The internet is going nuts over a recent story of hackers interacting with an 8-year-old girl over the Ring camera in her bedroom. There are many reports of this happening all over the country, and Ring isn’t the only target. The hacks and interactions were being broadcast on the app Discord in a, now banned, podcast called NulledCast.
What most people need to understand about these hacks is that it is not typically the device itself that has been compromised. In almost all of the reports, the hackers logged into the user’s account with the proper usernames and passwords in order to gain access to the cameras.
There are several ways attackers obtain user account information. Knowing how to prevent someone malicious from accessing your accounts will help prevent the majority of these kinds of attacks. So, what are the various ways attackers obtain your login credentials?
They Ask You For It
This is probably the easiest way for an attacker to get your login information. They send out a massive phishing email, and anyone who bites will have their account compromised. These emails have become VERY good and extremely convincing.
The email will tell you your account has been compromised and you need to log in right away to change your password. You click the link in the email, and the website LOOKS like Ring’s website, and you hand over your credentials to the attackers. They may even go into your account and change your password to what you “changed” it to on their site, so you don’t even know the difference.
It is unfortunate how often phishing emails are successful. One way to prevent this from happening is to NEVER click the link in the email warning you about something or asking you to log into your account. NEVER EVER EVER. If you get an email that appears to be legit, open the website manually in a new browser window.
I rarely click any links in an email and prefer to just go to the website manually. If you DO happen to click a link in an email and it takes you directly to a login page, close the window and open the login page in a new browser window or tab.
Obtain Info From Previous Hacks
The second most popular way for attackers to get your login credentials is to get it from companies who have already been compromised. Here’s how that works:
Say you have a MyFitnessPal account where you use your email address and a password to log in. You actually use that same email address and password to login to your Ring account. When MyFitnessPal has a massive data breach, your email address and password are leaked to the dark web.
Now the attackers will try that same combination in your Ring account (that they found on a database on the dark web). Voila! They have access now because it was the same information.
Obviously, a great way to prevent this from happening is to use different login credentials for every account you log in to on the web. Likely you won’t be able to change your username since you don’t have an unlimited supply of email addresses, but you can use a different password in each location.
Keeping your passwords in a database like LastPass will help you log in to your various accounts since the passwords will all be different. LastPass can also give you an audit of your passwords so you can see if any of them are the same and you can change those outliers to be different.
You can find out if your email and standard password are already leaked on the web by visiting Have I Been Pwned. The “pwned” is a call back to gaming when people would be “owned” by the person who they were battling. The site will tell you exactly which websites your email address was compromised in. If you have used the same password in those sites as other sites, it’s definitely time to change your password.
They Just Crack It
If you have a simple password, attackers have programs that can try thousands of passwords quickly. If the website or service you are using is not very secure, they could quickly crack your password.
Password standards have actually changed, for the better, and it no longer requires you to have a strange stream of letters numbers and symbols (although many accounts will still probably require those). According to NIST, the strongest passwords are long (at least 20 characters) and are several words strung together. Like cake.state!drive$snacks#.
It is also no longer needed to change your password frequently. The only time you absolutely need to change your password is if it has been compromised in any form. As soon as someone else knows your username and password combination, you need to change it.
How can I prevent someone from accessing my smart home cameras and devices?
We’ve already touched on a few things here, but to simplify matters, here are 4 things you can do to help secure yourself from these breaches.
- Use different passwords – Using a different password for each website and service will go a long way to prevent crossover breaches (where your information is compromised from an unrelated service or website)
- Never log in from a clicked link – Make sure you manually type the website into your address bar if you are going to login to a website (or use the bookmark you’ve already created)
- Enable 2FA – 2FA stands for 2-factor authentication. This means that a code is either sent to your phone, or you need to open an app like Google Authenticator to enter the code listed there to access your websites and services. Yes, it becomes a huge pain sometimes, but the extra 15 seconds it takes you to log in to your camera will be worth it in the end of it prevents a hacker from accessing your devices. Some websites and services do not have the ability to enable 2FA, so check it out. If they do have it, turn it on right away!
- Use a firewall – We also didn’t mention this, since we were more focused on protecting your actual account in this post, but using a wifi router with a built-in firewall can prevent direct access to your devices. As I mentioned, this was not the problem in the recent breaches (account security was the problem), but that doesn’t mean it couldn’t happen in the future. My Gryphon firewall will let me know about any smart devices in my home that have open ports (windows into my home network) that could be attacked so I can lock them down.
Unfortunately, attackers are getting smarter every day. There are so many threats to our home network than just these. Soon there will be a huge need for consultants to come to help you secure your home networks just like there already are for businesses. I’m ready to help you! Let me know if you want to schedule a video consultation or in-home support in Utah.
This post may contain affiliate links, which means I receive compensation if you make a purchase using the links.