People who use internet-enabled security camera systems like Amazon Ring or Google Nest to keep their homes safe could be opening up their virtual worlds to hackers, or even employees of the companies.
The devices, typically placed on the outside of homes and aimed at entryways, record live footage of who is approaching the premises, with many residents using the technology to deter package thieves and otherwise monitor their homes. But users who don’t properly secure their devices could be inviting criminals to snoop around their digital networks and potentially gain access to reams of sensitive personal data.
In a case highlighting such vulnerabilities, Amazon this week agreed to pay $5.8 million to the Federal Trade Commission to settle allegations it gave its Ring surveillance employees “unfettered” access to personal videos. The agency in its lawsuit also claimed that Amazon failed to protect customer security, leading to hackers threatening or sexually propositioning Ring owners.
Gavin Millard, a cybersecurity expert at Tenable, a firm that alerts clients to tech vulnerabilities, said there are ways to take advantage of the security features of video doorbells and cameras without exposing one’s private life and information to bad actors. Here are five ways users of the technology can protect themselves.
Reset default username and password
Never keep the username and password that a home security system assigns you by default. Because they can be easily guessed by hackers, they should be changed immediately, Millard said.
“Often when consumers buy the devices, they don’t change them from their default, insecure configurations,” Millard told CBS MoneyWatch.
Changing this password is crucial because once hackers breach one device, they can explore others that are connected to the same home network. For example, bad actors can use the search engine Shodan to scan the whole internet for any connected devices, from webcams to smart lightbulbs.
“I can ask it to show me every single internet-connected camera and try ‘Admin’ and ‘Password’ as the username and password, and you could access the video streams of any that are vulnerable,” he explained.
Two-factor authentication
In addition, use a multifactor authentication system for added protection.
“You also want to get a text or notification to a phone or some other device,” Georgetown University professor and cybersecurity expert Chuck Brooks told CBS MoneyWatch.
Use different networks for your devices
Once a cybercriminal cracks the code on your connected doorbell or camera, they can easily access content from other devices linked to the same network. As a result, it’s wise to keep these kinds of devices on a separate network from the one that powers your personal computer’s internet connection.
The upshot: Your network is only as secure as the most vulnerable device that is connected to it.
“They’re looking for the most vulnerable device to get access to your network and look at your emails and everything else you’re doing on your computer or smartphone,” Brooks said. “The value to them is they can acquire personal information that can be sold on the dark web.”
Millard keeps his devices on a guest network that’s separate from the home network he uses for work and to watch television.
“I use two networks because if I have a vulnerable camera connected to the internet, attackers don’t care what the device is — they just care that it’s vulnerable, and they can use it to gain an initial foothold into the network,” he said. “It gets them one step closer to being able to break into an infrastructure. Once they break into one device, they can look around and see what else they can go for. Very often an attack is not one-and-done.”
Never miss an update
While we’re often reminded to update the software on our smartphones and laptops when features are upgraded or changed, it’s also important to check home security cameras and doorbells for updates.
“‘Patching’ is all about keeping the device up to date. It’s important to regularly check for updates as part of having good cyber hygiene,” Millard said.
Don’t record anything private
It’s also advisable to treat files stored in cloud services as accessible to others, according to Millard. Deleting old footage from your library is also a good thing to do.
“Generally, I would assume any data I store in a cloud infrastructure or third-party app could be viewed by a company employee,” Millard said. Camera manufacturers could also be sharing your footage with law enforcement and other agencies, he said.
Another good rule of thumb is not to record your own personal movements or behaviors by putting a camera in a bedroom or bathroom, for example. In other words, aim the cameras at the outside world.
“Don’t put them in places that could reveal things you don’t want to be revealed more broadly,” Millard said.