The smart home security camera market is booming, with estimated consumer spending in the U.S. alone expected to reach nearly $10 billion by 2023. While big players like Ring, Nest, and Arlo (owned by Amazon, Google, and Netgear, respectively) are vying to claim top spot on your doorstep and inside your home, the industry has been plagued by headline-grabbing breaches and terrifying security cam threats. The bad guys are even hacking into video baby monitors. Yep, strangers in the nursery. Pretty scary stuff.
South Carolina: Upon waking one morning in June 2018, Jamie Summitt noticed the baby cam pointing directly at her as she lay in bed. Initially, she didn’t think much of it, simply assuming her husband was checking in on her and the baby from the office.
Later that day, while the baby slept, Jamie’s smartphone alerted her to camera movement. But this time, her husband was sitting across the dinner table from her. She told NPR that when she checked her phone app, she saw the camera pan across her bedroom and stop on the couple’s bed, where it paused before moving back to the bassinet.
While she first chalked it up to her app being “haunted,” the couple came to realize, with near certainty, that their baby monitor had been hacked. After the ordeal, Jamie posted the following on Facebook: “I honestly don’t ever want to go back into my own bedroom.”
Mississippi: Four days after installing a Ring camera to keep an eye on her daughters while she worked, Ashley LeMay said her 8-year-old daughter heard banging and creepy music emanating from her bedroom. When the daughter went to investigate, she said, a voice spoke to her from the Ring cam: “I’m Santa Claus, don’t you want to be my best friend?” The stranger on the other side of the cam also told her, “You can do whatever you want right now… you can break your TV.”
LeMay said that while she immediately changed passwords, the child was left shaken. “I was even scared of my room for a few days. I’m still a little bit scared of it.”
Who wouldn’t be?
Texas: In January 2021, ADT technician Telesforo Aviles pled guilty to computer fraud after admitting to repeatedly hacking into customers’ security cam feeds. Apparently, Aviles added his own email to the accounts of attractive female customers and would then view their footage. Over four-and-a-half years, the man accessed approximately 200 customer accounts nearly 10,000 times. He now faces up to five years in federal prison.
In December 2020, a new class action lawsuit was filed against Ring after dozens of users (including the LeMay family) claimed they were subject to death threats, racial slurs, and blackmail by hackers who accessed their in-home smart cams. Cybersecurity experts are keeping a close eye on the case, and the number of class members is expected to rise, potentially including tens of thousands of Ring customers.
It appears that Ring’s defense is going to amount to blaming the victims of the security cam breaches, who the company says did not implement strong enough passwords or use two-factor authentication.
Ring and others have been plagued by “credential stuffing” in which hackers access accounts using usernames and passwords stolen in seemingly unrelated data breaches. Hackers count on victims using the same login credentials for multiple accounts. So, while Ring and other security cam companies are not actually having their own data hacked, the outcome is essentially the same.
Still, Ring is not without fault. Perhaps most glaringly, it was determined that Ring’s internal systems failed to alert customers about suspicious login attempts and did not appear to limit the number of login attempts a user could make. Also, in 2019, it was reported that the company was not encrypting stored video data and that Ring employees had access to the entirety of customers’ video recordings. And although it suggested that customers do so, Ring did not require them to implement two-factor authentication until February 2020.
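The two gaps described above, no limit on login attempts and no alert on suspicious logins, can be illustrated with a small server-side check. This is an added example, not code from Ring or from the original article; the class name, thresholds, alert strings and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILS = 5          # assumed: failed logins allowed per account per window
WINDOW = 300           # assumed: sliding window, in seconds
STUFFING_ACCOUNTS = 3  # assumed: distinct accounts failed from one source IP

class LoginGuard:
    def __init__(self):
        self.fails_by_account = defaultdict(deque)  # account -> (ts, ip)
        self.fails_by_ip = defaultdict(deque)       # ip -> (ts, account)
        self.known_ips = defaultdict(set)           # account -> sources seen before

    def _prune(self, q, now):
        while q and now - q[0][0] > WINDOW:
            q.popleft()

    def attempt(self, ts, account, ip, password_ok):
        """Return (decision, alerts) for one login attempt."""
        acct_q, ip_q = self.fails_by_account[account], self.fails_by_ip[ip]
        self._prune(acct_q, ts)
        self._prune(ip_q, ts)
        if len(acct_q) >= MAX_FAILS:                 # attempt limit per account
            return "blocked", ["account_locked:" + account]
        if len({a for _, a in ip_q}) >= STUFFING_ACCOUNTS:
            return "blocked", ["stuffing_suspected:" + ip]  # even if password is right
        if not password_ok:
            acct_q.append((ts, ip))
            ip_q.append((ts, account))
            return "denied", []
        alerts = []
        if self.known_ips[account] and ip not in self.known_ips[account]:
            alerts.append("notify_owner_new_source:" + account)
        self.known_ips[account].add(ip)
        return "allowed", alerts

# Constructed sample events: (timestamp, account, source IP, password correct?)
EVENTS = [
    (0,  "alice", "198.51.100.7", True),   # owner's usual source
    (10, "bob",   "203.0.113.9",  False),  # one source cycling through accounts
    (11, "carol", "203.0.113.9",  False),
    (12, "dave",  "203.0.113.9",  False),
    (13, "alice", "203.0.113.9",  True),   # reused password from another breach
    (20, "alice", "192.0.2.44",   True),   # correct password, unfamiliar source
]

def replay(events):
    guard = LoginGuard()
    return [guard.attempt(*e) for e in events]
```

The per-account limit also delays the legitimate owner during the window, which is the trade-off of throttling by account.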
Big data breaches and stolen passwords aren’t the only way hackers are finding security cam victims. Bad actors also sweep the internet in search of unsecured security cameras. Suffice it to say, where there is a will, there’s a way. But what are hackers really after?
The thought of creepy strangers spying on you or talking to your children is bone-chilling, amounting really to psychological terrorism. The reasons bad actors target security cams are:
Testing their skills. Breaching a system like this carries few consequences for the perpetrator because it is unlikely they will ever be caught.
Crowing rights. Breaching Ring’s security system gives the hacker clout in the hacker community by causing a stir or attracting news media coverage.
Monetary gain. Security cam hackers can identify opportunities for burglary and other crimes where surveillance of the target is consequential. For instance, hackers can surveil home interiors of vacationing victims.
Voyeurism & Peeping Toms. Some individuals get off on viewing unsuspecting people in their homes or workplaces, unaware they are being watched as they undress, shower or even do mundane household tasks. This is considered a psychological disorder.
Stalking. Security cams are sometimes used by stalkers to electronically surveil their victims. So that hacker could be a past or current romantic interest or some other shadowy figure with ill intent.
As a cyber expert, I can sadly assure you that security cam hackers, credential stuffers, and cyber creeps will continue to wreak havoc on our technologies and our bank accounts. But while security cams do pose some very real threats, they are also exceptional technology that allows users to feel a sense of ownership in the safety of their homes and neighborhoods.
Here are the Top 4 Tips for keeping your security camera and your family safe from hackers:
Change the Vendor Default Passwords. These passwords frequently ship with equipment and are generally well known to all hackers. A common hacking exploitation technique is to identify the vendor equipment, then look up the vendor default admin password with a simple Google search.
Change Your Password to a Long (“Strong”) Password. You might be surprised how many people will reuse the same password for multiple accounts. Hackers count on this laziness and may already have your password from a cyber breach of a different website (Adobe, eBay, MyFitnessPal, Yahoo, LinkedIn, Equifax, etc.). It is important you create a unique password for each account using long, complex phrases or character strings. Use a combination of upper- and lowercase letters, numbers and symbols. Do not use your name, your children’s names or any other identifying information in your passwords. Length is the most important determinant of password strength.
Use Multi-Factor Authentication. Two-step verification or multi-factor authentication substantially increases the security of your accounts by requiring two or more steps to gain access. For example, you might be required to enter your password, which triggers a text to your phone that includes an access code to enter in your login. It may even involve a security question, like your mother’s maiden name. For a perpetrator to gain access to your account, they would need all these to be successful.
Install a Password Manager. Password managers help protect users from identity theft. They are applications that allow users to store, generate, and manage all their passwords in a centralized, encrypted database. Having an application create and manage your passwords for you (securely) makes it trivial to have strong, long and unique passwords, because you don’t have to rely on your memory to use them. While nothing is foolproof, password managers are a smart line of defense against phishing, scamming and hacking schemes.
While security cam threats are not going away any time soon, knowledge is most certainly power. Outsmart the bad guys at their own game by knowing and implementing the smart cybersecurity measures that will keep your home fortified and your family safe.
Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.