(CBS) — Home security cameras are leaving users vulnerable to frightening cyberattacks. The incidents include hackers targeting Amazon Ring cameras around the country and shouting at residents, blasting music and setting off the system’s alarm, according to CNET.
A Mississippi family reported this week that a voice over their Ring camera told their 8-year-old that he was Santa Claus and asked if they could be friends. In October, a California man reported that his home Nest camera in his 18-month-old’s room had been hacked. In that instance, a woman’s voice was heard yelling, “I’m coming for your baby,” to the couple’s nanny, who was also in the room.
Earlier this year, CBS News also reported that an Illinois couple was a victim of a similar attack, in which the hackers “hurled obscenities” at their child over their Nest camera and also turned their home thermostat up to 90 degrees.
Ring, which is owned by Amazon, on Thursday acknowledged for the first time that “malicious actors” had obtained some users’ passwords and gained access to their accounts. Ring did not say how many accounts had been compromised, but it said the company had taken action to block improper access. The company also said affected users had been contacted.
In a blog post, Ring encouraged users to create strong passwords and provided a link for enabling so-called two-factor authentication, a more effective way to protect digital accounts, when logging in.
The hacks may be connected to a podcast in which the hosts aired live instances of their hacking into home security cameras and harassing users, according to Vice. The podcast, called “NulledCast,” was livestreamed on Discord, a chat app popular with gamers.
In a statement to CBS MoneyWatch, Discord confirmed that it had “located the server used by NullCast and terminated both the server itself and all the user accounts associated with it for violation of its terms of service.”
Discord was featured in a recent New York Times article that said sexual predators were targeting children through online video games. A spokesperson for Discord told the New York Times that the company has a “zero-tolerance policy for any illegal activity.”
The vulnerability of passwords for home cameras appears to have been known for some time. A year ago, a Canadian security consultant hacked into a home camera in Arizona and chatted with a real estate agent in order to raise awareness of the problem. Google, which owns Nest, in February issued a statement “strongly recommending” that users enable two-factor verification for their Nest accounts.
“Any incident where someone is made to feel unsafe in their home is deeply unfortunate and something Nest works hard to prevent. That’s why privacy and security are the foundation of our mission,” a Google spokesperson said in a statement.
Ring didn’t refer to the incidents as hacks, Rather, it said they were the result of “bad actors” getting access to passwords that customers had used with accounts for other devices or online services, and then those passwords had been used to access Ring accounts. Ring said that none of its own databases of user accounts and passwords had been breached.
Deral Heiland, the Internet of Things lead analyst at cybersecurity research firm Rapid7, thinks that Ring, Nest and others will find it hard to put an end to such attacks. In part, that’s because consumers commonly reuse passwords, and manufactures are reluctant to require two-factor verification because some users find it difficult, he said.
But the main problem is that the products are popular, attracting hackers.
“People really need to think about where they install these cameras,” Heiland said. “External cameras make sense. In a bedroom or bathroom, it is questionable.”
CNET contributed to the reporting in this story.
First published on December 13, 2019 / 3:37 PM
© 2019 CBS Interactive Inc.. All Rights Reserved.