Ashley LeMay and Dylan Blakeley recently installed a Ring security camera in the bedroom of their 3 daughters, giving the Mississippi parents an extra set of eyes — but not the ones that they had bargained for.
Four days after mounting the camera to the wall, a built-in speaker started piping the song “Tiptoe Through the Tulips” into the empty bedroom, footage from the device showed.
When the couple’s 8-year-old daughter, Alyssa, checked on the music and turned on the lights, a man started speaking to her, repeatedly calling her a racial slur and saying he was Santa Claus. She screamed for her mother.
The family’s Ring security system had been hacked, the family said. The intrusion was part of a recent spate of breaches involving Ring, which is owned by Amazon.
There have been at least 3 similar cases reported this month — the others were in Connecticut, Florida and Georgia. Other breaches, involving Google’s Nest and Taococo, a baby monitor sold on Amazon, have also drawn scrutiny and prompted concerns about privacy.
LeMay, 27, said the Dec. 4 episode unnerved her family, particularly her daughter Alyssa.
“She won’t even sleep in her room,” LeMay said Saturday. “She actually spent the night with a friend the other night because she didn’t want to be here.”
LeMay said that she and her husband, who unplugged the camera, immediately reported the episode to Ring and later to the police in Southaven, Mississippi. Since the episode, she said, her family had been contacted by the FBI and by Ring’s chief operating officer, Jon Irwin.
But she criticized the company’s response, saying it had provided scant information and deflected responsibility for the breaches onto customers.
A Ring spokeswoman said in a statement Saturday that the company took the security of its devices seriously and attributed the recent episodes to hackers gaining users’ login credentials.
“Our security team has investigated this incident and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the statement said. “Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts.”
Ring users can monitor the cameras on the company’s smartphone app and speak to people inside their home and at their front door using a two-way audio feature. But cybersecurity experts say all it takes is a username and password for hackers to gain access to the devices.
Ring said it began sending emails this weekend to its millions of customers, reminding them to use multifactor authentication, which requires users to verify their identity by entering a code that they receive as a text message or by using an authentication application, in addition to their password.
“Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts,” the statement said.
A spokesman for the Jackson, Mississippi, field office of the FBI said he could not confirm or deny that the episode was being investigated. The Southaven police chief, Macon Moore, said Monday that the case was under investigation but would not comment further because the investigation was active. He also said that police had not received other reports.
Cybersecurity experts said it’s not that difficult for hackers to gain access to “internet of things” devices, which include Ring security cameras and voice assistants, such as Alexa and Google Home.
“Unfortunately, we’re so reliant on passwords at this point, but passwords are absolutely the weakest link,” said Tim Weber, security services director for ADNET Technologies in Farmington, Connecticut.
Weber, who is a certified ethical hacker, said he had not seen any evidence that Ring’s operating platform had been breached. He recommended that people avoid reusing old passwords because they could have already been compromised as part of a previous data breach without users even knowing it.
“People are honestly struggling right now because they have so many passwords to maintain,” he said.
In Waterbury, Connecticut, Ed Slaughter told NBC Connecticut last week that he felt “violated” after a hacker started yelling obscenities and woke up his mother-in-law, who had been sleeping in the basement where he had installed a Ring camera. Efforts to reach Slaughter were unsuccessful.
In Cape Coral, Florida, Josefine Brown told NBC 2 that she was frightened by an episode in which a hacker could be heard in footage from a Ring security camera provided to the station asking the interracial couple if their son was a “baboon.”
In an email Sunday, Brown said: “We are very concerned about our safety and privacy because we thought having a security camera will keep us safe. We don’t know how long someone has been watching us. It is very scary.”
She said that after listening to the voices on videos in the other Ring cases, she was convinced it was the same person who hacked her device.
A Georgia woman told WSB-TV 2 that she was terrified when a man started talking to her through her Ring camera while she was in bed. The station did not name the woman.
Kelli Burgin, chairwoman of the cybersecurity department at Montreat College in North Carolina, said there are inherent risks with new smart devices.
“Nothing is 100 percent secure,” she said. “It takes a lot of layers of defense to make things more secure and to lower the risk. I understand the convenience of getting these devices, but I would also hate to see children exploited. We don’t know how long someone may be monitoring those cameras.”
In addition to multi-factor authentication, she recommended using passphrases instead of passwords, because they are harder for hackers and computers to guess.
LeMay, who works the overnight shift as a laboratory scientist at a hospital, said she thought she had been getting peace of mind with the Ring camera, as one of her daughters suffers from seizures.
Now, she said, the family is on edge.
“I’m definitely very paranoid,” she said. “Yesterday, I told my husband, ‘I really want to get away from here for a bit.’”
2019 The New York Times Company