow this link to read all you need to know about this.

1 Like

Have you determined how this happened? So we can update or change what ever settings are necessary for our devices?

Thanks

1 Like

News reports MULTIPLE hacks… you say you’ve investigated one incident… which one, and what about the other reports?

I tried to include a link from Good Morning America… but since the article title included a forbidden r word, you would not let me post it… Pretending that it doesn’t exist is little more than the illusion of safety…

4 Likes

My Ring was hacked. The hackers used a brute force attack, then ran ring.config to cause my Ring to alarm. I have video and audio proof. Ring will probably delete this post. Going to sell all my Ring products. Just can’t purchase from a company that does not take responsibility for their actions. You failed, Ring.

2 Likes

It is always a tragedy when people are interfered with in their daily lives, regardless of whether it be through internet accounts, credit card theft, or even social media. I have personally had both personal and business credit cards falsified, and was a victim of the Yahoo penetration as well as other sites that were breached with various methods. Cameras and security systems that are not part of a closed loop can and do have the opportunity for breaches as well. Whether you are “brute force attacked” or your credentials were bought through some dark web circumstance, both companies offering services as well as consumers using those services have a responsibility for security. Ring has done a great job as far as I can tell with making services available to be as painless as possible for the consumer. That in itself has a risk. For us consumers, we must use good security practices such as separate user IDs and passwords (for each critical service we have) so that if someone breaches a service somewhere else and now has that handy user ID and password for dozens of websites, your impact is minimized. Use two factor authentication. Text or email codes at least give you the chance to say “what’s up”. There are other ways as well, such as secure code generators that create “one time codes”, as well as many others. I would also recommend that, as Ring has stated in recent announcements, they continue to implement more secure interfaces and systems. Having a visible inventory of connected devices - similar to Apple iCloud, Roku, and others - would be a good way for consumers to see what is connected to their accounts. Add notifications of when a new device or unknown login occurs or is attempted, add a lockout after so many attempts (brute force attacks) - all of these relatively simple industry standard security safeguards are relatively easy to implement.
I am quite sure Ring is very interested in keeping consumers secure and continuing to make their services as easy for the consumer as reasonable. We as consumers - let’s take our responsibility seriously too. Ring - please place the additional security improvements on top of the development list.

3 Likes
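The two safeguards suggested in the post above (a lockout after repeated failed logins and a notification when a new device signs in), as an added example that is not part of the original thread and is not Ring's code. The class name, thresholds, account and device names are all assumptions made for illustration, and the sample logins are constructed.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for illustration; the thread names no thresholds.
MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 300, 900

class LoginGuard:
    """Per-account failed-login lockout plus new-device notification."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)     # account -> recent failure times
        self.locked_until = {}                 # account -> time the lock expires
        self.known_devices = defaultdict(set)  # account -> device ids seen so far
        self.notifications = []                # stand-in for e-mail/push delivery

    def attempt(self, account, device_id, password_ok):
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"  # refused even if the password is right
        if not password_ok:
            recent = self.failures[account]
            recent.append(now)
            while recent and recent[0] <= now - WINDOW_SECONDS:
                recent.popleft()  # forget failures outside the sliding window
            if len(recent) >= MAX_FAILURES:
                self.locked_until[account] = now + LOCKOUT_SECONDS
                recent.clear()
                self.notifications.append((account, "lockout", device_id))
                return "locked"
            return "denied"
        self.failures[account].clear()
        seen = self.known_devices[account]
        if device_id not in seen:
            if seen:  # the first device is enrollment, not an alert
                self.notifications.append((account, "new_device", device_id))
            seen.add(device_id)
        return "ok"

def run_constructed_scenario():
    """Constructed input: one enrolled phone, five bad guesses, a new laptop."""
    t = [1000.0]  # fake clock so the run is deterministic
    guard = LoginGuard(clock=lambda: t[0])
    results = [guard.attempt("alice", "phone-1", True)]
    for _ in range(MAX_FAILURES):
        t[0] += 1
        results.append(guard.attempt("alice", "unknown-host", False))
    results.append(guard.attempt("alice", "phone-1", True))  # still locked
    t[0] += LOCKOUT_SECONDS + 1
    results.append(guard.attempt("alice", "laptop-2", True))
    return results, guard.notifications
```

A per-account lockout does nothing against a login that succeeds on the first try with a reused password, which is why the new-device alert and two-factor authentication are still needed alongside it.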

Hi @Ex2000 , we’re sorry you had this experience - please send us an email at community@ring.com so we can connect ASAP. We look forward to helping you as soon as possible.

Really, the only thing Ring could do here is require two-factor authentication. That would negate to a large extent weak passwords, stolen passwords, reused passwords, and brute force attacks.

So if Ring is to be faulted here, it is for not having big red letters telling the customer they are a fool if they do not enable 2FA, or requiring it.

Let’s be real here, most customers are clueless about this stuff, so just passively having the 2FA option is really not enough when you are offering security devices. Ring really should make it hard to not use 2FA.

3 Likes

The advice is all good until you get to step 5.

5. Regularly Update Your Passwords: It’s good practice to update your passwords every three to six months. Click here to learn how to change your password to your Ring account.

As a cyber security professional, I’ll point any user to NIST guidance regarding that. From: https://pages.nist.gov/800-63-FAQ/#q-b05

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.

Vendors are doing their users a disservice when they recommend continuing this outdated practice. I’m with others here: turn 2FA on by default, and then make it clear to a user the risk they are taking if they opt out.

1 Like

@Ex2000 wrote:
My Ring was hacked. The hackers used a brute force attack, then ran ring.config to cause my Ring to alarm. I have video and audio proof. Ring will probably delete this post. Going to sell all my Ring products. Just can’t purchase from a company that does not take responsibility for their actions. You failed, Ring.

And you will attest that you had a strong password that was unique to the Ring service, and also had 2FA enabled?

3 Likes

Security is a two way street and end users have an obligation to do what is necessary to mitigate hacker intrusions and successful hacks. Understand best practices and implement them to secure your system. If end users don’t do what is needed to prevent intrusions then nothing Ring, or any other provider, does will make a difference. Take security seriously. Do your part!

disclaimer: I do not work for Ring or their partners. I do work for a large IT company that has rigorous security protocols and rules.

1 Like

Looks like Ring just added a new security feature. I just logged in from a new machine and got an email message stating my account was accessed from a new machine. That is a step in the right direction.

My Ring has been hacked— my service is nearly impossible to log into! I’ve changed my password, gone to a two factor log in, and it takes three tries. A neighbor of mine was violently attacked yesterday and her baby was murdered, but yet I have NO NEW INCIDENTS!
I contacted support two days ago, and NADA! This service now pretends to proffer some awareness. Yeah, right!

My video doorbell has been hacked. Porch thieves were able to hack into the doorbell and erase the video of them stealing the package. They didn’t delete the video, which I am sure that they would have preferred to do. They just somehow blanked it out so I have 30 seconds of a black screen and no sound. A motion activated video shows the FedEx package being delivered 10 minutes before the blacked out video (1:37 pm). At 1:47, 10 minutes after the package was delivered, I have the 30 sec blacked out video. The next motion activated video was at 2:16 pm, about 30 minutes after the blacked out video, and it shows me getting the mail, and there is no package on the porch. Somehow they were able to hack the system and get far enough into the system to black out the video. The only blacked out video I have ever had with Ring in the 12 months that I have had it is this one occurrence, exactly when the package was being stolen.

My WiFi has a complex password and WPA2 authentication with a full firewall, so there is not much more I can do from this end.

I called customer service. They looked into it and verified what I described above, then after about 20 minutes on hold, they came back and said that what they were seeing was impossible so they blew me off.

At this point, I can’t trust Ring for anything dealing with security.