He was on his way home from the shops when he got the call. After a weekend out of town, John’s kids were finally asleep in his home, in the US city of Houston, Texas. His wife, too, had been getting ready for bed – until she heard a stranger’s voice echoing down the hallway.
“Is anyone home?” it asked.
“We’re gonna find out,” it promised.
The mysterious male voice was coming, she’d soon discovered, from a speaker on a camera posted near the TV in the living room. It had been there for a while, set up by the couple so they could monitor their babysitters remotely. It had brought them peace of mind. But that was over now.
Soon the voice paused and a loud alarm emanated from the device, piercing like a klaxon through the hallways, threatening to wake the kids. It had also begun taunting John’s dog.
The 33-year-old dad immediately pulled to the side of the road.
He rushed to open the Ring app on his phone. Disconnecting the five security cameras he’d placed around the house would do the trick, he hoped. As continued the drive, he wondered just how they had “broken in.” One scenario frightened him more than the rest.
If whoever had hacked his camera had broken in through his wifi, he thought to himself, then that means they must be close.
As he neared the driveway, John’s eyes darted up and down the street, searching for signs of anyone suspicious; a car perhaps, that didn’t belong. Inside, he peered out into his backyard, scanning the fence line for some insidious, lurking figure. The light only stretched so far, however, and he was left wondering if someone was there, just beyond its reach, watching him; watching the house.
“I slept with my gun next to my bed that night, which I never do,” he said.
“That was in the forefront of my mind and my wife’s mind, you know, with two kids and everything,” he continued. “I couldn’t see anybody in my front yard, on the street, and my backyard up until the fence. I didn’t see anybody. But beyond the fence its so dark. I didn’t know if somebody was spying on us to look for an opportunity to break in – or something. That’s the unnerving part.”
John’s family isn’t alone in their experience. In the past week, frightening tales of indoor cameras being hacked have gone viral. It’s now become apparent that Ring customers, in particular, are being targeted.
After buying one of the Amazon-owned company’s doorbell cameras, John installed four more Ring devices around the house: Two Stick Up cams to watch the kids and the doggy door, as well as two floodlights equipped with cameras outside. A rash of vehicle burglaries in the neighbourhood had led to the purchase. Now he was forced to disconnect them all and then begin about the annoying task of changing the passwords on every internet-connected device he owned.
“You hear about celebrities being targeted,” John said. “But I didn’t think it would happen to me. I’m just Joe Schmoe.”
A Ring official said by phone that the company’s own systems had not been compromised and that customers reusing old passwords, or whose passwords were too simple, to begin with, are the ones who are at risk.
“Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts,” Ring said in a blog post. “Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts.”
Motherboard reported last week that hackers have developed dedicated software for breaking into Ring cameras. They appear to be doing it mostly for entertainment. A custom app that helps locate vulnerable cameras is being sold for as little as $6 (£4.59), the site reported, and a podcast on Discord, the voice app built for gamers, has taken to hacking the cameras live on air.
“You hear about celebrities being targeted. But I didn’t think it would happen to me.”
The hackers are brute-forcing their way in, according to Motherboard, “rapidly churning through usernames or email addresses and passwords and trying to use them to log into accounts.” None of the victims had set up two-factor authentication.
The seriousness of the hacking incidents became apparent after WMC 5, a local Tennessee news station, broadcast Ring footage taken in an 8-year-old girl’s bedroom that depicts a mysterious voice feeding her instructions. “It’s Santa. It’s your best friend,” the voice says.
In a separate incident in Florida, a camera hacker reportedly spewed racist slurs over a speaker.
Despite being hacked, John said his cameras are now back online. He’s convinced the steps he took will prevent it from happening again. Besides, he says, his wife is “gung-ho” about having the ability to “nanny spy.”
“That’s a big deal to her, to make sure we don’t have any problematic baby sitters or anything like that. And I’m not sure she’s willing to give up that ability because of this. We don’t have it in bedrooms, obviously. I would never put one in the bedroom. We have baby monitors that satisfy that need that aren’t connected to the internet,” he said.
“We don’t do anything weird on the cameras. I’m kinda of the opinion that if you don’t do anything wrong, you have nothing to worry about. It’s not like there’s illicit drugs in my house,” he said. “There’s not anything like that going on. So I don’t really care. But what I have a problem with is somebody getting access to live view and disrupting our lives.”
The police weren’t called. John is still on the fence about whether or not it’s worth it, he said. Ring responded quickly when he reported the incident, escalating the issue to its security team. But at the time of writing, five days had gone by and he hadn’t heard anything back. (A Ring official offered to speak directly to John after Gizmodo called the company for comment.)
“What could have been really bad is, had my wife gone to the camera. I told her the best thing she did was ignore it and walk away,” he said. “If she had gone to the camera they could have started to demand things, or say really threatening things, that could have taken that unnerving to another level.”
Asked if Ring could have done more, John said he didn’t remember ever receiving an email about setting up two-factor authentication. “That should be a mandatory thing, in my opinion,” he said. “It’s a real easy thing to set up and use.”
A Ring spokeswoman said that emails referencing the security measure are “definitely” sent out to customers after they sign up, but that she would check to see how the company is notifying its users about the option. “We’re always looking at ways we can be better for our customers,” she said.
When asked whether Ring is currently working with any law enforcement agencies to hunt down the hackers that are targeting its users, the official told Gizmodo that she currently had nothing to share.
Editor’s note: “John” is an alias used to protect the identity of the Ring footage’s owner.
Featured image: Screenshot: Gizmodo