In a series of hacks targeting Ring camera devices, attackers are terrifying homeowners and making them feel violated in their own homes after taunting them or speaking to their children over the device's speakers.
On December 12th, numerous media outlets reported that homeowner's Ring devices were being hacked and used to talk to people in their homes while they are making dinner, having breakfast, or playing in their rooms.
In one attack, the hacker has a creepy conversation with an eight-year-old girl while she in her room by herself and tells her to break her tv or "mess up your room".
VIDEO In another hack, a person talks to a young boy and asks him what video games he plays, while the boy casually disconnects the Ring camera.
VIDEO In at least one of the attacks, the person speaking to the Ring device tries to get the owner to visit a site and screams out "Nulled" as the homeowner pulls out the device's batteries.
VIDEO That last-minute "Nulled" shout by the hacker was probably a reference to the live-streamed NulledCast show for the users of the Nulled hacking forum.
According to
a report by Vice , NulledCast commonly promotes its shows by advertising how they will be live-hacking Ring and Nest devices for the amusement of their viewers.
"Sit back and relax to over 45 minutes of entertainment. Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live."
After news of the Rings attacks being reported by the media, in what appears to be a prank, Nulled briefly showed a site seizure notice by law enforcement. A few hours later, the site was returned to normal, but with many of the messages related to Ring hacking removed from the site.
Fake Nulled Seizure Notice Ring Devices hacked through credential stuffing In
a statement released by Ring , the attackers are gaining access to devices through credential stuffing attacks and that there has been no unauthorized access to Ring's systems or networks.
"Recently, we were made aware of an incident where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts. Unfortunately, when people reuse the same username and password on multiple services, it’s possible for bad actors to gain access to many accounts." A credential stuffing attack is when attackers compile user names and passwords exposed during data breaches and use those credentials to try to log into unrelated services.
As many people use the same password at multiple, if not all, sites they visit, this technique allows attackers to easily gain access to other accounts that use the same credentials.
This is why it is not only important but also critical that users use unique passwords at every site they create an account.
Whether this is by creating an easy to remember password template or a password manager, it is important to never reuse passwords as data breaches can expose them to be used in other attacks.
Ring also suggests that all owners of their devices
enable 2-factor authentication on their accounts so that even if an attacker gains access to their credentials, they will not be able to log in without the special code sent to the owner's phone number.
source 
