The security of smart home equipment has come under scrutiny again after a hacker compromised a US family’s connected camera system to spy on and talk to its 8-year-old daughter.
The Ring camera was only installed for four days in the girl’s room before the incident, according to local reports.
After remotely compromising the device, the male hacker appears to have taunted the child, encouraging her to destroy her room and playing unsettling music through the speaker.
“I'm Santa Claus. Don't you want to be my best friend?” he said at one point.
It’s likely that he managed to crack or guess the family’s account password, potentially through a credential stuffing attack.
“Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services,” a statement from Ring noted.
“As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords.”
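The telltale shape of the credential-stuffing attack described above is one source failing against many different accounts in a short window, as opposed to a forgetful user failing repeatedly against one. The following is an added example, not code from Ring or from the article: it parses a constructed authentication log (the log format, the IP addresses, the account names and the 5-accounts-in-5-minutes threshold are all assumptions made for illustration) and flags sources that match the pattern, together with any account such a source subsequently logged into, which is the list a defender would want to force-reset and enrol in two-factor authentication.

```python
"""Detect a credential-stuffing pattern in authentication logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (assumption: not from Ring or the article).
# 203.0.113.7 fails against many different accounts within seconds and then
# succeeds against one; 198.51.100.9 is a legitimate user mistyping a password.
SAMPLE_LOG = """\
2019-12-10T02:14:01Z ip=203.0.113.7 user=alice@example.test result=FAIL
2019-12-10T02:14:02Z ip=203.0.113.7 user=bob@example.test result=FAIL
2019-12-10T02:14:03Z ip=203.0.113.7 user=carol@example.test result=FAIL
2019-12-10T02:14:04Z ip=203.0.113.7 user=dave@example.test result=FAIL
2019-12-10T02:14:05Z ip=203.0.113.7 user=erin@example.test result=FAIL
2019-12-10T02:14:06Z ip=203.0.113.7 user=frank@example.test result=SUCCESS
2019-12-10T02:20:00Z ip=198.51.100.9 user=grace@example.test result=FAIL
2019-12-10T02:20:30Z ip=198.51.100.9 user=grace@example.test result=FAIL
2019-12-10T02:21:00Z ip=198.51.100.9 user=grace@example.test result=SUCCESS
"""

# Assumed log line layout; adapt the pattern to the real service's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(
    events: list[AuthEvent],
    window: timedelta = timedelta(minutes=5),   # assumed threshold
    min_distinct_users: int = 5,                # assumed threshold
) -> dict[str, set[str]]:
    """Return {source_ip: accounts it later logged into} for every source that
    failed against at least `min_distinct_users` distinct accounts inside
    `window`. An empty set means the source was flagged but never succeeded.
    """
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged: dict[str, set[str]] = {}
    for ip, evs in by_ip.items():
        # Sliding time window over this source's failures, counting distinct accounts.
        fails = [e for e in evs if not e.success]
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            distinct = {e.user for e in fails[start : end + 1]}
            if len(distinct) >= min_distinct_users:
                # Any success from this source after the burst began is a probable takeover.
                flagged[ip] = {e.user for e in evs if e.success and e.ts >= fails[start].ts}
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential-stuffing pattern; accounts to reset: {sorted(accounts) or 'none'}")
```

On the sample above only 203.0.113.7 is flagged, with `frank@example.test` as the account to reset; the repeated failures from 198.51.100.9 involve a single account and are not reported. In production the per-source key would usually be broadened (ASN, device fingerprint, or a rotating proxy pool) because stuffing tools spread requests across many addresses, and the thresholds would be tuned against the service's own baseline.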
Kiri Addison, head of data science overwatch at Mimecast, argued that international standards are lagging behind in regulating minimum mandatory security levels.
“Much like the early insufficient drone use standards originally introduced in the UK, this is an area which demands attention given the potential widespread vulnerabilities of such devices and the malicious uses they can be put to, as the Mirai botnet illustrates,” she continued.
“Children are uniquely vulnerable to influence or coercion via technology and this is something every parent should be conscious of as the sophistication of these often seemingly innocuous connectable devices increases.”
In fact, standards are catching up, at least in Europe.
The ETSI TS 103 645 standard was introduced by the European Union in February to drive improvements in baseline security for consumer-grade Internet of Things (IoT) products. It came from a UK government proposal based on a code of practice it introduced last year. It also came a year after the British Standards Institution (BSI) introduced a kitemark for consumer and business-grade IoT devices.