Ring security products are facing criticism after multiple reports that the brand’s in-home security cameras have been hacked, including an incident where an 8-year-old Mississippi girl heard voices coming from the device in her bedroom.
In the security footage, a man’s voice is heard, telling the little girl that he’s “Santa Claus,” and her “best friend.” He also encourages the child to mess up her room and break her TV.
“They could have watched them sleeping, changing. I mean they could have seen all kinds of things,” the girl’s mother, Ashley LeMay, told WMC Action News. “It makes me feel like it’s either somebody who knows us or somebody who is very close by.”
In a statement sent to TIME, Ring said that they take their devices’ security very seriously, but that the incidents are not related to a breach of security protocols.
“We have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the statement reads.
The statement adds that Ring is aware of an incident where “malicious actors” were able to obtain a user’s login credentials from an outside, non-Ring device and use that same information to log into the Ring device. “Upon learning of the incident, we took appropriate actions to promptly block bad actors from known affected Ring accounts and affected users have been contacted,” Ring says.
Craig Shue, an associate professor of computer science at Worcester Polytechnic Institute, agrees that the hackers are likely getting Ring users’ account information from third parties (like the details used for an email account or streaming service). Using specialized software, they are then able to recycle those passwords and usernames across multiple devices, including Rings, looking for instances where the login data matches. Motherboard has reported on forums and Discord servers whose users collaborate on such hacking projects.
Shue recommends that users create strong passwords, ensure each is unique across their different accounts and devices, and change them regularly. He also recommends enabling two-step authentication on devices where possible; this adds another step to the authorization process by sending a security code to a registered email or phone number when someone tries to log into an account.
Ring also recommends customers change their passwords and enable two-factor authentication. LeMay told WMC that she did not set up the two-factor authentication for her Ring account. She has since disabled the device and plans on returning it.
Shue says that both Ring and its products’ users bear responsibility for their security. “Manufacturers have the responsibility to clean out devices that can be secured and patch any vulnerabilities that come up,” he tells TIME. “Consumers also have to look out for their own self-interest. It hurts us if it doesn’t go well… we have to always be vigilant.”
“I would also encourage everybody to do their own form of risk assessment and determine what they need in these devices and whether it’s worth the risk to have that functionality,” Shue continues. “It’s kind of crazy that we use passwords as a line of defense for a sensitive device.”