Smart devices in the home – look away now if you haven’t changed the default password

smart-home-2769239_1920

The next time your young daughter tells you that Santa Claus spoke to her overnight, don’t rush to assume that she’s either not telling the truth or was dreaming.

This was exactly what happened to a family living in Mississippi in December last year. They had a Ring camera sitting in the bedroom of their three young girls, so that they could keep an eye on them overnight.

One night though, their Ring camera started playing the song “Tiptoe through the Tulips” out-of-the-blue and when one of the girls asked “Who’s there?” the camera responded “I’m Santa Claus. Don’t you want to be my best friend?” It wasn’t the camera responding, obviously, but the voice of someone who had hacked into the family Ring camera and had been watching the video stream all along.

Chilling.

Too easy

The problem is, the family made it all too easy for anyone wanting to hack into their camera to do so. As a sign of how easy it was, their camera had only been installed for just four days before it was compromised – that’s how quickly it was accessed.

Having investigated the incident, the owners of Ring, Amazon, stated that there was “… no evidence of an unauthorised intrusion or compromise of Ring’s systems or network.” What that means is one of the two following possibilities:

Firstly, the family did not change the default username or password on the device, so anyone randomly looking to hack into a webcam would have struck gold with this family’s camera. Very often devices like this come with a default username like “admin” and password that is often also “admin” or “00000” or “123456” – it doesn’t take much to crack devices with those details.

Alternatively, which reports say is more likely in this case, is the possibility that the family’s online details had been made public elsewhere in hacks of other sites or servers, and someone simply used the same username and password discovered in that other hack to gain access to the family’s Ring camera. This is what is known as “credential stuffing” i.e. taking log-in credentials from one site or service and trying those same details all over the web to see which accounts give you access.

Protection is so simple

Two very simple things would have stopped this attack in its tracks.

Firstly, you should always change the default username and password on any connected device you buy. That goes for routers, cameras, doorbells, thermostats … anything that connects to the internet and that sits in your home.

Secondly, as we always recommend as part of our 5 simple rules for staying safe online, never re-use the same password on more than one site, account or device. If you do so, you’re laying yourself open to the kind of credential stuffing attacks that this family fell victim to and it is so easily preventable.

In addition, where companies or services offer you the additional protection of 2-factor authentication (2FA) or multi-factor authentication (MFA), please take it. It’s a bit of extra hassle when you log-in as you’ll either have to wait for a text message with an additional code to enter, or dig into an Authenticator App on your phone to retrieve that code, but it’s an extra layer of sign-in security that is only visible to you – so even if your details have been hacked elsewhere and someone knows your username and password, they still can’t log-in unless they have your phone with them.

As we always say, the internet and the ability to connect all manner of devices to it offers such a wealth of convenience and control to our lives. However, never sacrifice your own, or your family’s personal security by not taking some very basic steps to keep your online life safe and secure.

Leave a comment