By Kaili Lambe | Dec. 13, 2019 | Advocacy
An eight-year-old girl heard strange noises coming from her bedroom. When she went to see what it was, she heard a man’s voice speaking to her through the Amazon Ring her parents had just installed in her room.
A hacker was able to break into the video camera, see the eight-year-old, and give her orders because Amazon does not require two-factor authentication (2FA) for its Ring devices.
This is not an isolated incident. In fact, cyber criminals are sharing software online to break into Ring cameras at scale and are even showing off with a podcast where they hijack Ring videos and harass the devices’ owners live on-air. It’s despicable, but there is something Amazon can do to help prevent future attacks.
Requiring 2FA for all Ring account holders would be a straightforward step for Amazon. 2FA is already a widely accepted industry practice that safeguards people’s security. Many platforms collecting sensitive data require their users to have 2FA to verify their identity when logging in, just in case their login details are compromised.
Ring offers 2FA, and while many people use it, it's not required for setting up an account. As a result, any device attached to an account that does not have 2FA turned on is vulnerable.
But rather than taking responsibility for enabling basic default security, Amazon is putting the onus on consumers to protect themselves. When the mother of the eight-year-old reported what had happened to Ring, she was told to set up 2FA. In her interview with the Washington Post she said, “To be honest, it felt like they were trying to place the blame on me. As a mother, I already feel guilty enough that I let this happen to my family.”
She’s right. It is Amazon’s responsibility to protect its customers – particularly given that Amazon’s Ring Doorbell does not have a great track record when it comes to securing customer data, as we recently noted in Mozilla’s 2019 Privacy Not Included guide. The product failed many of our basic security guidelines and has a history of poor security practices, including failing to manage security vulnerabilities.
That's why we are calling on Amazon to require 2FA for all Ring accounts.