I’ve done it, I’ve found the solution to the ring doorbell problem.
If y’all haven’t read the news recently, the new thing is the password stuffing attacks against Ring Doorbells. Basically Ring only required an email and a password to access the microphone and camera feed.
Obviously it’s the bare minimum to have something be secured. This resulted in hackers checking their database of leaked or breached credentials and accessing the ring cameras. Scary part is some people tried to extort bitcoin from Ring’s customers or some were just super creepy towards children (looking at the guys who told the little girl they were Santa Claus).
Article(s) are HERE and HERE and HERE if you want to read ’em. Note there are many other articles written on the subject as well.
That said, some solutions I’ve read are using 2FA, which Ring should really have in place anyway. Others were to limit access to IPs in the country where the Ring Doorbell/Camera was originally activated. To me, these are ok but silly solutions.
Here is the real solution!
When you first activate the doorbell/camera require the customer to push a button on the ring camera/doorbell. Then only allow that connection. Think of it as a hardware one time 2FA.
Boom, I solved the problem. I’m ready for my reward from Ring.
What do you guys think? Would my solution work? Or do you have your own solution?
END TRANSMISSION
What if someone was traveling and needed to use the camera remotely? I think a good solution would be to reset everyone’s password now and make sure every time they login, an SMS or an email should go to trusted phone number/email. (Like Google…)
It’s a one-time requirement. Once you activate the camera when you first set it up and authenticate with the hardware button on it, that device (like their phone) can access it anytime with an email/password (even better with SMS or email 2FA), although email/SMS is the weakest type of 2FA.
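The button-press activation from the post, with the one-time device binding described in the last reply, sketched as an added example (not code from Ring or from the original post). The class, its method names, the 120-second window and the sample credentials are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

PAIRING_WINDOW = 120  # seconds a button press stays valid (assumed value)

class Camera:
    """Server-side record for one camera; every name here is hypothetical."""
    def __init__(self, email, password):
        self.email, self.salt = email, secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.pressed_at = None   # time of the last unconsumed button press
        self.enrolled = set()    # SHA-256 digests of issued device tokens

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _password_ok(self, email, password):
        return email == self.email and hmac.compare_digest(self._hash(password), self.pw_hash)

    def press_button(self, now):
        """The camera reports that its physical button was pressed."""
        self.pressed_at = now

    def enroll(self, email, password, now):
        """Bind a new phone: needs the password AND a recent button press."""
        pressed, self.pressed_at = self.pressed_at, None  # a press is single-use
        if not self._password_ok(email, password):
            return None
        if pressed is None or not 0 <= now - pressed <= PAIRING_WINDOW:
            return None
        token = secrets.token_urlsafe(32)  # stored only on the enrolled phone
        self.enrolled.add(hashlib.sha256(token.encode()).digest())
        return token

    def open_feed(self, email, password, token):
        """Feed access needs the password plus a token from an enrolled phone."""
        if token is None or not self._password_ok(email, password):
            return False
        return hashlib.sha256(token.encode()).digest() in self.enrolled

def demo():
    creds = ("owner@example.com", "reused-password")  # constructed sample values
    cam = Camera(*creds)
    cam.press_button(now=1000)
    phone = cam.enroll(*creds, now=1030)     # owner at the door: succeeds
    stuffed = cam.enroll(*creds, now=1040)   # leaked password, no press: refused
    return (phone is not None, stuffed is None,
            cam.open_feed(*creds, phone), cam.open_feed(*creds, None))

if __name__ == "__main__":
    print(demo())
```

Because enrollment binds the phone rather than a network location, an enrolled phone keeps working while its owner travels, which covers the case raised in the first reply.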