Inside the Podcast that Hacks Ring Camera Owners Live on Air (vice.com) 112
In the NulledCast podcast hackers livestream the harassment of Ring camera owners after accessing their devices. Hundreds of people can listen. From a report: A blaring siren suddenly rips through the Ring camera, startling the Florida family inside their own home. "It's your boy Chance on Nulled," a voice says from the Ring camera, which a hacker has taken over. "How you doing? How you doing?" "Welcome to the NulledCast," the voice says. The NulledCast is a podcast livestreamed to Discord. It's a show in which hackers take over people's Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners. In the example above, Chance blared noises and shouted racist comments at the Florida family. "Sit back and relax to over 45 minutes of entertainment," an advertisement for the podcast posted to a hacking forum called Nulled reads. "Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live."
Software to hack Ring cameras has recently become popular on the forum. The software churns through previously compromised email addresses and passwords to break into Ring cameras at scale. This has led to a recent spate of hacks that have occurred both during the podcast and at other times, several of which have been covered by local media outlets. In Brookhaven a hacker shouted at a sleeping woman through her hacked Ring camera to wake up. In Texas, a hacker demanded a couple pay a bitcoin ransom. Hackers targeted a family in DeSoto County, Mississippi, and spoke through the device to one of the young children.
Re: (Score:2)
oh sorry Amazon into the gutter.
This sort of thing is just why I won't allow any IoT S**t in my home. Security is a total afterthought.
Slow down there, Cowboy! We're all supposed to blame the randos that take advantage of an obviously flawed, insecure-by-design system and be outraged at *them* but definitely *not* those who designed, manufactured, marketed, and sold them.
But Epstein still didn't kill himself.
Strat
Re: (Score:3)
Yes, do the first, without neglecting the second.
Or, perhaps, stop defending offensive and inexcusable behavior.
We gotta stop using passwords (Score:3)
There are a lot of people one could and perhaps should be mad at. At least four different groups of people screwed up here.
The solution is we need to stop using passwords for everything. Especially stop using the SAME password for everything.
(To be clear, the assholes didn't hack anything, they logged in, with the user's password. The user had used the same password on some other site, and the other site got hacked at some time in the past.)
> We're all supposed to blame the randos that take advanta
Re: (Score:1)
Do I detect a thread hijack here?
PS: I agree!
Re: (Score:2)
You may change your mind when you reach your dotage. IoT will become your best friend.
That said, current IoT is a security nightmare.
This is why guns were invented (Score:1)
Re: (Score:2)
The only way a gun can protect you from this is to shoot the camera.
Though, it would be funny if "your boy Chance" got to livestream his own arrest, since he is basically recording his own crimes.
Re: (Score:2)
Re: (Score:2)
His kids will be lucky if they don't line him and shoot him for the insurance money.
Re: (Score:3)
This is also the 500th anti Ring article this month and a half. Thanks /. for making sure it's all on our news feeds.
If you haven't figured out yet that Slashdot thrives by trolling with arguments to increase page views, you deserve to be upset.
Re: (Score:2)
The real crux of this story is, this is what hackers can do to Ring and Nest, what can the owners of those devices do and we are not talking the gullible fools who bought and installed them, we are talking the real owners, Amazon and who they contract to, the deep state. Watch and monitor you 24/7/365, even if you put your phone down, the monitoring can continue. Do you realise, via your phone, they can tell when you are alone and sleeping and feed you back subliminal messaging whilst you sleep, totally 100%
Why so much trust? (Score:1)
Re: (Score:2)
What "huge ramifications"? They are just using your password to do stuff you can do with your device. Change your password. What is next? Someone uses someone else's email account to send emails?
Re: (Score:1)
Re: (Score:2)
I'm pretty sure every Joe Sixpack understands the concept of "change your password".
Re: (Score:2)
> I'm pretty sure every Joe Sixpack understands the concept of "change your password".
And you would be wrong.
Re: (Score:2)
Right. People are dumb and don't understand the concept of changing a password in 2019. Good thing you are a slashdot genius and don't suffer from that problem.
Re: (Score:3)
I'm pretty sure there a lot of Joe Sixpacks out there who don't understand the concept of "password", let alone changing it.
Re: (Score:1)
How do you set up a Ring without a password? You can't. So you claim there are a lot of people that have a Ring AND don't understand the concept of a password? Amazing. You guys are so smart.
Re:Why so much trust? (Score:4, Insightful)
The system tells them to type something in. They type something in. Doesn't mean they understand what they're typing in.
Re: (Score:1)
I see. So people are so dumb that when they are asked to type in an account password they don't know what a password means. And they never had to enter in a password before to access something like email, or a website. Thanks Chris. Too bad average people aren't as smart as you.
Re:Why so much trust? (Score:4, Insightful)
You've never worked in tech support, have you? Not everybody is that dumb, but, yes, some people are. They just do what all the sites/software tell them to do without understanding why they all ask for it. It's just the way computers are, that's all.
Re: (Score:1)
Right. In 2019 some people don't understand the concept of passwords because they have never used an email account before. But somehow they are able to connect a Ring doorbell to their wifi and have to enter in a password in the box where it says "password". Makes a lot of sense. So when you tell them to "change their password", they just say "what be a password?"
Re: (Score:2)
Tech Support.
Not a very high bar.
Re: (Score:2)
How do you change your password if the first thing the attacker does is change it to something you don't know and probably the email and contact info associated with the device?
Re: (Score:2)
You call Amazon and they fix it for you. Are you new to the Internet?
How stupid ... (Score:2)
... he could have simply said he is a cop.
Or pay Amazon a penny and a half.
But I guess if you are bad with humans *andy with the Bezos from planet Bezos [youtu.be] ...
s/\*andy/and/ (Score:2)
Jesus, are touch screen keyboards a horribly misguided abomination.
well can move from podcasts to court TV or live PD (Score:2)
well can move from podcasts to court TV or a live PD bust.
Re: (Score:2)
Dumb. The main purpose of Ring is to access the video stream and recordings while you are away from the premises. This requires a connection to the Internet. What you are describing is a CCTV system. I can't believe you typed all that. None of what you described would stop these "hackers" from doing anything. They had the username and password of the account.
Re: (Score:1)
> The main purpose of Ring is to access the video stream and recordings while you are away from the premises.
Perhaps that is true for some customers, but not for me and probably many others, at least not when I am at home: When I am at home, I want my doorbell camera to be a CCTV system that I can monitor from my phone or tablet if I'm at the far end of the house or concerned about a possible "ring the doorbell and hope I open the door" intruder.
> None of what you described would stop these "hackers" from doing anything. They had the username and password of the account.
I specifically mentioned multi-factor authentication to address the issue of compromised passwords. Yes, I am aware of SIM-cloning and other ways to defeat MFA, but even
Re: (Score:2)
That's great. But that is not the main purpose of the Ring for anyone else but yourself. And yeah, Ring already has MFA.
Hacking (Score:4, Insightful)
I guess typing in a known password is what qualifies for "hacking" nowadays.
Re:Hacking (Score:5, Insightful)
We can debate whether the dude deserves the term "hacker"; but I'd guess it's close to unanimous that he deserves the term "asshole".
Re: (Score:2)
Re: (Score:2)
> We can debate whether the dude deserves the term "hacker"; but I'd guess it's close to unanimous that he deserves the term "asshole".
Just to be clear, are you referring to the person who refuses to change their password after being hacked multiple times, ties up legal resources reporting a "crime", and then accuses the manufacturer of making a shitty product...
...or the person who confirms how much consumers are assholes?
Re: (Score:3)
If I don't lock my door, and you come in and steal my stuff... You're still an asshole committing a crime.
Re: (Score:2)
> If I don't lock my door, and you come in and steal my stuff... You're still an asshole committing a crime.
Cute story. Now let's describe what people are actually doing here.
You don't lock your door. In fact, you never lock your door no matter how many times people tell you. It's now the third time this year you're calling the police to report the crime of you never learning. You actually got angry last time at the automobile insurance rep last time for raising your rates, as if this is somehow their fault. As a result of this happening more often than necessary, the rest of society is also forced to pay fo
Re: (Score:2)
Don't know about the US, but if you leave your doors unlocked in the UK whether it's your house or car there is a very high chance the insurance company will not pay out.
Re: (Score:2)
I leave my front and rear door open in the summer to get some airflow, are you saying if you come by and see my door open; it's okay for you to stand in my house and yell racist stuff at me, and I'm an asshole when I call the cops on you each time you do it?
Me hiring a pen tester is quite different from some rando on the internet doing it for shits n giggles.
Re: (Score:2)
> I leave my front and rear door open in the summer to get some airflow, are you saying if you come by and see my door open; it's okay for you to stand in my house and yell racist stuff at me, and I'm an asshole when I call the cops on you each time you do it?
Yes you are, because we have the 1st Amendment. But if you don't believe me, we can repeat that action until the police officers call you an asshole and/or arrest you for wasting police resources reporting the "crime" of being offended.
> Me hiring a pen tester is quite different from some rando on the internet doing it for shits n giggles.
Please. It's not different at all. Both the pen tester and the internet rando are telling people exactly what they're doing wrong, and yet consumers choose to ignore both of them anyway. Only difference is the internet rando is offering the same advice for free.
Re: (Score:2)
"we have the 1st Amendment"
We don't all live in the USA
Is this really "hacking" (Score:2)
How is taking a list of known compromised credentials and using it to see if you can login to a service hacking? They are not hacking into ring, they are accessing ring accounts via valid credentials. If I use my slashdot password for my email and slashdot gets hacked would you say the hacker figured out how to hack my mail server?
Yes it is. [Re:Is this really "hacking"] (Score:2)
> How is taking a list of known compromised credentials and using it to see if you can login to a service hacking?
If they have not been authorized to access the account, then they are violating the Computer Fraud and Abuse Act.
https://www.law.cornell.edu/uscode/text/18/1030
It doesn't matter from where they got the compromised credentials. If somebody steals the key to your house, makes a copy, and thumbtacks the copied key to a bulletin board in the local supermarket with the note "here's a key to XXX house!"-- yes, it's illegal for somebody to use that key to enter your house and take stuff. Saying "but I had a key
Re: (Score:2)
The argument wasn't whether it was illegal, but whether it was hacking. In the vernacular, it's true that anything done with a computer that's illegal is called hacking. But that's not at all what hacking means.
Re: (Score:3)
> The argument wasn't whether it was illegal, but whether it was hacking. In the vernacular, it's true that anything done with a computer that's illegal is called hacking. But that's not at all what hacking means.
Seems to fit one definition [wikipedia.org] (besides being called a 'cracker'):
Re: (Score:2)
I'd argue that entering a username and password is not subverting security, but rather simply using it.
Re: (Score:2)
> I'd argue that entering a username and password is not subverting security, but rather simply using it.
Hence me highlighting the 'malicious purposes' part.
Re: (Score:2)
You can't do something for malicious purposes that you're not doing.
You can do something for malicious purposes that doesn't qualify as subverting security measures too.
Re:Is this really "hacking" (Score:5, Insightful)
That's like saying if I get your credit card information and use it to purchase items, I'm not committing a crime because the information is valid.
Re: (Score:3)
No, I think he's just arguing about what you should call the crime.
Re: (Score:3)
> They are not hacking into ring, they are accessing ring accounts via valid credentials.
They are accessing ring accounts without authorisation. Stolen credentials are not authorisation. That falls straight into the category "criminal hacking".
shocking? (Score:1)
Re: (Score:2)
The internet... (Score:2)
I get that "hacking" someone's security camera might lead to some funny moments. Maybe it can be used as a reminder to ensure proper security on these devices. To be an outright asshole while doing it.. this is why I'd support public stockades.
Re: (Score:2)
If it wasn't for them being assholes, there would be no news story, and people would keep believing their internet-connected webcam is secure.
I think they're doing a great service.
Ring/Amazon could put a quick end to this (Score:1)
...simply by comparing their users' passwords with HaveIBeenPwned and forcing a password reset before anyone can get in.
So why haven't they done this already?
What a bunch of assholes. (Score:5, Insightful)
Re: (Score:2)
So we are looking at these jerks on one hand and even more of a jerk of a corporation releasing such products. In the end, when we root for the lesser of the two evils, we are still rooting for evil.
serious security (Score:5)
Re: (Score:1)
> This is good. It makes people aware internet security is a problem. Second, maybe it will make someone think twice before placing some IoT spy/crapware in their home.
No, it is bad. Apparently you could not be bothered to skim the summary:
> In the example above, Chance blared noises and shouted racist comments at the Florida family.
Re: (Score:3)
https://en.wikipedia.org/wiki/... [wikipedia.org]
For the most part our society, especially legal system, is reactive, not proactive. That's just how we operate. It takes events like this to wake up the uneducated.
Frown: You're trying to produce Candid Camera... (Score:1)
Candid Camera is a classic show from the early days of TV that had to be banned along with all spinoffs because bad operators took over. I hereby assign footage of people with their Nest Thermostat changed to torture them to SpyTV... NBC don't air that.
Ring (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
When 'IT' bites them in the a$$ or when YOU or another law breaker bites them in the arse?
Because you can doesn't mean you should. Nobody hired you to test their security.
Re: (Score:2)
Re: (Score:2)
That's akin to saying, "I have absolutely no sympathy for idiots who buy a house when someone breaks in and stabs them. This goes for garages too." The person who took over their account is breaking the law. Period. Not everyone understands security and often re-uses passwords. Do you realize Titan, Schlage and Defiant reuse keys for deadbolts and door locks? Is it ok if I use a set of keys to get into your house and steal everything? "We have no sympathy for idiots who don't understand tumblers and p
What failed? (Score:2)
Password?
Hardware?
Ethernet?
How can this be prevented with better design?
Better wifi? A really strong, long and unique password on setup?
Hardware? Something has to change?
Ethernet? Should some type of network connections be changed to ethernet?
Hang on... (Score:2)
Comment Subject: (Score:2)
In unrelated news, many /. posters announce how outraged they are about people taking things from their unlocked cars.
So wait... (Score:2)
There's no "you failed 5 login attempts, you have to answer a CAPTCHA", or "you failed 10 times, your account is now locked" at a minimum?
Re: (Score:3)
This wasn't a brute force attack. It was people using the same password for their device that they used on another site that had their password lists compromised.
Re: (Score:2)
> This wasn't a brute force attack. It was people using the same password for their device that they used on another site that had their password lists compromised.
Ahhh thanks I misread the churns over thinking it was churning over a giant list with multiple passwords per username as well.
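The distinction drawn in this exchange, as an added example that is not part of any comment above: a per-account failure counter never trips when each account is tried once with a reused password, while counting distinct accounts per source does. The log format, thresholds, addresses and function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: one source tries six accounts once each (one
# reused password works); a separate user mistypes three times.
SAMPLE_LOG = """\
2019-12-12T03:14:01Z login_fail user=ann@example.com src=203.0.113.7
2019-12-12T03:14:02Z login_fail user=bob@example.com src=203.0.113.7
2019-12-12T03:14:03Z login_fail user=cat@example.com src=203.0.113.7
2019-12-12T03:14:04Z login_ok user=dan@example.com src=203.0.113.7
2019-12-12T03:14:05Z login_fail user=eve@example.com src=203.0.113.7
2019-12-12T03:14:06Z login_fail user=fay@example.com src=203.0.113.7
2019-12-12T08:02:10Z login_fail user=gus@example.com src=198.51.100.20
2019-12-12T08:02:25Z login_fail user=gus@example.com src=198.51.100.20
2019-12-12T08:02:41Z login_fail user=gus@example.com src=198.51.100.20
2019-12-12T08:03:02Z login_ok user=gus@example.com src=198.51.100.20
""".splitlines()

LINE = re.compile(r"^(\S+) login_(ok|fail) user=(\S+) src=(\S+)$")


def parse(lines):
    """Return (timestamp, succeeded, user, source) for each well-formed line."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2) == "ok", m.group(3), m.group(4)))
    return events


def locked_accounts(events, max_fails=5):
    """Classic lockout: accounts with max_fails or more failed logins."""
    fails = defaultdict(int)
    for _, ok, user, _ in events:
        if not ok:
            fails[user] += 1
    return {user for user, n in fails.items() if n >= max_fails}


def stuffing_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources that attempt min_accounts distinct accounts within one window."""
    by_src = defaultdict(list)
    for ts, _, user, src in events:
        by_src[src].append((ts, user))
    flagged = set()
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                flagged.add(src)
                break
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged in to: force a reset and notify."""
    return sorted({u for _, ok, u, src in events if ok and src in flagged})
```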
Things like this are precisely why (Score:2)
Re:passwords are useless (Score:5, Insightful)
Harassing people you don't know just for the lulz is NEVER acceptable.
Re:passwords are useless (Score:5, Insightful)
Re:passwords are useless (Score:5, Insightful)
I hope they never get caught, and keep on doing this, so that ring goes bankrupt. If these pranksters stop spying on people, it will be the government doing it instead, and that's far more terrifying.
Re: (Score:1)
It's obviously not Ring/Amazon's fault. These people need to learn better security practices.
Not saying that they deserve to be harassed, not at all. I am just saying that Ring is not to blame here.
Re: (Score:3)
> It's obviously not Ring/Amazon's fault. These people need to learn better security practices.
> Not saying that they deserve to be harassed, not at all. I am just saying that Ring is not to blame here.
It's obviously Ring's fault.
How about this simple trick embedded in the install booklet?
Now enter your username and password or the install will halt until you do so.
[Install process checks to see if that shit's been hacked]
A. That username/password has been hacked. It's no good. Try again or the install will halt until you do so.
B. Null
Now enable two-factor authentication or the install will halt until you do so. ...
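The setup flow sketched in this comment, and the HaveIBeenPwned comparison suggested in an earlier one, as an added example that is not code from any commenter or from Ring. It assumes a range-style lookup in the manner of Pwned Passwords (only the first 5 hex characters of the SHA-1 digest are sent, and `SUFFIX:COUNT` lines come back); the breach corpus, `constructed_range_lookup` and `check_setup` are hypothetical and constructed so the block runs offline.

```python
import hashlib
from typing import Callable, Tuple

# Constructed breach corpus (password -> times seen); stands in for a real
# range service or a local copy of a breached-password hash set.
CONSTRUCTED_BREACHED = {"password1": 2413945, "letmein2019": 37, "hunter2": 17043}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix: str) -> str:
    """Hypothetical offline range endpoint: takes the first 5 hex characters
    of a SHA-1 digest and returns 'SUFFIX:COUNT' lines for matching digests."""
    rows = []
    for password, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            rows.append(f"{digest[5:]}:{count}")
    return "\r\n".join(rows)


def breach_count(password: str,
                 lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """Return how often the password appears in the corpus, sending only a
    5-character hash prefix to the lookup (k-anonymity range query)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for row in lookup(prefix).splitlines():
        candidate, _, count = row.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def check_setup(password: str, mfa_enrolled: bool,
                lookup: Callable[[str], str] = constructed_range_lookup
                ) -> Tuple[bool, str]:
    """Gate device setup: step A rejects a breached password, then the flow
    refuses to finish until a second factor is enrolled."""
    seen = breach_count(password, lookup)
    if seen:
        return False, f"password found in {seen} breach records; choose another"
    if not mfa_enrolled:
        return False, "enable two-factor authentication to continue"
    return True, "setup complete"
```

The same `breach_count` call can run at every login as well as at setup, which is what forcing a reset on already-registered accounts would require.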
Re: passwords are useless (Score:1)
When the install halts once more, the customer reboxes it and ships it back.
Re: (Score:2)
> When the install halts once more, the customer reboxes it and ships it back.
Better outcome than the headlines.
Re: (Score:2)
And if it doesn't accept any passwords, security is perfect.
Few things are as bad for security as the increasingly complex and convoluted "rules" that are now needed to set passwords.
like boiled cabbage [letvent.com]
Re: (Score:1)
> It's obviously Ring's fault.
What a strange world some people live in where corporations are responsible for how people use their products. The irony is it comes from people who are opposed to 'corporate control' in general, but yet they advocate for much more stringent corporate control. Imagine this logic carried out of the virtual world and into the real world. Lock manufacturers would have to make it impossible for you to leave your key under the mat to prevent an unsuspecting customer from being burgled, charcoal manufacturers wou
Re: (Score:1)
> I hope they never get caught, and keep on doing this, so that ring goes bankrupt.
Ah, yes. Here we see the liberal in its natural environment, gorging on the outrage that is so necessary for its survival. If the liberal finds no outrage, they can manufacture it for themselves out of practically nothing. Remarkable creatures. Let's sit tight and observe as this one manufactures outrage by declaring an electronic device that does nothing other than record reality as it happens, 'racist.' Viewers at home might wonder how a recording of reality could be racist, but they would be missing the
Re:passwords are useless (Score:4, Insightful)
There needs to be alternatives to passwords. Passwords as a sole method of authentication for services needs to be banned.
In other words, we should ban passwords, because most humans are too fucking stupid to password properly.
Maybe we should do that for other things too. Like parenting.
Re: (Score:2)
If you ban parenting, only criminals will parent.
Re: (Score:1)
> There needs to be alternatives to passwords. Passwords as a sole method of authentication for services needs to be banned.
> In other words, we should ban passwords, because most humans are too fucking stupid to password properly.
> Maybe we should do that for other things too. Like parenting.
You're more right than you know about passwords. Phishing is very successful with that. Even as dumb as "Test the strength of your password here." Make it look like the target and dumb people will happily type their password in. Usually in minutes. Ok. Educate them. Do the same thing a month later, you STILL get them. Especially at agencies because they have to hire stupid people and promote them. Part of the equal opportunity BS. Get the position based on being a vet or race, gender, etc. Not on their abil
Re: (Score:1)
Re: (Score:2)
Re: passwords are useless (Score:2)
Re: (Score:1)
Re: (Score:2)
There has to be a better way
Web PKI using X.509 client certificates. Browsers already support it. No need for there to be a shared secret at all; you just share your public key.
Re: (Score:2)
Public-key cryptography, eg GnuPG.
Re: (Score:1)
Pray it isn't hackable.
It's only going to be hackable if you picked a stupid password. Many PMs allow 2FA. Done properly, that requires two devices in the same place at the same time in addition to knowing your password. That's a very narrow attack surface.